State Privacy News - 5/2

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement from across the U.S. states. Fourteen state sessions are scheduled to close in the month of May, so we are at a critical juncture for many significant state bills.

1. California Narrows Privacy Rulemaking Package

On May 1, the California Privacy Protection Agency Board considered newly released proposed modifications to the draft rules on automated decisionmaking technology (ADMT), risk assessments, and cybersecurity audits. The board voted to initiate a public comment period on the draft regulations that will close on June 2 (giving stakeholders more time to respond than the statutory minimum 15 days, an accommodation sought by both industry and civil society testifiers).

Many of the changes were specifically requested by the Board at last month’s meeting and are not a surprise, but there is much for compliance professionals to dig into across the 9-page list of changes. The most significant modifications that caught our attention include:

  • Deleting references to “Artificial Intelligence” and narrowing in-scope ADMT systems from those that “substantially facilitate” human decisionmaking to those that “substantially replace” human decisionmaking. Industry commentators welcomed these changes while advocates repeatedly argued this would allow businesses to “self certify” themselves out of coverage.
  • Removing ADMT opt-out rights and restrictions for targeted advertising based on first party data; workplace and education profiling; profiling through observation in public places; and training ADMT.
  • Clarifying that pre-use notices for ADMT can be bundled with existing CCPA notices at collection.
  • Streamlining cybersecurity audit requirements and changing the obligation to provide a certification of completion from a member of a business’s board to a member of a business's “executive management team.”
  • Streamlining risk assessment requirements (such as removing the obligation to identify “technology to be used” in data processing) and removing the requirement to affirmatively submit abridged risk assessments to the Agency.

Importantly, the Agency now estimates that the Year 1 cost to in-state businesses from this rulemaking package will be only $1.2 billion, down from the (highly questioned and contested) price tag of $3.4 billion associated with the regulations as originally proposed.

2. Battle Lines Drawn in Maine

Remember the Maine? Last year Maine spent months tinkering with two competing privacy frameworks: a relatively standard New England-style proposal (LD 1973) and a more unique proposal with Maryland-style provisions for data minimization (LD 1977). Ultimately it was LD 1977 that came within a whisker of passing, advancing from the House 75-70 but failing in the Senate 18-15. That bill’s progress may have been complicated by last minute revisions that appeared to preserve most third-party targeted advertising while creating opt-out rights with respect to certain contextual and first party advertisements, the opposite of how most states approach online advertising!

While the primary sponsors of last year’s bills have been term-limited out, it appears that Maine policymakers are once again gearing up to work on competing versions of data privacy legislation. This year, however, there will be at least three bills in the mix, all of which are on the agenda for a May 5th House Judiciary committee hearing:

  • LD 1822 is the ideological successor to LD 1977. This proposal closely mirrors Maryland’s privacy law with heightened data minimization obligations focused on limiting data collection and use to what is necessary to provide a requested product or service and a presumptive ban on the sale of sensitive data. Similar to Maryland, LD 1822 has a “reasonably should know” knowledge standard that triggers protections for minors’ data and would require an assessment of each algorithm used by a business as part of risk assessments.
  • LD 1088 is the ideological successor to LD 1973. This proposal would go further than existing state laws by requiring more detailed documentation of adherence to data minimization standards, data retention schedules, for companies to periodically ‘refresh’ consent for sensitive data processing, and more prescriptive requirements governing the exercise of consumer rights. Notably, this proposal would also override Maine’s existing ISP privacy law.
  • LD 1224 is a bipartisan bill that very closely mirrors the Connecticut model of data privacy legislation. However, it appears to exclude pseudonymous data from the right to opt-out of targeted advertising which is rare for state privacy laws.

3. South Carolina Closing in on Age-Appropriate Design Code 3.0 Framework

Could South Carolina become the third state to enact an Age Appropriate Design Code Act (AADC)? What about the first state to enact an AADC that does not face legal challenge?

This week, the State Senate aligned and unanimously advanced two AADCs: H.3431 and S.268. While the House bill originally included a separate section requiring social media companies to conduct age verification, the Senate has removed these requirements. During Committee hearings, policymakers indicated that they were well aware this proposal would likely invite legal challenge and could be struck down, but were not concerned by this prospect. 

