“We need someone who is focused on our concerns, our issues … how we work and how we relate to our donors and fulfill our missions.” - Steve Abrahamson, Vice President, Direct Response, National Audubon Society

Legislation in the States

Last Updated February 26, 2025

Included below:

Artificial Intelligence (AI)
Board Diversity
Consumer Data Protection & Data Privacy
Donor Privacy and Confidentiality
Charitable Solicitation
Nonprofit Governance
Salary Disclosure

This information is prepared by TNPA staff based on reports supplied by FOCUS, a Leonine business.

Artificial Intelligence (AI)

PROPOSED LAWS:

New York AB 768, sponsored by Asm. Alex Bores, D-New York City, was introduced and referred to the Assembly Consumer Affairs and Protections Committee on January 8. Assemblymember Bores does not hold any ranking positions. The bill, titled the “New York Artificial Intelligence Consumer Protection Act,” would amend existing law to prevent the use of artificial intelligence algorithms to discriminate against protected classes. It would require developers and deployers of high-risk AI decision systems to implement risk management policies, conduct bias and governance audits, and provide transparency and documentation to ensure compliance with anti-discrimination laws. Additionally, the bill would mandate consumer notifications and provide mechanisms for consumers to correct data and appeal adverse decisions made by AI systems.

Texas HB 1709, sponsored by Rep. Giovanni Capriglione, R-Keller, was prefiled on December 23 for the upcoming legislative session that is scheduled to begin on January 14. Representative Capriglione is the chair of the House Artificial Intelligence & Emerging Technologies and Pensions, Investments & Financial Services committees. The bill would regulate the use of artificial intelligence (AI) systems by certain business entities and state agencies. It would require developers and deployers of high-risk AI systems to conduct impact assessments, disclose AI interactions to consumers and implement risk management policies. The bill would also establish the Texas Artificial Intelligence Council and the Artificial Intelligence Regulatory Sandbox Program to oversee AI development and ensure ethical use.

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: Colorado SB205 Colorado Becomes the First State to Enact Comprehensive AI Legislation. The new law becomes effective February 1, 2026. It applies generally to developers and deployers of “high risk AI systems,” which are defined as AI systems that make, or are a substantial factor in making a consequential decision. The law also defines “consequential decision” as “any decision that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of: (a) education enrollment or an education opportunity, (b) employment or an employment opportunity, (c) a financial or lending service, (d) an essential government service, (e) health-care services, (f) housing, (g) insurance, or (h) a legal service.”

The law is aimed at addressing AI bias, establishing a requirement of human oversight throughout the life cycle of AI systems, and requiring significant documentation around the use of AI.

It applies to any person doing business in Colorado who develops an “AI system” or deploys a “high-risk AI system.” In effect, this means that it applies to any organization using a high-risk AI system, whether or not that system is consumer-facing. Importantly, the law explicitly excludes a Private Right of Action, leaving enforcement solely to the Colorado Attorney General.

NOW LAW: California AB 2013/Chapter 817 was signed into law by Democratic Gov. Gavin Newsom on September 28, 2024 and takes effect on January 1, 2025. This law requires, on or before January 1, 2026, and before each time thereafter, that a generative AI system or service, or a substantial modification to such a system or service, released on or after January 1, 2022, is made available to Californians for use, regardless of whether the terms of that use include compensation, a developer of the system or service to post on the developer’s internet website documentation regarding the data used to train the generative AI system or service. Documentation is required to include a high-level summary of the datasets used in the development of the system or service.

NOW LAW: California SB 896/Chapter 928 was signed into law by Democratic Gov. Gavin Newsom on September 29, 2024 and takes effect on January 1, 2025. This law will bring the California Privacy Protection Agency into the reporting creation aspect of this bill. The law will create the Artificial Intelligence Accountability Act as a follow up to Sen. Bill Dodd’s, D-Napa, CR 17, as he stated in his press release. Additionally, the law requires state agencies to develop a risk report for potentially the most significant uses of artificial intelligence. It will also require state agencies to alert users when they are interacting with artificial intelligence.

FAILED BILLS:

California SB 1047 was vetoed by Democratic Gov. Gavin Newsom on September 29, 2024. It was not overridden. This bill would have established safety and security protocols for large developers of advanced AI models that require over $100 million to train or meet a certain computing power threshold. In his veto message, the governor stated that focusing on regulating large artificial intelligence models based on size and cost could create a false sense of security. He expressed concern that the bill’s approach may overlook potential risks from smaller, specialized models and could stifle innovation.

Board Diversity

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: Illinois SB 2930/Public Act 635 was signed by Democratic Gov. J.B. Pritzker on July 1, 2024 and effective as of January 1, 2025. The law will, in part, provide that a nonprofit, within 30 days after filing its annual AG990-IL Charitable Organization Annual Report, that reports grants of $1 million or more to other charitable organizations would need to post on its website, if applicable, the aggregated demographic information of the corporation’s directors and officers, including race, ethnicity, gender, disability status, veteran status, sexual orientation and gender identity.

States: Consumer Data Protection / Data Privacy

Below is a comprehensive list of state activity. If you are interested in a broader overview of the issue, please read more here.

PROPOSED LAWS (CARRYOVER FROM 2024):

Massachusetts HB 4632 passed the Joint Advanced Information Technology, the Internet and Cybersecurity Committee on May 13, 2024. The bill is the new draft of several privacy bills including HB 60, HB 63, HB 80, HB 83 and SB 227. The bill, to be known as the “Massachusetts Data Privacy Act,” contains numerous definitions that determine the applicability of the bills’ various provisions and would define a “covered entity” as a person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing or transferring covered data. “Covered entity” would also include a person that controls, is controlled by or is under common control with the covered entity. “Covered entity” would not include an entity that is acting as a service provider. The bill also contains many novel definitions that include covered high impact social media, covered algorithm, covered language, large data holder and small business. The bill would not apply to government agencies or certain persons that meet the following criteria for the preceding three calendar years:

The person’s average annual gross revenues during the period did not exceed $20 million.
The person, on average, did not annually collect or process the covered data of more than 75,000 individualsduring the period beyond the purpose of initiating, billing for, finalizing or otherwise collecting payment for a requested service or product, as long as all covered data for that purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return policy.
No component of the person’s revenue comes from transferring covered data during a year or part of a year if the person is an entity that has been in existence for less than one year.

