As summer kicks into gear, state legislatures are closing up shop, but not before introducing and passing legislation impacting startups. In the absence of federal action on many technology policy issues occupying the public imagination, state legislatures have acted to create their own rules, which can vary slightly, significantly—or outright conflict with—each other. State legislatures move faster than Congress, creating patchworks of varying rules that can touch every area of running a startup, from privacy to payroll. Patchworks are bad for startups, adding layers of complexity, creating duplicate costs, erecting barriers to market, and steering where startups can scale. This blog post walks through some of the key issues state lawmakers worked on this year and how they’re likely to impact startups in the years to come.

Data privacy:

Going comprehensive

The year began with five states—California, Colorado, Connecticut, Virginia, and Utah—that had enacted their own unique comprehensive data privacy laws. Now in late June as most state legislatures stand adjourned, five additional states—Indiana, Iowa, Montana, Tennessee, and Texas—have also enacted their own comprehensive laws, with a sixth—Oregon—awaiting the governor’s signature, while others have passed narrower, sector-specific, or child-focused data privacy legislation (more on that in a bit).

Many of those laws are modeled after the Washington Privacy Act (which, ironically, did not pass in Washington state), with each state iterating on that legislation to fit their needs or political dynamics. Those variations have led to what are sometimes significant differences, especially for startups. Differences among the laws can be found in applicability, in critical definitions, or in practice. 

In terms of applicability, some of the laws have revenue thresholds, but several do not. Montana has the lowest consumer threshold, 50,000 (in acknowledgment of the state’s smaller population), while Texas excludes small entities by relying on the Small Business Administration’s definition of a small business. When it comes to definitions, many states define key terms and categories, like sensitive personal information differently. And many state laws will vary in practice—with one state enabling a consumer to opt-out of certain practices, while another requires companies to obtain consumer opt-in for the same practices. 

What does it mean for startups?

These new and varied privacy laws add to the patchwork of state privacy laws that startups must navigate as they grow and scale nationwide. According to research Engine released earlier this year, startups expect to encounter costs from $10,000 to more than $60,000 for each additional state law added to the patchwork. Often, those costs arise from performing similar, duplicative compliance activities across the states. 

The focus on data privacy has not been exclusive to statehouses, and the growing patchwork of unique state laws should add pressure on Congress to pass a federal privacy framework. Enacting a uniform, comprehensive, and consistently-enforced federal privacy framework is critical for startups, and several have accordingly called on Congress to pass such a law. House committees have held several hearings on the topic so far this year, and are expected to reintroduce a bipartisan bill that advanced to the floor last Congress. At the same time, vested interests among lawmakers hailing from states with their own privacy laws (like California), helped to doom earlier efforts at a national standard, so more states with their own privacy laws could add to headwinds for a federal law. 

Think of the children!

State lawmakers introduced and advanced several pieces of legislation focused on kids' privacy online and limiting how minors can use the Internet. For example, Connecticut amended its privacy law, expanding obligations designed to protect children online. The new provisions share similarities with California’s Age-Appropriate Design Code, with respect to impact assessments and design risks of harm to children, but the Connecticut law stops short of more controversial requirements like age verification.

Many states did pass laws requiring age verification in the name of protecting children online. Utah led the way, enacting two similar laws that will require in-scope platforms to verify the ages of all of their users (to determine who are minors), collect location data (to determine if the user is based in Utah), and facilitate parental access and control of minor accounts, including by limiting the hours that services are accessible. The Utah law creates a legal presumption that social media is harmful and enables individuals to sue companies for alleged harms caused by the use of their platforms. Arkansas followed with an age verification law of its own, containing high thresholds and function-based carve-outs that make it unclear what services are actually in scope. Finally, Texas enacted a law requiring in-scope online service providers to verify their users, ensure parental consent for minor-held accounts (and verify that parental relationship), prevent minors from encountering potentially harmful content, and limit the use of minors’ data. Like their data privacy law, Texas intends to exclude small businesses from being in-scope using the Small Business Administration definition. 

