What New England States’ Efforts in 2024 Can Tell Us About the Future of Data Privacy
In the absence of a federal consumer data privacy law, data privacy continued to be a key legislative focus for states across the country. As 2024 legislative sessions largely wrap up, New England represents a compelling case study. Nearly every state in the region considered legislation to establish their own consumer data privacy law. New Hampshire and Rhode Island enacted laws that largely align with other existing state frameworks. On the other hand, states like Maine and Vermont attempted to pass unique data privacy regimes, ran into roadblocks, and were ultimately unsuccessful.
Privacy Landscape
As of writing, 19 states have a consumer data privacy law in place, the majority of which largely align in terms of rights given to consumers, business obligations, and enforcement mechanisms. Interoperability between state data privacy laws is crucial in absence of a federal privacy framework, as it minimizes confusion for consumers and businesses alike, helping to empower state residents and ensure smooth compliance processes for companies. This interoperability is particularly important in a region like New England, where an individual often crosses one or even two state lines every day and regional businesses employ and serve millions of residents. Connecticut was the first state in New England to pass a comprehensive data privacy law, with their law taking effect on July 1, 2023. Following Connecticut, every other state in the region has taken up data privacy in some form, with New Hampshire and Rhode Island this year becoming the second and third states to establish a comprehensive privacy law.
A Tested Model: New Hampshire and Rhode Island
In tackling comprehensive data privacy, the legislatures of New Hampshire and Rhode Island both sought to build from the model used in Connecticut and over a dozen other states throughout the country. This approach to data privacy provides consumers with clear rights, such as the right to opt out of processing for profiling or targeted advertising, the right to delete their data, and the right to opt out of the sale of their data, among others. It also prohibits businesses from discriminating against a consumer for exercising their rights and requires that businesses conduct risk assessments of privacy processes and procedures. Beyond the robust protections that both New Hampshire and Rhode Island installed for consumers, their privacy laws provided businesses with a clear and simple path to compliance. By aligning their privacy laws with over a dozen other states, businesses operating in these two states can easily replicate protocols used elsewhere, helping simplify the compliance process and reduce costs for all businesses.
Attempting a New Path: Maine and Vermont
Unlike other states in the region, Maine and Vermont sought a different approach to data privacy, incorporating definitions, standards, and principles from the EU’s General Data Protection Regulation, as well as the previous American Data Privacy and Protection Act, which failed in Congress in 2022 due to concerns around the restrictive nature of the bill and its negative impact on innovation and U.S. businesses more broadly. These bills included unique provisions, like a proposed private right of action, as well as strict data minimization principles, which are not found in other existing state privacy laws.
State laws pertaining to data privacy have typically been focused on prohibiting certain practices and acts that pose a significant risk to consumers as well as those that offer no benefits. However, both Maine and Vermont sought to include strict data minimization in their legislation, under which businesses would no longer be able to collect, process, or use covered data, even if it were beneficial to a consumer, unless the business can demonstrate that it adheres to the new standard. This requires businesses to undergo a thought exercise every single time they want to possibly use or collect data, and determine if it fits with a list of fixed permitted purposes. If there is any ambiguity, the business would be forced to abandon the use of that data. This significant divergence in approach would hurt businesses, and justifiably raised concerns from businesses of all sizes operating in the two states, with companies like L.L. Bean in Maine and the Vermont Country Store in Vermont, testifying in opposition to the bills and urging the respective legislatures to instead advance a measured approach to data privacy.
Ultimately the concerns raised in both states about these overly-restrictive approaches to data privacy led to them failing to complete the legislative process – the Maine Senate voted down the bill and the Vermont Legislature failed to override Gov. Phil Scott’sveto of the bill.
What Comes Next: Looking to 2025
As most states in New England have wrapped up their legislative sessions for 2024 (Massachusetts being the exception), it is very likely data privacy conversations will re-emerge in the leadup to the start of 2025, with both Maine and Vermont likely to return to the topic at the start of their legislative sessions. Given that 2024 is an election year, it is likely that some dynamics within the two states’ legislative bodies will shift. At the very least there will be new bill sponsors in Maine as both Rep. Maggie O’Neill and Sen. Lisa Keim are term-limited out of their seats. There will also be new members of the Vermont Senate, as several vacancies will be filled via elections later this year.
The New England region is seemingly at a fork in the road when it comes to data privacy. Half of the states in the region (Connecticut, Rhode Island, and New Hampshire) have implemented well thought out laws, which build on a tested model that has been adopted by over a dozen other states throughout the country. These laws have and will continue to provide both consumers and businesses with a clear understanding of their rights and responsibilities, while ensuring that innovation and the economy more broadly are not negatively impacted. As the remaining states in the region continue to tackle data privacy, it is important to learn from the lessons of Maine and Vermont’s failed efforts this year, which emphasized the importance of interoperability between state laws and ensuring that business’ viability are not risked via the inclusion of overly burdensome requirements that create to competitive disadvantages. New England has the ability to be the first geographical region in the country to ensure that all of the area’s residents and businesses are covered by sound data privacy laws, and the remaining states should take all measures to accomplish such a feat in the coming year.