The bill would prohibit a covered entity from collecting or transferring covered data unless the collection, processing or transfer is limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual to whom the data pertains. The bill would specify numerous allowed purposes for the collection, processing or transferring of covered data including but not limited to the completion of a transaction, fulfillment of an order and providing first party advertising. The bill would require covered entities to obtain a consumer’s affirmative consent before engaging in or directing the transfer of covered data or engaging in targeted advertising and would also be required to provide consumers with the opportunity to opt out. The bill would also grant various individual rights involving covered data including:

The right to access their covered data, except back up or archival data, that is collected, processed or transferred by a covered entity or service provider within the preceding 24 months.
The right to correct a verifiable substantial inaccuracy, inaccuracy or substantially incomplete information.
The right to delete covered data of the individual that is processed by the covered entity and make reasonable efforts to notify all third parties or service providers to which the covered entity transferred the covered data of the individual’s deletion request.

The bill also contains provisions that would establish a data broker registry. The bill would provide for enforcement by the attorney general, district attorney or municipal counsel. The bill also contains a private right of action with damages of $5,000 per person per violation annually adjusted for inflation or actual damages, whichever is greater among other specified damages and relief. A similar privacy bill, SB 2770, which is the new draft of SB 25, passed the Joint Advanced Information Technology, the Internet and Cybersecurity Committee on May 9, 2024. No further action was taken in 2024.

New Jersey AB 4811, sponsored by Asm. Bill Moen, D-Camden, was referred to the Assembly Science, Innovation and Technology Committee on October 20, 2022. The bill would require the Division of Consumer Affairs to establish and maintain a data broker registry. Data brokers would be required to pay a registration fee of $100 per year and provide the following following information:

The name and primary physical, email and internet addresses of the data broker.
Whether the data broker permits a consumer to opt-out of the data brokers’ collection practices including the method to request an opt-out.
A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out.
Whether the data broker uses a credentialing process for purchasers of the data.
Any information the data broker has about the security breaches it has experienced.
A separate statement detailing the data collection practices, database sales activities, and opt-out methods that are applicable to minors as well as whether the data broker has any knowledge that it possesses the brokered personal information of minors.
Any information the division deems appropriate to implement.

Brokered personal information would include but not be limited to: name, address, date of birth, unique biometric data and social security number. Data brokers would not include e-commerce platforms, 411 directory asssistance services, providing publicly available information related to a consumer’s business or profession, and providing publicly available information via real time alert services for health and safety purposes.

New Jersey AB 4741 sponsored by Assembly Deputy Speaker Herb Conway Jr., D-Delran, and Assembly Deputy Majority Leader William Moen, D-Barrington, was referred to the Assembly Science, Innovation and Technology Committee on September 12, 2024. The bill would amend the state’s current data privacy law to require a controller or processor to deidentify personal data before the data is sold. The bill would also prohibit the reidentification of previously deidentified data before or after data sale. Controllers and processors would also be prohibited from providing a third party with the means to reidentify the data or engaging a third party for the proposes of reidentifying the data.

PROPOSED LAWS (NEW IN 2025):

Alabama HB 283, sponsored by Rep. Mike Shaw, R-Vestavia Hills, was heard in the House Commerce and Small Business Committee on February 19. The bill would apply to a person that conducts business in the state or produce products or services targeted to consumers of the state that:

Control or process the personal data of at least 50,000 consumers.
Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The bill would grant consumers various rights including the right to delete data; the right to opt-out of the sale of their personal data; and the right to opt out of processing for the purposes of targeted advertising. The bill does not contain a private right of action but does contain a 60-day right to cure.

California AB 566, sponsored by Asm. Josh Lowenthal, D-Long Beach, was filed on February 12 and has not yet been referred to a committee. The bill would require a business developing or maintaining a browser or mobile operating system to include a setting that enables a consumer to send an opt-out preference signal. The bill would authorize the California Privacy Protection Agency to adopt regulations to enforce the bill.

California SB 361, sponsored by Sen. Josh Becker, D-Menlo Park, was referred to the Assembly Rules Committee on February 13 where it awaits further assignment. The bill would require a data broker to provide additional information to the California Privacy Protection Agency, including whether the data broker collects consumers’ login or account information, various government identification numbers, citizenship data, union membership status, sexual orientation status and biometric data.

Georgia SB 111 was heard in the Senate Economic Development and Tourism Committee on February 19. Tthe committee heard from Sen. John Albers, R-Rosewell, and the Technology Association of Georgia and the Metro Atlanta Chamber who testified in support of the bill. The bill unanimously passed the committee at the conclusion of the hearing.

Nonprofits that do not sell data are exempt. The bill would apply to a person that conducts business in the state by producing products or services targeted to consumers of the state that exceeds $25 million in revenue and that:

Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
Control or process the personal data of at least 175,000 consumers.

The bill would grant consumers various rights including the right to delete data provided by or obtained about the consumer; the right to opt-out of the sale of their personal data; the right to opt out of processing for the purposes of targeted advertising. The bill does not contain a private right of action. Last session SB 473, also sponsored by Senator Albers, passed the Senate but died on the House floor.

Maryland HB 1089, sponsored by Del. Jared Solomon, D-Rock Creek Forrest was scheduled for a hearing in the House Economic Matters Committee on February 25. The bill would establish a data broker registry with the comptroller. Data brokers would be required to provide a declaration that states whether precise geolocation data and consumer health data is part of their data brokering activity as well as whether or not a consumer can opt out among other requirements. The bill would also establish a six percent tax on the gross revenue of data brokers. A companion bill, SB 904, has been scheduled for a hearing in the Senate Budget and Taxation Committee on March 5 at 1:00 PM.

New Mexico HB 307, sponsored by Rep. Pamelya Herndon, D-Albuquerque, was heard in the House Commerce and Economic Development Committee on February 12. The committee took testimony but did not vote on the bill during the hearing. The bill would require covered entities to:

Configure all default privacy settings to those that offer the highest level of privacy.
Publicly provide privacy information, terms of service, policies and community standards in a prominent, precise manner using clear, easily understood language.
Publicly provide prominent, accessible and responsive tools to help a consumer exercise the consumer’s privacy rights and report concerns.
Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.

