EFF worked on bills in more than a dozen states this year, fighting for strong digital rights at the state level. Across the country, legislators focused on issues including medical privacy, biometric privacy, and the right to repair.

 In California, EFF was proud to support three bills—A.B. 2091, A.B. 1242, and S.B. 107– that passed into law and take crucial first steps to make California a data sanctuary state for anyone seeking reproductive or gender-affirming care. Authored by Assemblymember Rebecca Bauer-Kahan, Assemblymember Mia Bonta, and California State Sen. Scott Wiener, these bills will protect people by forbidding health care providers and many businesses in California from complying with out-of-state warrants seeking information about reproductive or gender-affirming care. EFF also supported A.B. 2089, authored by Asm. Bauer-Kahan, which extended the protections of the California Confidentiality of Medical Information Act (CMIA) to information generated by mental health apps.

Not every privacy bill sailed through the California legislature, however. EFF sponsored two strong privacy bills in California this year to curb unnecessary data collection: the California Biometric Information Privacy Act (S.B. 1189) and the Student Test Takers’ Privacy Act (S.B. 1172). Unfortunately, S.B. 1189 was stopped before it could reach a floor vote in the Senate, after facing heavy business community opposition. And after S.B. 1172 was severely weakened by removing its primary enforcement mechanism—the individual right to sue or “private right of action”—neither EFF nor our co-sponsor Privacy Rights Clearinghouse could continue to support it.                                                                                                                                   

Of course, not all of our work happened in California.

 Across the country, we continued to see a number of states moving to legislate on privacy. While California passed its privacy law in 2018, no states have built a similarly strong foundation for privacy rights since then.

In fact, it’s been quite the opposite. Last year, Virginia passed an empty privacy bill that protects consumers in name only. Unfortunately, two similar weak privacy bills passed this year in Utah and Connecticut. Virginia’s bill should not become a template for state privacy legislation, and we urge other states not to even use it as a starting point for their own bills. We have seen some promise in other states such as Oregon, where EFF has been participating in a work group convened by Oregon’s Attorney General to craft a better state privacy law.

State legislators are often looking to copy language or even whole bills from other states, to harmonize bills across state lines. As such, it’s common to see the same bill pop up in many states, particularly if it’s been successful elsewhere. This year, two bills emerged in statehouses that we believe we will have to fight in the coming year. The first is the "Equal Protection at Conception - No Exceptions – Act,” introduced this year in South Carolina—a bill that portends a broader and growing divide on how states treat reproductive justice issues. This bill, which is based on language published by the National Right to Life Coalition, seeks to restrict what its residents will be able to read online about abortion. As EFF wrote in an op-ed in Scientific American, “As a consequence, it also threatens to restrict what all of us can say.” South Carolina’s legislature chose not to advance this bill, but we expect other states will introduce it in the coming year.

The second is California’s Age Appropriate Design Code, which was passed into law and creates new duties for “businesses that provide online services, products, or features that children are likely to access.” EFF has deep concerns about the vague language in the AADC, such as how businesses are supposed to act in the “best interests of children”—particularly as the law’s definition of children includes anyone under 18. We are also concerned about the potential that the language would prompt companies to require all users to verify their ages to access online services. The aim of the AADC is to protect children, and we respect that goal, but its drafting weaknesses are concerning enough that we urge other states not to use it as a starting point for their own bills.

On the flip side, there are bills that we’d like to see other states pick up. Right to repair legislation continues to gain momentum. In Colorado, the legislature passed a law that gives wheelchair users more freedom to fix their own chair. And in New York, the legislature passed a landmark broad right to repair bill—the first of its kind in the country. This bill would make it easier to people to fix their own electronic devices and choose who they trust to repair their own devices. We hope to see more states recognize the importance of this issue in their own legislatures.

We were also excited to work with Maryland State Senator Susan Lee to pass S.B. 134, which will require law enforcement agencies to learn, as part of their standard training, to recognize the common tactics of electronic surveillance and the laws around such activities. The bill originated from conversations between the Senator's office and EFF Director of Cybersecurity Eva Galperin, based on her extensive work on "stalkerware"—commercially-available apps that can be covertly installed on another person’s device for the purpose of monitoring their activity without their knowledge or consent. We’d love to see this bill replicated in other states as well.

Thank you to every person in every state who answered EFF’s calls to action by sending an email, picking up a phone, sharing a blog post, or speaking to a legislator about the issues that are important to you. Your voices are especially crucial in our state work, and every supporter on the ground in the states where we do work helps us be more effective.

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2022.