When California adopted its first-in-the-nation data privacy law in 2018, many observers predicted it would lead to a wave of similar laws across the states.
They were right in one way: according to the State Net database, at least 27 states have introduced far-reaching consumer data privacy measures in 2021. But for all its sound and fury, this wave has so far mostly crashed harmlessly on the sand without any real consequence.
Shortly after California adopted the California Consumer Privacy Act (CCPA), Nevada adopted a law requiring businesses to offer consumers an opt-out from having their data sold. Maine later barred Internet providers from selling customers’ data without express written permission. But to date, the only measure truly comparable to the CCPA to become law is Virginia’s SB 1391, the Consumer Data Protection Act (CDPA), signed by Gov. Ralph Northam (D) on March 2nd.
The fate of this year’s remaining bills is murky. As of this writing, bills are still technically alive in at least 19 states, while measures have gone down to defeat in Maryland (SB 930), Utah (SB 200), West Virginia (HB 3159), Kentucky (HB 408), North Dakota (HB 1330), Oklahoma (HB 1602) and Mississippi (SB 2612).
Of those remaining, most are stuck in committees with time fast running out to see any action this year, as the majority of legislatures adjourn between mid-May and June 1st. Connecticut lawmakers adjourn on June 9th and Rhode Island ends its legislative session on June 30th.
California vs. Virginia
There are definite similarities and stark differences between the California and Virginia laws.
At the time of its adoption, the CCPA applied to any company that met any one of three primary criteria:
- Has adjusted gross annual revenues of $25 million or more;
- Obtains at least 50 percent of gross annual revenue from selling California consumers’ data; or
- Buys, sells or trades the data of at least 50,000 California residents annually, regardless of revenues earned from those transactions (more on this below).
In contrast, the Virginia measure – which takes effect in 2023 – applies only to companies that either:
- Buy, sell or trade the data of at least 25,000 Old Dominion consumers and obtain 50 percent or more of their gross revenues from those sales; or
- Control the data of 100,000 Virginia consumers in a calendar year.
Both laws carve out protections for employers and benefits administrators, and each offers an exemption for “publicly available information.” The big difference is how the two states define “publicly available.”
In California, information counts as publicly available only if it comes from federal, state or local government records; anything else most definitely does not. In Virginia, however, the definition is much broader and considerably more complex.
That said, the Virginia measure appears to have more punitive bite. While both impose fines of $7,500 per violation, the CDPA comes with far less wiggle room on those penalties than does the CCPA.
Sheila Fitzpatrick, president and founder of Fitzpatrick and Associates, a California-based data privacy compliance consulting firm, says one major variance between the measures is the age at which parents will be able to invoke data protections on behalf of their kids.
“In California, the age of consent is 16,” she says. “In Virginia, it’s 13, which really is quite a significant difference.”
The CCPA was also not the final word on privacy in the Golden State. California voters last fall endorsed Proposition 24, a measure that increases the CCPA’s threshold number of consumers or households from 50,000 to 100,000, which effectively reduces the number of small and mid-sized businesses regulated by the law.
But among many other things, the new law (the California Privacy Rights Act) also more closely aligns the definition of consumer consent with the European Union’s General Data Protection Regulation (GDPR) and broadens the law’s applicability to businesses that generate most of their revenue from sharing consumer data, not just selling it.
The new law goes into effect on January 1st, 2023 and becomes enforceable that July.
Private Right of Action
At least eight of the measures introduced this year would allow individual consumers to sue businesses that violate a request to opt out from having their data retained or sold.
The “private right of action” component has long been vehemently opposed by business advocates, who contend it will lead to another kind of wave – a tsunami of lawsuits.
“Many of these businesses have just barely survived the pandemic and if this bill passes they will face significant compliance costs and legal exposure at a time when they really can’t afford it,” Florida Retail Federation lobbyist Grace Lovett recently told a Sunshine State House committee considering HB 969, a measure that contains the component.
The bill nonetheless cleared the committee unanimously on April 14th and passed the full House on April 21st. It is now in the Senate, where its future is uncertain. Although the House bill has drawn support from Gov. Ron DeSantis (R), the Senate passed its own version of the bill (SB 1734) on April 29th that stripped that component out. (It is unclear if the chambers will reconcile the two measures. The Florida legislative session ends on April 30th, the day this issue goes to publication.)
A similar battle played out again in Washington, where Evergreen State lawmakers have spent much of the last three years coming tantalizingly close to consensus on sweeping data privacy legislation, only to run aground over the enforcement mechanism, including the private right of action. Two such measures this year – HB 1433 and SB 5062 – came in with a roar, only to die with barely a whimper.
Fitzpatrick says that isn’t surprising.
“States are trying to straddle the line between being business friendly with the consumer’s right to protecting their data,” she says. “That’s a very difficult position, especially in the U.S., which is very much more of an employer-focused environment than in many other countries.”
After years of debate but not much action, some observers think Congress might finally be poised to seriously consider a federal privacy law this year in the form of the Information Transparency and Personal Data Control Act, introduced on March 10th.
In a statement, bill sponsor Rep. Suzan DelBene (D-WA) called data privacy “a 21st Century issue of civil rights, civil liberties, and human rights” and said states are “understandably advancing their own legislation in the absence of federal policy,” adding that “Congress needs to prioritize creating a strong national standard to protect all Americans.”
Under her measure, consumers would have to opt in to having their data collected and sold – as opposed to the current system, which allows companies to do so unless a consumer specifically opts out – and companies would have to fully disclose when they are sharing that information, with whom they are sharing it and why. They would also have to submit to a third-party privacy audit every two years.
The Federal Trade Commission and state attorneys general would be tasked with enforcing the law. The FTC would also be given the authority to impose future regulations rather than waiting for Congress to debate and pass new laws.
The measure has drawn support from several major retail trade and technology organizations, who are thrilled the measure does not contain a private right of action and would pre-empt any current or future state privacy bills.
But her bill is expected to soon have competition, and lots of it. Sens. Kirsten Gillibrand (D-NY), Sherrod Brown (D-OH) and Ron Wyden (D-OR) have indicated they will be reintroducing revamped versions of previous privacy measures, all of which are much more stringent than DelBene’s bill. Several more privacy measures are expected to be introduced in the House.
While Democrats currently control both Congress and the White House, there is no clear consensus which of these measures, if any, has the best chance to get to President Joseph Biden’s desk. And even if DelBene’s bill does get there, she told Vox earlier this year the bill is meant to be “foundational” rather than the final word on data privacy.
Fitzpatrick is not optimistic that any of these measures will become law any time soon. And even if one does, she thinks the massive influence of Big Tech on lawmakers is likely to prevent such a measure from being anywhere near as tough as the GDPR.
If so, the onus to address data protection will remain on states well into the future.
--By RICH EHISEN
One State Enacts, Others Considering CCPA-Like Data Privacy Laws
Last month Virginia became the first state to enact a data privacy law similar to the landmark California Consumer Privacy Act (CCPA) enacted in 2018. CCPA-like legislation is still pending in at least 19 states but has failed in seven.