Covered entities and third parties would be prohibited from:

Profiling a consumer by default unless it is necessary to provide the product or service.
Processing the personal data of a consumer except as necessary to provide the specific online service, product or feature
Processing data for any reason other than the one for which the data is collected.
Processing a consumer’s sensitive personal data unless the collection of that data is strictly necessary to provide the specific product, service or feature and only for the limited time it is necessary.
Processing personal data for purposes of targeted advertising, first-party advertising or the brokerage of personal data without the consumer first opting in

The bill would also give consumers the right to access, correct or delete their data as specified. The bill contains a private right of action.

Oklahoma SB 546, sponsored by Sen. Brent Howard, R-Altus, passed the Senate Technology and Telecommunications Committee on February 13 and is now pending on the Senate floor. The bill does not apply to nonprofits. The bill would apply to a person that conducts business in the state or produce products or services targeted to consumers of the state that:

Control or process the personal data of at least 50,000 consumers.
Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.

The bill would grant consumers various rights including the right to delete data provided by the consumer; the right to opt-out of the sale of their personal data; the right to opt out of processing for the purposes of targeted advertising or profiling The bill does not contain a private right of action.

Vermont HB 208, sponsored by Rep. Monique Priestly, D-Bradford, was referred to the House Commerce and Economic Development Committee on February 12. It is cosponsored by committee chair Rep. Mike Marcotte, R-Newport, and vice-chair Rep. Edye Graning, D-Jericho. The bill would apply to a person that conducts business in the state or produce products or services targeted to consumers of the state that:

Control or process the personal data of at least 25,000 consumers, excluding data processed purely for the purpose of complete a payment transaction.
Control or process the personal data of not less than 12,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The bill would grant consumers various rights, including the right to know whether or not their data is or will be used in any artificial intelligence system; the right to obtain a list of specific third parties to which the controller disclosed their personal data; the right to delete data; the right to opt out of processing for the purposes of targeted advertising.

The bill would also require controllers to limit the collection of data to what is reasonably necessary and proportionate to maintain a specific product or service requested by the consumer. Controllers would be prohibited from processing sensitive data, unless strictly necessary, or selling sensitive data. Controllers would also be required to complete data protection assessments for all processing activities that present a heightened risk of harm to the consumer.

The bill contains a private right of action with exemptions for controllers that earned less than $25 million in the previous year among other exemptions. Representative Priestly is sponsoring other privacy bills, which were also referred to the House Commerce and Economic Development Committee on that same day, including: · HB 210, which is an age-appropriate design code bill; HB 211, which would amend the state’s data broker registry to require the state to set up an accessible deletion mechanism to all consumers to opt out of all data brokers registered in the state.

Similar Senate bills were also recently filed, including: SB 69, an age-appropriate design code bill, sponsored by Sen. Wendy Harrison, D-Brattleboro, which was heard in the Senate Institutions Committee on February 18, 19 and 20. The committee heard testimony from the bill sponsor, the Electronic Privacy Information Center and Attorney General Charity Clark who testified in support of the bill.

Washington HB 1671, sponsored by House Technology, Economic Development and Veterans Committee Vice Chair Shelley Kloba, D-Kirkland, passed that committee with a substitute on February 14 and referred to Appropriations on Feb 18. The bill would afford a consumer various rights, including:

The right to confirm whether a controller is collecting or processing personal data, the right to access their personal data and confirm whether or not their data is used for the purposes of automated decision making.
The right to obtain a specific list of third parties to which a controller has transferred a consumer’s personal data.
- The right to correct inaccuracies in their personal data.
- The right to delete personal data concerning the consumer, including data the controller provided from another source and derived data.

Violations would be considered an unfair or deceptive trade practice under the Consumer Protection Act, which includes a private right of action for consumers. The substitute, in part, would modify the definition of consumer to exclude nonresidents whose personal information is collected in Washington.

Representative Kloba is also sponsoring a data broker registry and tax bill, HB 1887, which was heard in the House Consumer Protection and Business Committee on February 18 and 19. The bill was scheduled for a vote on February 21 but none was taken.

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California (from the CA AG website): The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This law secures new privacy rights for California consumers, including:

The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale of their personal information; and
The right to non-discrimination for exercising their CCPA rights.

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

NOW LAW: California SB 362/Chapter 709 was signed by Democratic Gov. Gavin Newsom on October 10, 2023 with the bill taking effect January 1, 2026. This law, dubbed the Delete Act, seeks increased limitations on data brokers that amass and sell personal information collected online. It will create a portal for residents to remove personal data that has been collected by the 486 registered data brokers in the state, from purchase history to internet browsing habits. The law will also require data brokers to register with the California Privacy Protection Agency and disclose the types of information they collect.

NOW LAW : California AB 1008/Chapter 802 was signed into law by Democratic Gov. Gavin Newsom on September 28, 2024 and takes effect on January 1, 2025. The law states that “publicly available” does not include information gathered from websites using automated mass data extraction; personal information can exist in various formats. The law defines terms related to personal information, such as advertising and marketing, aggregate consumer information and biometric information. It outlines what constitutes a business and the thresholds for data collection and processing that apply. The law describes business purposes for using personal information and specifies what qualifies as consumer consent. Additionally, it includes definitions for sensitive personal information, service providers and third parties, emphasizing the protection and proper handling of personal data.

NOW LAW: Colorado SB 190 was signed into law by Governor Polis on July 7, 2021. The law takes effect on July 1, 2023. Major provisions include:

Enable a consumer to opt-out of the processing of their personal information.
Confirm whether or not a controller is processing personal data concerning the consumer and to provide access to that information.
The right to correct inaccurate personal information.
The right to have personal information deleted.
Controllers would be required to provide a meaningful privacy notice to consumers detailing their various rights
Does not contain a private right of action.

Nonprofit organizations are NOT exempted from the requirements of the law.

NOW LAW: Connecticut SB 6/Public Act 22-15 was signed by Democratic Gov. Ned Lamont on May 10 and took effect July 1, 2023. The law grants consumers various rights including:

The right to confirm whether or not a controller is processing the consumer’s personal data.
The right to correct inaccuracies in their personal data.
The right to delete personal data provided by or obtained about the consumer.
The right to obtain a copy of the consumer’s personal data processed by the controller.
The right to opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects.

