In a recent Perspectives from FSF Scholars summarizing the American Privacy Rights Act (APRA) Discussion Draft, I added New Hampshire (number fifteen) and Kentucky (number sixteen) to the Free State Foundation's running list of states that have passed a comprehensive data privacy statute. The Cornhusker State in the interim has joined their ranks, upping that total to seventeen. Meanwhile, at a House Commerce Committee hearing on the APRA, more than one representative indicated that they are "fired up" (subscription required) to turn that bill into preempting federal law.
New Jersey was the first state in 2024 (and the fourteenth overall) to enact privacy legislation, a development I noted in a January post to the FSF Blog. The New Hampshire Privacy Act followed in March, the Kentucky Consumer Data Protection Act in early April. (Two days later the Maryland Online Data Privacy Act of 2024, about which I blogged here and here, cleared both legislative houses. Should it be signed by Governor Wes Moore, it will bring the tally to eighteen. That is, assuming another state – Pennsylvania, perhaps? – doesn't beat it to the punch.)
And on April 12, Governor Jim Pillen enacted the Nebraska Data Privacy Act, a statute very similar in substance to the Texas Data Privacy and Security Act, a bill that I summarized in July 2023's aptly titled "More States Compound the Dreaded Privacy 'Patchwork' Problem."
Of course, one of the aspects of the APRA Discussion Draft that I praised in "Congressional Leaders Return Privacy to the Front Burner," the Perspectives referenced above, is its language preempting state comprehensive data privacy laws: "no State or political subdivision thereof may adopt, maintain, enforce, or continue in effect any law, regulation, rule, or requirement covered by the provisions of this Act or a rule, regulation, or requirement promulgated under this Act."
As such, passage of the APRA – by no means a foregone conclusion – would eliminate the chaos and compliance contradictions created by the expanding number of state laws.
At an April 17 hearing held by the House Commerce Committee's Subcommittee on Innovation, Data, and Commerce, APRA co-author and Committee Chair Cathy McMorris Rodgers (R-WA) acknowledged that "Congress has been trying to develop and pass comprehensive data privacy and security legislation for decades" and argued that "[w]ith the American Privacy Rights Act, we are at a unique moment in history where we finally have the opportunity to imagine the internet as a force for prosperity and good."
In response, Subcommittee Chair Gus Bilirakis (R-FL) reportedly stated that he is "fired up" – and Representative Frank Pallone (D-NJ) indicated that he is "fired up too."