Key elements of the South Carolina Age-Appropriate Design Code (with reference to existing frameworks and litigation) include:

  • A broad duty of care to prevent various harms to minors including (1) compulsive usage, (2) severe psychological harm, and (3) severe emotional distress. Prior AADC litigation suggests there may be arguments that these provisions would implicate access to lawful content.
  • The framework has a “reasonably likely to be accessed by a minor” applicability standard with some unique carveouts, such as for “interactive gaming platforms.” Curiously, the bill seeks to import a “directed to minors” under age 18 standard from COPPA, but this standard does not exist - COPPA takes a “directed to children” under age 13 approach. For such services, businesses would be required to treat all users as minors unless they have “actual knowledge” to the contrary.
  • Data minimization requirements that would limit collection of minor’s data to what is necessary to provide a service with which a minor is knowingly engaged. This is a clearer standard than the Maryland AADC’s limitation on processing to what is necessary to provide a service with which a minor is knowingly and actively engaged. Consider the Luigi’s Mansion problem for more. 
  • Various requirements to develop tools (e.g. limit the ability of other users to communicate with a minor), parental tools (e.g., change and control a child’s privacy and account settings), and mechanisms for parents, minors, and schools to report harms.
  • A requirement to obtain and publicly post independent third-party audits that cover a number of issues including a “description of algorithms used by the covered online service.” This is likely a replacement of contested risk assessment requirements in other AADCs, but could still raise First Amendment compelled speech issues.

Significantly, the framework would take effect immediately upon enactment by the Governor, with no on-ramp for compliance. South Carolina is scheduled to adjourn its legislative session on May 8th.

4. Connecticut AG Broadens Call for Privacy Law Amendments in Updated Enforcement Report

As frequent Patchwork Dispatch readers are well aware, Connecticut’s fifth-in-the-nation data privacy law emerged as the template on which numerous red and blue states based their own privacy statutes. Hence, proposals to update Connecticut’s law (like the SB 3 amendments that expanded health and children's privacy protections adopted in 2023) are always worthy of particular attention, given their potential to influence other lawmakers.

On April 17, Connecticut’s Attorney General revised its enforcement report, broadening its calls for revisions to the Connecticut privacy law based on its ongoing experiences in enforcement. The original report called for (1) scaling back entity level exceptions including for nonprofits, (2) enacting a “one-stop-shop” accessible deletion mechanism, (3) adding a “right to know” specific third parties to whom data is disclosed, (4) expanding the definition of biometric data, and (5) some technical fixes to child protections and the publicly available information carveout. This report made reference to provisions in existing state privacy laws to support these requests for amendment, particularly California and Oregon.

The revised report wades into far more controversial waters, recommending amendments that would (1) broaden applicability to any organization that processes “sensitive” data; (2) adopt Maryland’s untested reasonably necessary/strictly necessary data minimization standard, calling the current approach an “exploitable standard” that “contravenes data minimization principles outright”; (3) expand the definition of “sensitive data” to include categories like government identifiers, union membership, status as transgender or non-binary, income level or indebtedness, and neural data; (4) abandon the “actual knowledge or willfully disregards” knowledge standard for child and teen privacy protections and replace it with a “has reason to know” standard similar to Maryland; and (5) require all web browsers and mobile operating systems to offer native Opt-Out Preference Signal settings, similar to a vetoed proposal from California.

There is a live proposal (SB 1356) to update and expand Connecticut’s existing privacy law that has made it through the General Law and Judiciary Committees and is currently with Appropriations. We’ve covered this bill elsewhere and will hold off on providing a summary of it in this Dispatch as revisions are reportedly under active consideration. Expect to see more soon.

5. Arkansas Enacts Child Privacy Law

On April 21, Governor Huckabee Sanders signed HB 1717, the Arkansas Children and Teens’ Online Privacy Protection Act into law. Key provisions include: (1) new correction and deletion rights for certain teen users; (2) a complicated web of data collection and retention limits, consent requirements (for both parents and teens), and permissible purpose exceptions; and (3) a prohibition on targeted advertising to children and teens (based on an “actual knowledge” standard).

The law is a first-of-its-kind addition to the state privacy landscape. It is based upon Senator Markey’s (D-MA) proposed update to the federal Children’s Online Privacy Protection Act of 1998 and as a result contains numerous unique provisions, language, and definitions that will require close attention by compliance professionals prior to its July 1, 2026 effective date. The Patchwork Dispatch's Bureau Chief for the South-East, Bailey Sanchez, has written a full analysis of the law (including questions of possible vulnerability under COPPA's preemption clause).

We have updated our state privacy patchwork accordingly:

As always, thanks for stopping by.


Keir Lamont is Senior Director at the Future of Privacy Forum

Thanks to Keir Lamont and Bailey Sanchez for pointing out the narrow channels that states’ laws protecting children’s data need to navigate in order to be passed by legislatures, avoid vetoes, and be upheld by courts. On one side are the First Amendment objections to age-appropriate design code acts, and on another side is possible pre-emption by COPPA if they are “inconsistent.” That leaves a lot of room for interpretation and striking down.