Controllers will be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers will also be prohibited from processing the sensitive data of a consumer without their affirmative consent. The law will not apply to nonprofit organizations, does not provide a private right of action and will grant controllers a right to cure at the discretion of the attorney general.

NOW LAW : Delaware HB 154 was signed into law by Democratic Gov. John Carney on September 11, 2023 and took effect January 1, 2025. The law applies to “persons” that conduct business in the state, including nonprofits, or produce products or services that are targeted to state residents and:

Control or process the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data they provide and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 60-day right to cure before the attorney general may initiate any action which would remain in place until December 31, 2025. After that date, the right to cure will be up to the discretion of the attorney general.

NOW LAW: Florida SB 262 was signed by Republican Gov. Ron DeSantis on June 6, 2023 and took effect July 1, 2024. The law will prohibit government employees or officers from using their positions or state resources for the purposes of social media content moderation. The law contains age-appropriate design code language.

The law will also grant consumers various rights including:

The right to confirm if a consumer’s personal data is being processed and providing access to the data.
The right to correct inaccurate consumer personal data.
The right to delete the consumer’s personal data provided by or obtained about the consumer.
The right to opt-out of processing of personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similar significant effects concerning the consumer.
The right to opt out of the collection of sensitive data, including precise geolocation data, or the processing of such data.

Controllers will be required to take action on consumer requests within 45 days but could request an extension of an additional 15 days and must establish a process that allows consumers to appeal a controller’s decision not to act on a request to exercise their rights. The law contains 45 day right to cure language. The law does not contain a private right of action and does not apply to nonprofits.

NOW LAW: Indiana SB 5 was signed by Republican Gov. Eric Holcomb on May 1 and takes effect January 1, 2026. The law will apply to businesses that conduct business in the state or produce products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or processes the personal data of 25,000 or more consumers and derives more than 50 percent of their revenue from the sale of personal data. The law will grant consumers various rights including, but not limited to, the right to delete data and opt-out of the sale of their personal data. The law will apply to nonprofit organizations and does not contain a private right of action.

NOW LAW: Iowa SF 262 was signed by Gov. Kim Reynolds on March 28 and takes effect January 1, 2025. The law will apply to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:

Controls or processes personal data of at least 100,000 consumers.
Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data they provided and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 30-day right to cure before the attorney general can initiate any action. Controllers would also be required to provide a reasonably accessible, clear and meaningful privacy notice.

NOW LAW: Kentucky HB 15 was signed by Democratic Gov. Andy Beshear on April 4, 2024 and takes effect January 1, 2026. The law will not apply to nonprofits. The law will apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:

Control or process the personal data of at least 100,000 consumers.
Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a private right of action but does contain a 30-day right to cure.

NOW LAW: Maryland SB 541/Chapter 455 was signed by Democratic Gov. Wes Moore on May 9, 2024. Effective October 1, 2025, the act applies to “persons” that conduct business in the state or persons that produce products or services that are targeted to state residents and during the preceding calendar year:

Control or process the personal data of at least 35,000 consumers, excluding data processed solely to complete a payment transaction.
Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.

The act grants consumers various rights including the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. A consumer would be permitted to opt out using global privacy controls.

NOW LAW: Minnesota HF 4757/Chapter 121 was signed by Democratic Gov. Tim Walz on May 24, 2024 and takes effect July 31, 2025, with a delayed effective date of July 31, 2029 for institutions regulated by the Office of Higher Education. Nonprofits are not exempt from the law. The law will apply to “persons” that conduct business in the state or produce products or services that are targeted to state residents and:

Control or process the personal data of not less than 100,000 consumers.
Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similar significant effects. The law contains an exemption and alternative requirements for small businesses and also contains a time limited 30-day right to cure until January 31, 2026.

NOW LAW: Montana SB 384/Chapter 681 was signed into law by Republican Gov. Greg Gianforte on May 19, 2023. The bill will apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and:

Control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data they provided and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 60-day right to cure before the attorney general could initiate any action.

NOW LAW: Nebraska LB 1074 passed the legislature, was signed by Republican Gov. Jim Pillen on April 17, 2024, and took effect January 1, 2025. The law will not apply to nonprofits. The law contains both privacy and banking provisions. The privacy provisions will apply to anyone who conducts business in this state or produces a product or service consumed by residents of this state, processes or engages in the sale of personal data and is not a small business as defined under the federal Small Business Act. The law will grant consumers various rights including the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising, the sale of data or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a private right of action but does contain a 30-day right to cure.

NOW LAW: New Hampshire SB 255/Chapter 5 was signed by Republican Gov. Chris Sununu on March 6, 2024 and took effect January 1, 2025. The law will not apply to nonprofits. The law will apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or controlled or processed the personal data of not less than 10,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data. The law will grant consumers various rights including the right to collect inaccuracies in their personal data and delete their data. The law does not contain a private right of action but does contain a 60-day right cure.

NOW LAW: New Jersey SB 332/Chapter 266 was signed by Democratic Gov. Phil Murphy on January 16, 2024 and takes effect January 15, 2025. Nonprofits are not exempt from the law. The law will apply to controllers that conduct business in the state or produce products or services that are targeted to residents of the state, and that during a calendar year meet one or more of the following thresholds:

Control or process the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
Control or process the personal data of not less than 25,000 consumers and derives or receives a discount on the price of goods or services, from the sale of personal data.

The law will grant consumers various rights including the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or the sale of their data. Users will be able to opt-out of the processing of their data for the purposes of targeted advertising or the sale of their data via a user selected universal opt-out mechanism. The law does not contain a private right of action.

NOW LAW: New Jersey SB 2930/Chapter 16 was signed by Democratic Gov. Phil Murphy on June 5, 2024 and took effect September 3, 2024. This law will make broad changes to the state’s public records law, including in part prohibiting public records requests made by or for data brokers and would prohibit data obtained through records requests from being sold. The law also contains a data broker registry requirement.

