Posted by Chris Alarie on Fri, 03/26/2021 - 09:47
The passage of Virginia’s new data privacy law—the Virginia Consumer Data Protection Act (VCDPA)—earlier this month has brought renewed attention to and likely spurred additional urgency with regards to the spate of similar data privacy laws making their way through multiple state legislatures. While not every one of these proposed laws will eventually be enacted, it is highly likely that some will and, perhaps, might eventually lead to the passage of federal consumer data protection legislation.
Just since Virginia Governor Ralph Northam signed the VCDPA on March 2, the following data privacy legislation actions have been taken:
- March 5: New York legislators introduced the Digital Fairness Act.
- March 5: The Oklahoma House of Representatives passed the Oklahoma Computer Data Privacy Act and referred it to the State Senate Judiciary Committee.
- March 15: New Jersey legislators held a hearing in the Assembly Science, Innovation and Technology Committee on three proposed bills related to data privacy.
- March 15: West Virginia lawmakers introduced a data privacy bill.
- March 16: Illinois legislators referred their proposed data privacy legislation to the Illinois House’s Judiciary-Civil Committee.
- March 17: Washington legislators held a public hearing on the Washington Privacy Act.
- March 19: Colorado lawmakers introduced the Colorado Privacy Act.
- March 23: Florida lawmakers discussed the state’s proposed consumer data privacy bill in the legislature’s Civil Justice & Property Rights Subcommittee.
The recent history of regulatory and legislative activity to protect consumer data privacy began with the European Union’s General Data Protection Regulation (GDPR) in 2016 and found its first United States legislation in California’s California Consumer Protection Act (CCPA) in 2018. The flurry of activity following the passage of the VCDPA indicates that these sorts of laws will soon extend across the country, beyond California and Virginia. Six states—Connecticut, Florida, Illinois, New Jersey, Oklahoma, and Washington—are currently considering data privacy legislation. 13 additional states—Alabama, Arizona, Colorado, Kentucky, Maryland, Massachusetts, Minnesota, New York, Rhode Island, South Carolina, Texas, Vermont, and West Virginia—have active bills that have been introduced during their states’ legislative sessions. Some of these states are considering multiple pieces of legislation on the subject and Washington’s legislature has introduced data privacy legislation three years in a row.
All of these laws generally allow consumers some degree of control over their personal data. However, the degree of control varies significantly. For example, some laws allow consumers to request that their data be deleted while others don’t. There are also discrepancies between the laws in terms of how they are enforced, what sorts of requirements they put on businesses, what standards of applicability there are, how key terms like “consumer” are defined, which kinds of data are covered, and which sorts of exemptions exist. These discrepancies can make a significant difference for businesses and consumers.
The discrepancies between various proposed state laws—as well as the differences between the CCPA and VDCPA—factor into the debate regarding the most recently proposed federal legislation on consumer data privacy. Rep. Suzan DelBene (D-WA) introduced the Information Transparency and Personal Data Control Act (ITPDCA) in the House of Representatives on March 10. This is the third straight year she has introduced a consumer data privacy bill but neither of the previous two advanced very far. Having previously been an executive in the tech industry, Rep. DelBene has adapted her most recent proposed legislation to make it more favorable to businesses, in hopes of attracting support from Republicans. Most notably, it would preempt state laws. This is a significant point of contention as the ITPDCA would offer significantly fewer consumer protections than either the CCPA or VDCPA. For example, the CCPA contains a private right of action while the ITPDCA does not.
It is unclear which of these bills will actually become law, although it seems inevitable that some will. Further consumer data privacy regulations will be passed into law at the state and, eventually, federal level. The main consequence of all this recent activity is to demonstrate how the various stakeholders are already battling to control whether those regulations will favor the interests of consumers or businesses.