Why does it matter for startups?

Children’s privacy will continue to be a priority for policymakers both at the federal and state levels, and many laws are likely to impact startups directly. California’s Age-Appropriate Design Code, for example, does not have applicability thresholds like many other proposed laws. Several states, like New Mexico, Maryland, Minnesota, and Oregon, introduced and advanced copycats of the California law. At the federal level, lawmakers are considering legislation that would in effect require age verification, thereby posing significant costs on startups.

Even if startups are unlikely to be in-scope of some of the recently-enacted laws requiring age verification, that’s little guarantee they won’t be in the future, especially since lawmakers tend to expand, not restrict, the reach of existing obligations. What’s more, every startup’s goal is to scale to beyond five million users (Utah threshold) or 500 employees (Texas threshold). 

Age verification poses problems for startups. First, verifying age is inherently privacy invasive, as companies will need to collect large amounts of sensitive personal information—government IDs, dates of birth, home addresses, or even scans of individuals’ faces. Alternatively, companies can rely on third-party age verification services, but that poses its own issues since the largest is owned by a company that operates several pornography sites. Collecting such information or handing it over to porn site operators puts Internet users at risk and appears to frustrate the goals of these legislative efforts designed to protect kids.

Age verification creates a barrier for startups to reach new and potential users. Startups have reported seeing their user conversions drop off when they add additional steps to the registration process, something that would be exacerbated if they were required to, e.g., also ask for a user’s government ID. Startups don’t want to have this sort of information either, because it “would create a burden,” “be privacy-invasive for our users,” and could carry security risks. The sensitive information required to verify a user’s age is sought after by malicious cybercriminals, and having it on hand makes startups and other companies a target. Startups already fear and expend considerable resources to prevent data breaches, and these laws put them (and their users’ data) at higher risk.

Feeling healthy

States also looked to enact protections around health data, especially in the wake of the Supreme Court’s Dobbs ruling that overturned Roe v. Wade. In addition to the kid-focused elements of their privacy expansion this year, Connecticut included new protections for ‘consumer health data,’ and amendments to ensure those provisions apply to small businesses like startups. Washington enacted a broad consumer health bill called the My Health My Data Act that defined consumer health data broadly, and Nevada passed a similar bill, albeit, with a narrower scope. New York enacted a law that will prohibit geofencing around health facilities (e.g., in service of delivering advertisements or inferring medical status), an element that is also found in each of the three above laws.

Why it matters for startups:

Many startups innovate in the health space, but these bills can also impact startups in adjacent spaces, thanks to broadly defined terms. Unlike most comprehensive data privacy legislation, startups are in-scope of these laws, which do not contain small business exceptions from any obligations (except for a few additional months delay in enforcement). Finally, the Washington My Health My Data Act creates a private right of action enabling individuals to sue for alleged violations of the law. Startups are vulnerable to abusive litigation in many areas of the law, and the private right of action could enable bad actors to exploit the high cost of privacy litigation to extract settlements from startups by bringing lawsuits even when startups have not violated the law. 

— — 

Intermediary Liability:

The abortion debate goes digital

Following the Dobbs v. Jackson’s Women’s Health Supreme Court decision in 2022 that overturned Roe v. Wade and opened the door to states passing laws banning abortion and even trying to stop people from even talking about abortion online. A bill from this year in Texas, HB 2690, would force Internet service providers like Comcast and Verizon to “make every reasonable and technologically feasible effort to block” their subscribers from accessing information about elective abortions, including six specific websites. It also would create the ability for individuals to sue websites and online services that host information about abortion, including in content created and shared by users.

Why does it matter to startups?