NOW LAW: Oregon SB 619 was signed by Democratic Gov. Tina Kotek on July 18, 2023, and took effect July 1, 2024. The law does not exempt nonprofits. The law will apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year either controls or processes:

The personal data of 100,000 or more consumers, personal data from 100,000 or more devices that identify or that link to or are reasonably linkable to one or more consumers, or personal data from a combination of 100,000 or more consumers and devices.
The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

It will grant consumers various rights including the right to delete personal data whether or not the data was previously provided, obtain a copy of that data and opt out of the sale or sharing of their data. The law does not contain a private right of action.

NOW LAW: Oregon HB 2052 was signed by Democratic Gov. Tina Kotek on July 27, 2023, and took immediate effect with the registration provisions becoming operative January 1, 2024. The law will require data brokers to annually register with the Department of Consumer and Business Services. The law will impose a $500 penalty for each day the company fails to register with a maximum penalty of $10,000.

NOW LAW: Rhode Island SB 2500, became law without the signature of Democratic Gov. Dan McKee on June 26, 2024 and takes effect January 1, 2026. Nonprofits are exempt from the law. The law will apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:

Control or process the personal data of not less than 35,000 consumers.
Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to correct inaccuracies in their personal information, the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a right to cure or a private right of action.

NOW LAW: Texas HB 4 was signed by Republican Gov. Greg Abbott on June 18, 2023 and took effect July 1, 2024. It does not apply to nonprofit organizations. The law will in part require controllers to honor global privacy controls such as a browser setting as a request to opt-out and exempt and includes 501(c)19 under the definition of a nonprofit organization. The law will apply only to a person that:

Conducts business in this state or produces a product or service consumed by residents of this state.
Processes or engages in the sale of personal data.
Is not a small business as defined by the United States Small Business Administration.

The law will grant consumers various rights, including the right to their personal data and to opt out of the processing of their personal data for various purposes such as the sale of data. The law contains 30 day right to cure and does not contain a private right of action.

NOW LAW: Utah SB 227 was signed by Republican Gov. Spencer Cox on March 24 and takes effect December 31, 2023. The law will grant consumer’s various rights including:

The right to confirm whether a controller is processing the consumer’s personal data.
The right to correct inaccurate personal data.
The right to delete the consumer’s personal data.
The right to opt-out of the processing of their data for the purposes of targeted advertising or the sale of personal data.

The law does not apply to nonprofit organizations and does not contain a private right of action.

NOW LAW: Virginia SB 1392, known as the Virginia Consumer Data Protection Act, was signed by Governor Ralph Northam on March 2, 2021, and took effect on January 1, 2023.  The CDPA grants consumers the right to confirm, correct, and delete personal data and opt-out of use of data for advertising or sale.  It includes an opt-in consent requirement for sensitive data.  Nonprofits are largely exempt.

States: Donor Privacy and Confidentiality

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: Georgia SB 534 was signed by Republican Gov. Brian Kemp on May 2, 2022 and took immediate effect. The law prohibits state agencies, absent the showing of compelling interest, to impose any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. Any additional reporting or filing requirements are required to be narrowly tailored to achieve the compelling state interest. The bill defines charitable organizations as 501(C)3 organizations.

NOW LAW: Indiana HB 1212, sponsored by House Speaker Pro Tempore Mike Karickhoff, R-Kokomo, was signed by Republican Gov. Eric Holcomb and takes effect July 1. The law will prohibit, with certain exceptions, a state or local agency from collecting or disclosing information that identifies an individual or business entity as a member, supporter, volunteer, or donor of financial or nonfinancial support to a nonprofit organization.

NOW LAW: New Hampshire SB 302/Chapter 336 was signed by Republican Gov. Chris Sununu on July 25, 2022 and takes effect January 1. The law will prohibit a public agency from:

Requiring an individual or entity to provide the public agency with personal information.
Releasing, publicizing or otherwise publicly disclosing any data that directly or indirectly identifies a person as a member, supporter, volunteer, or donor of financial or nonfinancial support.
Requiring any current or perspective contractor or grantee to provide the agency with a list of entities exempt from federal income taxation to which it has provided financial or nonfinancial support.

NOW LAW: New York SB 4817A (companion A 1141A) was passed by the Senate on June 9, followed by the Assembly on June 10. It was delivered to Gov. Hochul on November 1 and she signed it into law on November 12, 2022.

This legislation was necessary to undo a rider on 2020 budget legislation inserted by then Gov. Cuomo. That rider would have required all nonprofits registered with the Attorney General under the solicitation law to perform a duplicative (literally) registration with the NY Dept of State. It also would have required confidential donor information (that provided in Form 990 Schedule B) to be provided to the Department but with looser protections than afforded to the same information by the AG’s office (the AG collected Sched B from registrants until dissuaded by the U.S. Supreme Court donor privacy decision in July 2021).

Strong objections to wasteful duplicate reporting and to the prospective disclosure of private donor information led two New York nonprofits (Nonprofit New York and Lawyer’s Alliance) to lead a grassroots effort, joined by TNPA, to support SB 4817A. That effort was successful.

NOW LAW: Virginia SB 324/Chapter 19 was signed by Republican Gov. Glenn Youngkin on August 4, 2022 and took effect January 1, 2023. The law will prohibit a state agency from:

Requiring an individual or entity to provide the public agency with personal donor information.
Requiring any bidder, offeror, contractor or grantee of the organization to provide the agency with personal donor information.
Disclosing personal donor information without the express written permission of every individual who is identifiable from the potential release of such information, including identifiable as members, supporters or volunteers, or donors to the agency.

NOW LAW: Hawaii HB 2416 was signed by Governor David Ige on May 27, 2022, taking effect on January 1, 2023. The law in part requires 501(c)4 organizations operating as a noncandidate committee to disclose the name and address of donors who donate an aggregate of more than $10,000. The bill would prohibit donations from being used for electioneering communications, independent expenditures or contributions without the written consent of the donor.

States: Charitable Solicitation

PROPOSED LAWS:

California AB 576, sponsored by Asm. Jacqui Irwin, D-Thousand Oaks, was filed on February 13. It is a placeholder presumably to undertake amendments to the recently enacted “platform law” (AB 488 – 2021), also sponsored by Asm Irwin. She has expressed dissatisfaction with the Attorney General’s administration of the law and the resulting impact to nonprofits raising funds in California.

