Navigating the Patchwork of State Data Privacy Laws

By David Giusti
Senior Manager, LexisNexis® State Net® 

The California Consumer Privacy Act (CCPA) sent chills up a lot of spines within corporate legal departments when it was adopted in 2018. This was the first comprehensive, consumer-facing data privacy law passed at the state level, and was widely viewed to be a harbinger of similar state data privacy laws that would soon flood across the nation like a tidal wave.

Nevada, Maine and even some major municipalities toed the water in the immediate aftermath of the adoption of CCPA, though none went nearly as far as the California law. Colorado and Virginia have each come closer since then, but even their laws do not contain the CCPA’s groundbreaking “private right of action” component that allows customers to sue businesses whose carelessness with securing their Personal Identifying Information (PII) leads to a data breach.

Meanwhile, proposed legislation in several states where a privacy law had strong support—Florida, Oklahoma and Washington—failed to pass because lawmakers disagreed on enforcement, according to Compliance Week®. As 2020 drew to a close, there was more confusion than clarity on the trajectory of CCPA-influenced data privacy legislation at the state level.

Surge in Proposed Legislation

When the new legislative sessions started in January 2021, the data privacy floodgates opened up again, and in-house legal departments have taken notice. For example, a new Florida privacy measure was passed in that state’s House chamber in April, and the Law360® service reports that the bill is now under intense attack by powerful lobbying groups that argue it is a looming compliance disaster for businesses.

Indeed, “according to the State Net® database, at least 27 states have introduced far reaching consumer data privacy measures in 2021,” according to Rich Ehisen, managing editor of the State Net Capitol Journal™.

Corporate legal professionals have a daunting challenge of keeping up with these numerous state legislative debates across the U.S. And while many of the proposed bills share some basic principles, the details and enforcement mechanisms vary widely from one jurisdiction to another. This presents a real conundrum for in-house counsel to determine what actions should be taken with their corporate data privacy policies when there is so much uncertainty about where state-specific legislation is headed.

Updating the Corporate Data Privacy Policy

Most in-house legal teams appear to have chosen to develop data privacy policies that will comply with the most restrictive state legislation—which is still the CCPA at this point—and thereby maintain a conservative risk management posture that assures compliance with less stringent state laws. Other in-house teams appear to be taking a more agile approach, modifying their policies for individual states in which their commercial interests are sizable enough to justify a bespoke approach to data privacy in that jurisdiction.

Regardless of the strategic approach, all in-house legal teams face the same dilemma: how to walk through the significant compliance challenges posed by the patchwork of data privacy laws that vary from state to state.

Here are six key areas for corporate legal departments to review in their consumer-facing data privacy policies to make sure they are in compliance with CCPA-style legislation under consideration at the individual state level.

1. Method of Disclosure
   Businesses must include the information required to be disclosed under state data privacy laws in two places: (1) An online privacy policy, if they have one that is published for consumers; or (2) A corporate website that is accessible to consumers.
   
   
2. Updating Requirement
   Businesses must update the information required to be disclosed under the relevant state data privacy law at least once every 12 months.
   
   
3. Description of Consumer Rights
   Businesses must include a description of the following consumer rights that are established in some proposed data privacy laws:
   • For businesses that collect personal information about consumers, the right to request details about how this information is collected, what is collected and why it is collected
   • For businesses that sell personal information, the right to request details about what kind of information is sold, to whom it is sold and any other commercial purposes for which it is used
   • The right to not be discriminated against by a business (e.g., denial of goods or services, charging different prices, providing different level of services, etc.) because the consumer exercised any of their rights under the data privacy law
     
     
4. Disclosure of Methods for Submitting Requests
   Businesses must disclose to consumers one or more designated methods for submitting requests to exercise consumers’ rights under the new data privacy laws.
   
   

5. Disclosure of Personal Information Collected
   Businesses that collect personal information about consumers are required under CCPA-style state data privacy laws to disclose five items to those consumers:
   1. The categories of personal information it has collected about that consumer
   2. The categories of sources from which the personal information is collected\
   3. The business or commercial purpose for collecting or selling information
   4. The categories of third parties with whom the business shares personal information
   5. At the consumer’s request, the specific pieces of personal information it has collected about that consumer
      
      

6. Information Sold or Used for a Business Purpose
   Businesses that sell consumers’ personal information—or that share personal information for a business purpose—must disclose this information in two separate lists: (1) The specific categories of personal information it has sold in the preceding 12 months; and (2) The specific categories of personal information it has shared for a business purpose in the preceding 12 months. If the business has not sold or shared consumers’ personal information in the preceding 12 months, it must disclose that fact instead.
   
   

Resources to Guide You

There are a number of useful resources available to help corporate legal professionals monitor the progress of data privacy legislation at the individual state level. The International Association of Privacy Professionals U.S. State Privacy Legislation Tracker is an intuitive tool that keeps in-house teams up to date with what is under consideration in various states and what is coming next in those respective processes.

The LexisNexis® State Net® legislative tracking system monitors pending data privacy bills and regulations and local ordinances in all 50 states and the District of Columbia, U.S. territories and select municipalities. For a complimentary State Net data privacy legislation report that you can download, please click here.*

*LexisNexis, a division of RELX Inc., may contact you in your professional capacity with information about our other products, services and events that we believe may be of interest. You can manage your communication preferences via our Preference Center. You can learn more about how we handle your personal data and your rights by reviewing our Privacy Policy.