DATA PRIVACY LEGISLATION UPDATE
The Background: Europe compared to the United States
The first comprehensive online data privacy law emerged from the other side of the Atlantic Ocean. The General Data Protection Regulation (“GDPR” for short) was adopted by the European Union in 2016 and went into effect two years later. The law is designed to give individuals more control over how their data is collected, used, and protected online, and applies to organizations that handle data belonging to the citizens and residents of EU-member countries.
Compared to Europe, the landscape in the United States is much more fractured. While Congress can pass a nationwide data privacy law similar to the GDPR, it has not. The result is that residents of some states possess broader data rights than others. So far, California, Nevada, and Maine have passed comprehensive data privacy laws, while at least 24 other states have seen such laws introduced in their legislatures. It is important to remember that data privacy laws enacted in any one state generally only apply to residents of and organizations doing business in that state.
A State-by-State Approach in the United States
With enough petition signatures, California citizens may directly propose new laws and constitutional amendments, which are then put up for statewide election. This happened in 2018 when the consumer advocacy group Californians for Consumer Privacy obtained 629,000 signatures to qualify a ballot referendum designed to significantly expand the privacy rights of California consumers.
Instead of putting the measure in the hands of voters, the group’s organizers reached a deal with state legislators, who agreed to pass a bill providing new consumer privacy protections in place of the initiative. Thus, the California Consumer Privacy Act, or CCPA for short, was born.
Californians for Consumer Privacy has proposed a new ballot measure, which is slated for a vote in November 2020 after garnering over 900,000 signatures. If passed, the California Privacy Rights Act (CPRA or “CCPA 2.0”) would grant even more extensive privacy rights to Californians and would establish an agency devoted to enforcing those rights.
Not wanting to gamble with data privacy, Nevada expanded its residents’ rights soon after the CCPA was passed. In doing so, the Nevada legislature approved Senate Bill No. 220, which amends the state’s 2017 online privacy law.
The amendment gives its residents the right to opt out of “website operators” selling their data. It also requires those operators to provide an email address for consumers to make such a demand.
Consumers cannot sue if companies violate the law, as enforcement power is vested only with the state’s Attorney General. Civil penalties for violations can reach up to $5,000 per violation. Though not as comprehensive as California’s law, SB 220 went into effect on October 1, 2019, a few months before the CCPA.
Maine’s governor signed its data privacy law in June of 2019. LD 946 applies only to broadband internet service providers (ISPs) operating in Maine and prohibits those ISPs from buying or selling Maine residents’ personal information without their express approval.
In this sense, the law creates an opt-in, rather than opt-out, requirement, which is more restrictive than either California’s or Nevada’s law. The law also requires ISPs to take reasonable security measures to protect consumers’ personal information from unauthorized use, disclosure, or access and to provide clear and conspicuous notice of the consumer’s rights, and it prohibits ISPs from discriminating against consumers that refuse to opt in.
There are no mechanisms for enforcement outlined in the law, so it is unclear how consumers can vindicate their rights under the law. LD 946 took effect just a few weeks ago on July 1, 2020.
The States Still Studying Data Privacy
In lieu of passing comprehensive legislation, six states have authorized a study or task force to delve deeper into the issue of online data privacy within their jurisdictions and provide recommendations for what actions the state’s lawmakers should take moving forward.
· North Dakota enacted a bill on March 28, 2019, which provided for a legislative management study of the protections, enforcement, and remedies regarding the disclosure of consumers' personal data. The study will look at the privacy laws in other states as well as applicable federal law. The findings of the study will be presented during North Dakota’s next legislative session, which is slated to start on January 5, 2021.
· Hawaii passed a resolution convening a task force to examine and recommend laws and regulations to update the state’s privacy laws on April 30, 2019.
· Louisiana passed a similar resolution a couple of months later when its legislature requested that the Southern University Law Center establish a task force to study the effects of the sale of consumer personal information by internet access service providers, social media companies, search engines, or other websites and providers of online services that may collect and sell consumer personal information.
· Texas adopted a data-breach notification law in June of 2019, which also established an advisory council tasked with studying data privacy laws in Texas, other states, and around the world. The council will make recommendations to the legislature on specific statutory changes regarding privacy no later than September 1, 2020.