Connecticut HB 6858 was heard in the Joint General Law Committee February 10. The committee heard from numerous opponents and proponents of various provisions of the bill, including the attorney general’s office who testified in support. No vote was taken. The bill would:

require that charitable organizations employing a fundraising counsel retain a copy of the contract for not less than seven years
raise the bond requirement for fundraising counsel having custody or control of funds from $25,000 to $50,000
reduce the required reporting timeframe for paid solicitors from 90 days to 45 days

Hawaii SB 1048, sponsored by Sen. Jarrett Keohokalole, was filed on January 17, 2025, jointly referred to Senate Judiciary and Consumer Protection Committees on January 23, and passed with amendments out of Consumer Protection on Feb 10. The bill offers various technical amendments to SB 2983 (Act 205), the “fundraising platforms” law enacted in July 2024 and taking effect January 1, 2026. Its companion in the Senate is SB 1311. The bill would:

require the attorney general, when notifying an organization that it is prohibited from soliciting or operating, to indicate whether the prohibition is due to a ministerial deficiency
platforms would be required to maintain a process for complaints about any fundraising activity
require a written contract to be filed with the attorney general prior to any fundraising activity, in the case of a charitable fundraising platform or platform charity

Illinois SB 1599, sponsored by Sen. Jill Tracy, R-Quincy, was heard in the Senate Judiciary Committee on February 19. The committee heard testimony from Forefront, an organization representing Illinois nonprofits, among others who testified in support of the bill. No vote was taken. The bill would amend the Solicitation of Charity Act and the Charitable Trust Act to require the attorney general to accept required reports electronically.

Maryland HB 239, sponsored by House Economic Matters Committee Chair C. T. Wilson, D-Charles, passed that committee with amendments on February 10 and unanimously passed the full House on February 13. The bill would permit the secretary of state to:

suspend or waive late fees assessed to charitable organizations pursuant to a settlement agreement or as part of any regulations adopted regarding organizations that fail to file an annual report.
cancel the registration of a charitable organization if the organization failed to submit a statement of intent and final annual report within three years after their due date
Charitable organizations could request to be reinstated if they submit any outstanding annual reports, supporting materials and annual fees required and are otherwise in good standing.

A companion bill, SB 184, sponsored by Senate Judicial Proceedings Committee Chair William Smith, D-Silver Spring, passed that committee on January 27 and the Senate on January 30. SB 184 is now pending in the House Economic Matters Committee.

Montana SB 134 passed the Senate with amendments following a 33-17 vote on February 14. The bill, to be known as the Safeguarding Endowment Gifts Act, would prohibit a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of a donor-imposed restriction, the bill would grant the donor or their legal representative a private right of action. The bill would take immediate effect.

Pennsylvania HB 212, sponsored by Rep. Lisa Borowski, was introduced and referred to House State Government Committee on January 17, 2025. The bill would exclude in-kind contributions from the state’s gross annual contribution reporting requirement. Its purpose is to relieve organizations having limited cash resources from audit requirements based upon gross contribution amounts.

Tennessee HB 391 passed the House State and Local Government Subcommittee on Departments and Agencies on February 18 and is now pending in the full committee. The bill has been scheduled for a hearing in that committee on February 26. The bill would revise provisions of existing law by:

requiring the filing of solicitation materials with the secretary of state to be completed within 90 days after a solicitation campaign has been completed or within 90 days after the end of the fiscal year
The bill would also provide that the text of any solicitation scripts or pitches made to the public orally are no longer required to be utilized in the campaign.

A companion bill, SB 453, has been scheduled for a hearing in the Senate Commerce and Labor Committee on February 25.

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California AB 488 Governor Gavin Newsom signed the bill into law on October 7, 2021. The law took effect January 1, 2023.

TNPA participated in a multi-year stakeholder process for this legislation which resulted in many necessary changes to the original draft created by the Attorney General’s office. Nevertheless, significant issues remain to be resolved through the means of rulemaking during the course of the coming year. The Attorney General conducts the rulemaking. The bill’s stakeholders, including TNPA, will undoubtedly participate in the process.

The bill establishes new requirements for online fundraising by third parties. However, the legislation is NOT applicable to a charity’s own website and online fundraising. Entities defined in the legislation as a “fundraising platform” or “platform charity” would be required to register with the AG and to submit annual reports. The legislation requires a number of compelled disclosures designed to give prospective donors adequate information (such as fees to be deducted from the intended gift, how long it may take for the beneficiary nonprofit to receive its gift, etc.).

The new California categories of solicitation law oversight are unique and will surely draw the attention of charity officials in other states. It is likely other states will let the California experiment play out rather than rush to emulate. Nonprofits currently receiving significant funds from the newly regulated platforms will also be watching. It is not a forgone conclusion the legislation and forthcoming regulations will strike the right balance between protecting donors and allowing support dollars to flow to nonprofit missions.

NOW LAW: Colorado SB 129 was signed by Democratic Gov. Jared Polis on May 24, 2024 and took effect September 23, 2024. This donor privacy law will prohibit a public agency from requiring any person to provide the public agency with data that identifies a member of a nonprofit entity or compelling the disclosure of member-specific data and would provide for penalties for violations.

NOW LAW: Colorado SB 16 was signed by Democratic Gov. Jared Polis on June 7, 2024 and took effect on August 8, 2024. The law will authorize a taxpayer to make a charitable contribution to a charitable recipient organization through a qualified intermediary that forwards the contribution to the charitable recipient organization, rather than making the contribution directly to the charitable recipient organization, without losing the right to claim a state income tax credit.

NOW LAW: Georgia SB 433/Act 423 was signed by Republican Gov. Brian Kemp on April 22, 2024 and took effect July 1, 2024. The law will prohibit a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of a donor-imposed restriction, the law will grant the donor or their legal representative a private right of action.

NOW LAW: Georgia SB 412/Act 612 was signed by Republican Gov. Brian Kemp and took immediate effect (May 2024). The law permits the secretary of state, at their discretion, to suspend or revoke the registration of a charitable organization, paid solicitor or solicitor agent for violations of existing law. The law also raises the maximum penalties for violations to $10,000 for a single violation and $100,000 for multiple violations.

