At least 18 states considered comprehensive privacy bills this year, some raising more red flags than others. The New York Privacy Act would create a “data fiduciary” concept that requires data controllers to exercise duties of care, loyalty, and confidentiality. This means controllers would be obligated to provide consumers the opportunity to opt-in or opt-out of any processing of their personal data, not just sale, but all processing. Meanwhile, the Massachusetts SD 341 and Maryland’s Online Consumer Protection Act departs from the California Consumer Protection Act (CCPA) by allowing consumers to opt-out of any disclosures to third parties, not just sales, but all disclosures, subject to limited exceptions. In addition, the states would provide for a narrower set of exceptions than the CCPA for businesses regarding data subject rights to delete data.