Moderating user content is already an expensive, time-consuming, and fraught endeavor for startups that create spaces online for users to convene and share. Thanks to the federal liability framework created by Section 230—which ensures Internet platforms can quickly dismiss lawsuits over user content that they are almost certain to win—startups can host and moderate content in ways that make the most sense for their businesses, the kind of content they host, and the kind of communities of users they serve without having to worry about lawsuits. Opening up startups to bankruptcy-inducing private lawsuits when one user disagrees with the content shared by another user would push platforms to preemptively remove their users’ content, decreasing opportunities for expression online and stifling the communities that startups are often looking to build. While proposals like HB 2690 would run afoul of both Section 230 and the First Amendment, there are multiple federal efforts to change and even repeal Section 230, leaving startups open to having to spend significantly more time and money in court fighting lawsuits over user content.

— —

Digital taxes:

Going to the courthouse

After Maryland enacted a first-of-its-kind digital advertising tax targeting big tech companies companies with global revenues in excess of $100 million, other U.S. states have watched intently. Maryland’s ad tax was challenged in state and federal court. In state court, challengers argued the law was unconstitutional and violated the commerce clause and the Internet Tax Freedom Act, because it only taxes digital advertising, vs traditional or print advertising. Challengers Comcast and Verizon initially prevailed over the state, with the judge declaring the tax unconstitutional. But upon appeal, the Maryland Supreme Court found that the circuit court did not have jurisdiction over the case, failing to exhaust administrative remedies, leaving the digital ad tax in place. Similar arguments were made in federal court, with the First Amendment challenge allowed to proceed. But following the state Supreme Court’s decision, the count was ultimately dismissed. Challengers, including the U.S. Chamber of Commerce, have since appealed. 

Tax copycats

States across the country have been watching the legal process in Maryland play out. Connecticut, Massachusetts, Indiana, and New York have all had measures introduced that propose taxation of varying digital services. Kentucky also came close to implementing legislation under HB 360 that would have extended “taxable services” to telemarketing services to include text messages and social media, though a subsequent bill, HB 5, ultimately stripped language referring to social media.

Why does it matter for startups?

Startups and small businesses, particularly in their early stages, operate with exceedingly limited budgets and resources. While digital advertising taxes on their face target large technology companies that provide digital services, ultimately the cost of the tax will be passed down to the consumer, including startups. Startups rely on large technology companies for numerous free and low cost services, including advertising, and any increase in the cost of needed services could be insurmountable for many small businesses.

— —

Non-compete agreements:

Toward worker mobility

As the federal government continues to emphasize the harm to innovation and worker mobility by proposing a rule to broadly ban post-employment non-compete agreements, multiple states have followed suit. States across the country address non-compete agreements across a spectrum. A few states, like California, Oklahoma, and North Dakota broadly ban non-compete agreements regardless of income level with a few exceptions. Other states like Oregon ban non-compete agreements for low-wage workers, some states allow non-compete agreements so long as they are not overly broad, and others still do not have a non-compete statute on the books. Recently, the New York legislature passed a broad ban on non-compete agreements, though the bill still awaits the governor’s signature. And in May, Governor Waltz signed a non-compete ban for the state of Minnesota, which goes into effect on July 1, 2023. 

Why it matters for startups:

After access to capital, when and how to build a team are top of mind for many startup founders. But with many skilled workers out of reach because they are bound by restrictive non-compete agreements, the startup talent pool is restricted and innovation suffers. Similarly, innovation is hampered when skilled talent is prevented from spinning out and launching new startups, competing within the same industry because of restrictive non-compete agreements, leaving many would-be entrepreneurs with few options when trying to launch companies.

— —

The upshot:

It’d be difficult to capture everything state policymakers worked on this session, but the breadth of startup issues highlighted here helps to demonstrate the volume of new laws impacting the nation’s tech entrepreneurs. Many of these policymaking efforts have proverbial facsimiles at the federal level as well, so in addition to impacting startups directly, they’re likely to impact related policy debates. 

Disclaimer: This post provides general information related to the law. It does not, and is not intended to, provide legal advice and does not create an attorney-client relationship. If you need legal advice, please contact an attorney directly.