NOW LAW: Hawaii SB 2693/Act 211 was signed by Democratic Gov. Josh Green on July 5, 2024 and took immediate effect. The law establishes the offense of charitable fraud during a state of emergency. The offense would range from a misdemeanor if the value of the contributions received is less than $750 up to a class B felony for contributions received over $20,000.

NOW LAW: Hawaii SB 2983/Act 205 was signed by Democratic Gov. Josh Green on July 5, 2024 and takes effect January 1, 2026. The law will require charitable fundraising platforms to register with the attorney general before soliciting, permitting, or otherwise enabling solicitations for charitable purposes. Fundraising platforms and platform charities will be required to make various disclosures before a person can complete a donation or select or change a recipient charitable organization, including the maximum length of time it takes charitable organizations to receive the funds and the fees to be deducted. Fundraising platforms and platform charities will also be required to make periodic reports to the department on a provided form that will enable the department to ascertain whether charitable funds have been properly solicited, received, held, controlled or distributed.

NOW LAW: Illinois HB 1197/Public Acts 121 was signed by Democratic Gov. J.B. Pritzker on June 30, 2023 and takes effect January 1, 2023. The bill would provide that every charitable organization that receives contributions in excess of $750,000, rather than the $300,000 specified under existing law, would be required to file a written report with the attorney general with specified information. The bill would also require organizations that receive contributions in excess of $25,000 but less than $750,000 to file a simplified report with the attorney general.

NOW LAW: Indiana SB 302/Public Law 40, sponsored by Senate Judiciary Committee Chair Liz Brown, R-Fort Wayne, was signed by Republican Gov. Eric Holcomb on April 20, 2023 and takes effect July 1, 2023. The law will prohibit state agencies or officials from imposing filing or reporting requirements on charitable organizations that are more stringent or burdensome than those imposed by or authorized under state or federal law.

NOW LAW: Kentucky SB 70 was signed by Democratic Gov. Andy Beshear on April 9, 2024 and took effect July 14, 2024. The law will prohibit a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of a donor-imposed restriction, the law will grant the donor or their legal representative a private right of action.

NOW LAW: Louisiana SB 179/Act 262 was signed by Democratic Gov. John Bel Edwards on June 3, 2022 and took immediate effect. The law prohibits state agencies from imposing any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. The legislature can review any requirements that are more restrictive. The law defines charitable organizations as a person who holds himself out to be benevolent, civic, recreational, educational, voluntary, health, law enforcement, social service, philanthropic, fraternal, humane, patriotic, religious or eleemosynary organization.

NOW LAW: Mississippi SB 2545 was signed Republican Gov. Tate Reeves on April 15, 2024 and takes effect July 1. The law will define monetary donations to mean cash or cash equivalents. It also raised the audit threshold from $500,000 to $750,000.

NOW LAW: Missouri HB 2400 was signed by Gov. Mike Parsons on June 30, 2022, and took effect August 28, 2022. The law prohibits state agencies or state officials from imposing any annual filing or reporting requirements on charitable organizations that are more stringent than specified under existing law.

NOW LAW: New Hampshire SB 375/Chapter 173 was signed by Republican Gov. Chris Sununu on June 7, 2022 and takes effect August 6. The law will prohibit the state from imposing any annual filing or reporting requirement on a charitable organization that is more stringent than already required under existing law. The law will also raise the compulsory audit threshold for annual reporting by nonprofits from $1 million to $2 million.

NOW LAW: North Carolina SB 429/Session Law 119 was signed into law by Democratic Gov. Roy Cooper on September 14, 2023. The law took immediate effect with certain provisions taking effect October 1. The law will increase the qualifying income threshold for exemption from charitable solicitation requirements to $50,000 from $25,000. The law will also specify that licensure applications are considered filed as of the date they are postmarked or electronically submitted.

NOW LAW: South Dakota HB 1116 passed the Senate on February 21, 2024 and was signed by Republican Gov. Kristi Noem on February 28. The law takes effect July 1. The law will make fraudulent solicitation of charitable contributions a deceptive act or practice.

NOW LAW: Tennesse SB 1935/Chapter 773 was signed by Republican Gov. Bill Lee on April 8, 2022 and took immediate effect. The law removes requirements that financial statements, annual event applications, charitable solicitation applications and athlete agent registrations filed with the secretary of state be sworn under penalty of perjury.

NOW LAW: Tennessee HB 1707 was signed by Republican Gov. Bill Lee on March 7, 2024 and takes effect July 1. The law will amend various provisions regarding charitable solicitations in the state including, in part, adding to the definition of a charitable organization by including a person that is determined by the Internal Revenue Service to be a tax-exempt organization pursuant to the Internal Revenue Code. The law will also:

Authorize the secretary of state, by order, letter, or other appropriate means, to enjoin the charitable organization, professional fundraiser, or other person from continuing an act or violation, or committing other acts in furtherance of it, during the course of an investigation.
Require renewal registrations to be accompanied by a copy of forms required to be filed with the U.S. Internal Revenue Service, and any other information the secretary deems appropriate to substantiate how funds were raised and spent by the organization. At least two authorized officers of the organization, one of whom must be the chief fiscal officer, must certify that the information provided under this law is true and correct to the best of their knowledge.
Prohibit a person from making any representation that such person is soliciting contributions for or on behalf of a charitable organization or from using or displaying any emblem, device or printed matter belonging to or associated with a charitable organization for the purpose of soliciting or inducing contributions from the public without first being authorized to do so by the charitable organization.

NOW LAW: Utah HB 43 was signed by Republican Gov. Spencer Cox on March 13, 2024 and took effect May 1, 2024. The law removes a requirement that charitable organizations register with the Division of Consumer Protection. The law will also prohibit deceptive acts related to charitable solicitations, including falsely indicating that the supplier is affiliated with the charitable organization.

NOW LAW: Virginia HB 1748/Chapter 289 was signed by Republican Gov. Glenn Youngkin on March 23, 2023 and took effect July 1, 2023. The law will expand the definition of solicitation to include requests made via email. It will also require any contract between a professional solicitor and charitable or civic organization to specify the percentage of gross contributions that the civic organization will receive or the terms upon which a determination can be made. The contract will also be required to specify that at least every 90 days the professional solicitor would be required to provide the charitable or civic organization with access to and use of all information in the professional solicitor’s possession concerning contributors.