· Connecticut legislators opted to pause their consideration of a CCPA-copycat bill in favor of a task force assigned to study the state’s consumers’ interest in protecting their privacy and the possible methods to achieve such protection, while not overly burdening businesses in the state.
· Massachusetts lawmakers similarly pumped the brakes on a comprehensive online data privacy bill in February of 2020. As introduced, the bill permitted any consumer to bring a lawsuit against any violating business or service provider, whether the consumer suffered actual damages or not. Critics of the bill suggested that the broad private right of action would result in a wave of class-action lawsuits. In the end, the Joint Committee on Consumer Protection and Professional Licensure issued a study order to review the bill, with the expectation being that a revised version will be introduced during the next legislative session at the beginning of next year.
The States That Have Tried and Failed…So Far
Since the passage of the CCPA, legislators in at least 18 states besides the ones mentioned above have introduced comprehensive online data privacy legislation. Many of these bills mirror the CCPA provisions, granting consumers more control over their data and outlining how businesses can handle that data.
Many, but not all, authorize private rights of action, and a few expressly permit authorized agents. Unfortunately, all the proposed bills have died at various points in the process.
For example, proposals in Arizona, Florida, Illinois, Iowa, Minnesota, Nebraska, New Hampshire, New Jersey, New Mexico, New York, Rhode Island, South Carolina, Texas, Virginia, and Wisconsin have all failed to make it out of committee in the chamber in which they were introduced.
Maryland’s HB 784, a very similar bill to the CCPA, was passed by the state’s House of Delegates. But it failed after receiving an unfavorable report from the Senate Finance committee.
And then there is Washington’s data privacy law from earlier this year. The Washington Privacy Act would have provided many of the same rights to consumers as the CCPA does – including the right to deletion and the right to opt-out of the sale of personal information – and even more stringent obligations upon companies doing business with the state’s 7.5 million-plus residents. Despite passing easily in both chambers, the House and Senate could not reconcile differences over whether the law should be enforced by the state attorney general or consumers through private lawsuits. In the end, the Act died in Conference Committee, just a step away from Governor Inslee’s desk.
What About the Federal Government?
An April 2020 report by the Electronic Privacy Information Center (EPIC) found that there are 11 bills being considered in the 116th United States Congress. Like most of the state bills, none of them have seen much forward progress, and are unlikely to do so in light of the current pandemic, meaning any federal action will likely be pushed back until the next session, which starts in January 2021.
Most People Want Stronger Data Privacy Protection
Though it may appear hard to believe in a day and age where liberals and conservatives seem to disagree on just about everything, Americans across the political spectrum overwhelmingly want more governmental control over how companies handle their data. According to a Pew Research Center survey of a nationally representative panel of 4,272 randomly selected U.S. adults conducted in June of last year, three-quarters (75%) of Americans desire more governmental regulation around what companies can do with their customers’ personal information. That figure included over 80% of Democrats and 70% of Republicans. Bearing this out is the fact that data privacy laws have been introduced by legislators from both sides of the aisle in both state and federal legislatures.
If Everyone Agrees, What’s The Holdup?
While Americans seem to agree that the country needs more stringent data privacy laws, legislatures can’t seem to find common ground on the details. Similar to what happened in Washington, one of the main areas of contention for lawmakers and businesses is the inclusion – or not – of a private right of action. Consumer protection advocates like EPIC say authorizing individuals to sue companies is imperative for effective enforcement. Businesses, meanwhile, want to minimize their exposure to litigation.
While the concern of overburdening businesses is not unwarranted, we at DDP firmly believe that a private right of action is integral to any new online data privacy law. Without a private right of action, the new laws lack teeth; with a private right of action in an Illinois state law, companies like Facebook have agreed to pay $650 million to settle a privacy class action for just Illinois residents. Just imagine if that Illinois law applied nationwide! Furthermore, we believe consumers should be empowered to authorize agents to vindicate their rights and mobilize the power of collective action. Without these provisions, businesses will lack a strong enough incentive to change their data handling practices.
What You Can Do
With your help, the Data Dividend Project can help convince legislators that laws like the CCPA are both vital and effective in protecting the data rights of Americans and should be put on the books across the nation. Together we can enforce your data privacy rights. Sign up now at Data Dividend Project.