US State privacy laws: Indiana, Massachusetts, NY updates
Posted: January 27, 2023
This year sees five new state privacy laws take effect across the US. And many more states are debating comprehensive privacy legislation that would provide their residents new data rights and significantly impact businesses.
This article will look at three states that introduced new privacy legislation in January 2023. These bills are not merely California copycats—there are seriously interesting and potentially impactful ideas contained in some of these draft laws.
Let’s look at the state of play for privacy legislation in Indiana, Massachusetts, and New York.
Indiana: SB 5
Last year, Indiana’s SB 5 passed in the state’s Senate (49-0) but failed in the House. The bill goes for “round two” this session, having been reintroduced in early January.
If passed, SB 5 would take effect from January 1, 2026. Some of the law’s main provisions include:
- Consumer rights, including:
  - Access
  - Correction
  - Deletion
  - A right to opt out of:
    - Targeted advertising
    - The sale of personal data
    - Profiling with legal or similarly significant effects
- Duties to:
  - Limit data processing to the purposes disclosed to the consumer
  - Implement reasonable security measures
  - Publish a privacy notice
- A requirement to only process sensitive personal data with the consumer’s opt-in consent.
- Mandatory contracts between controllers and processors.
- A requirement to conduct a “data protection assessment” before conducting certain types of risky data processing.
SB 5 is similar to some other state privacy laws, including the Virginia Consumer Data Protection Act (VCDPA).
One interesting quirk of Indiana’s law is that a controller may, at its discretion, respond to access requests by providing a “representative summary” of the consumer’s personal data, rather than a copy of the personal data.
SB 5 does not contain a private right of action. The state’s Attorney General may pursue controllers and processors suspected of violating the law—but must allow 30 days for the controller or processor to “cure” its alleged violation.
SB 5 passed the Committee stage on Friday and will now proceed to the Senate, where the bill is likely to pass, and then to the House, where the bill failed last year.
Massachusetts
There’s a lot going on in Massachusetts right now. The “Bay State” has introduced three comprehensive privacy bills so far this year, and they are each very interesting draft laws.
SD 745: Massachusetts Data Privacy Protection Act
SD 745, the Massachusetts Data Privacy Protection Act (MDPPA), would introduce a very strong standard of “affirmative express consent” that contains similar elements to the EU General Data Protection Regulation (GDPR):
The bill would also introduce a definition of “first-party advertising or marketing” to cover advertising based on data collected directly from an individual.
The MDPPA would include a “duty of loyalty” that only permits the processing of personal data for one of 14 prescribed purposes and prohibits covered entities from engaging in “deceptive advertising or marketing.”
HD 3245: Internet Bill of Rights Act
HD 3245, the Internet Bill of Rights Act (IBRA) is a highly ambitious proposal that draws heavily from the GDPR.
The bill would introduce many concepts familiar under the GDPR, such as “cross border transfers” to regulate transfers of data outside of the state, “binding corporate rules” to facilitate such transfers, and even “relevant and reasoned objections” to draft enforcement decisions.
The IBRA would provide a “right to object” to direct marketing, requiring controllers to stop processing a consumer’s personal data for direct marketing purposes on request.
SD 1971: Massachusetts Information Privacy and Security Act
SD 1971, the Massachusetts Information Privacy and Security Act, draws from the California Privacy Rights Act (CPRA), Virginia’s VCDPA, and, to some extent, the GDPR.
The bill would provide consumers with the right to opt out of the sale of their personal data, targeted “cross-contextual” advertising (using third-party data), and, unusually, targeted first-party advertising.
Much like the VCDPA—and Connecticut’s recently-passed state privacy law—SD 1971 would require controllers to undertake a risk assessment before engaging in certain risky types of data processing, including both cross-contextual and first-party targeted advertising.
New York Privacy Act: SB 365
For the fourth year running, New York has introduced a comprehensive privacy bill.
Like many other recent privacy bills, the New York Privacy Act (NYPA) partly resembles Virginia’s VCDPA. Key provisions include:
- Consumer rights, including:
  - Access
  - Data portability
  - Correction
  - Deletion
  - A right to opt out of:
    - Targeted advertising
    - The sale of personal data
    - Profiling with legal or similarly significant effects
- Duties to:
  - Limit the use and retention of personal data to certain processing purposes
  - Implement reasonable security measures
  - Publish a privacy notice
- A requirement to only process sensitive personal data with the consumer’s opt-in consent.
- Mandatory contracts between controllers and processors.
- A requirement to conduct a “risk assessment” before conducting certain types of risky data processing.
New York’s privacy bill includes a “duty of loyalty” and “duty of care” requiring controllers to inform consumers about potentially harmful processing and conduct regular audits, among other obligations.
The law would also define “data brokers” and require such companies to register with the Attorney General.