NOW LAW: Virginia HB 464 was signed by Gov. Youngkin on April 2, 2024 and took effect July 1, 2024. The law raises the audit threshold from $1 million to $1.5 million.

NOW LAW: Wisconsin AB 912/Act 151 was signed by Democratic Gov. Tony Evers on March 21, 2024 and took immediate effect. The law raises the audit threshold from $500,000 to $1 million.

States: Nonprofit Governance

NOW LAW: Illinois SB 2930/Public Act 635 was signed by Democratic Gov. J. B. Pritzker on July 1, 2024, and effective as of January 1, 2025. The law will, in part, provide that a nonprofit, within 30 days after filing its annual AG990-IL Charitable Organization Annual Report, that reports grants of $1 million or more to other charitable organizations would need to post on its website, if applicable, the aggregated demographic information of the corporation’s directors and officers, including race, ethnicity, gender, disability status, veteran status, sexual orientation, and gender identity.

N.B. A suit challenging the law’s constitutionality was filed by American Alliance for Equal Rights on January 21, 2025. More information on the suit, as well as a link to the complaint, can be found in the NonProfit Times, here.

States: Salary Disclosure

Read more about this issue

PROPOSED LAWS:

Connecticut SB 1036, sponsored by Sen. Mae Flexer, was referred to the Joint Labor & Public Employees Committee on January 22. The bill would establish disclosures to ensure pay transparency and eliminate wage disparities. It would require employers to:

Disclose pay and other information in all job postings and notices, both internal and external.
Disclose all available job postings to all employees and disclose who was selected for such positions.
Disclose how to advance through career progressions available to eligible employees.
Preserve records of job descriptions.

Maine LD 54/HP 18, sponsored by Joint Labor Committee Chair Rep. Amy Roeder and introduced January 6, 2025. Referred to the Joint Labor Committee on January 6. The bill would require an employer with 10 or more employees:

To list the pay range for job postings.
Upon employee request, to disclose the pay range for the employee’s position.
To maintain a record of each position held by an employee and the employee’s pay history during employment and for three years after.

Virginia SB 1132 passed the Senate on January 28, 2025, and the House on February 18, both on partisan Democrat votes. Its transmittal to Republican Gov. Glenn Youngkin is pending. The bill would establish protections for existing and prospective employees. The bill would prohibit an employer from:

Seeking the wage or salary history of a prospective employee.
Relying on the wage or salary history of a prospective employee in determining the wages or salary the prospective employee is to be paid.
Relying on the wage or salary history of a prospective employee in considering the prospective employee for employment.
Refusing to interview, hire, employ or promote an employee or prospective employee or otherwise retaliating against a prospective employee for not providing wage or salary history.
Failing or refusing to disclose the wage, salary, or wage or salary range in each public and internal posting for each job, promotion, transfer, or other employment opportunity.

The bill would also establish a cause of action for an aggrieved prospective employee or employee.

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California SB 1162 /Chapter 559 was signed by Democratic Gov. Gavin Newsom on September 27, 2022, and took effect January 1, 2023. The law expands state pay data reporting requirements to cover contracted employees. The law requires a private employer having 100 or more employees to submit a pay data report to the Civil Rights Department. This law revises the timeframe in which a private employer is required to submit this information to require that it’s provisioned on or before the second Wednesday of May. This law requires the pay data report to include the median and mean hourly rate for each combination of race, ethnicity and sex within each job category. It also requires an employer, upon request, to provide an employee with the pay scale for the position in which the employee is currently employed. The law requires an employer with 15 or more employees to include the pay scale for a position in any job posting. The law requires an employer to maintain records of a job title and wage rate history for each employee for a specified timeframe, to be open to inspection by the labor commissioner

NOW LAW: Maryland HB 649/Chapter 271 alters the requirement that an employer disclose wage information to an applicant for employment. An employer will be required to disclose wage information in postings and to employees, as specified. A wage range disclosed by an employer will have to be set in good faith. The law also prohibits an employer from taking retaliatory action against employees and requires keeping a record of compliance for at least three years. The law was signed by Democratic Gov. Wes Moore on April 25, 2024 and took effect on October 1, 2024.

NOW LAW: Massachusetts HB 4890/Chapter 141 was signed by Democratic Gov. Maura Healey on July 31, 2024 and takes effect October 29, 2025. The law requires:

Annually, by February 1, a covered employer, subject to EEO-1 data report filing requirements, to submit to the state secretary a copy of its EEO-1 data report for the prior year.
In each odd-numbered year, not later than February 1, a covered employer, subject to federal EEO-3 data report or EEO-5 data report filing requirements, to submit to the state secretary a copy of its EEO-3 data report or EEO-5 data report, as applicable, covering the most recent filing period.
In each even-numbered year, not later than February 1, a covered employer, subject to federal EEO-4 data report filing requirements, to submit to the state secretary a copy of its EEO-4 data report covering the most recent filing period.

Employers will also be required to:

Disclose the pay range for a particular and specific employment position in posting it.
Provide the pay range for a particular and specific employment position to an employee who is offered a promotion, or transfer, to a new position with different job responsibilities.
Provide the pay range for a particular and specific employment position to an employee holding such position, or to an applicant for such position, upon request.

NOW LAW: Minnesota SF 3852/Chapter 110 is an omnibus labor policy act. Its provisions include requiring salary ranges be included in job postings. The act was signed into law by Gov. Tim Walz on May 17, 2024, and the relveant provisions are effective as of July 1, 2024, and Janury 1, 2025.

NOW LAW: New York SB 1326/Chapter 94 was signed by Gov. Kathy Hochul on March 3, 2023 and has effect from September 17, 2022 at the same time as SB 9427 from last session. The law specifies that existing laws on salary disclosure exclude remote work opportunities performed entirely out of state.

NOW LAW: Vermont HB 704 requires that job advertisements include the compensation or compensation range and job description for the advertised position. The act also prohibits employers from taking adverse action against current or prospective employees pursuant to the rights provided in the bill. The act was signed into law by Republican Gov. Phil Scott on June 4, 2024 and will take effect on July 1, 2025.