Connecting state and local government leaders
In the absence of federal action on data privacy standards, several states have stepped up. But some warned that could create a patchwork of laws and result in a compliance nightmare for businesses.
After much debate, a committee in the U.S. House of Representatives last year finally approved comprehensive data privacy legislation. But the bicameral bill never made it to the House or Senate floor for a vote, despite the legislation’s vast public support.
Indeed, the Pew Research Center in 2019 found that a majority of Americans are concerned about how their data is being used and believe they have little control over how it is collected by companies or the government.
In the absence of federal legislation, states have stepped in hoping to put those concerns to rest. Twelve states so far have enacted comprehensive data privacy legislation, a trend that began in California in 2018 and was most recently joined by Delaware this year. Other states have passed laws for specific use cases, like children’s online privacy.
“State legislators have been concerned about privacy issues for a number of years,” said Heather Morton, director of financial services, technology and communications at the National Conference of State Legislatures, or NCSL. “And I see it continuing at this level of interest for the foreseeable future.”
California’s effort began as a ballot proposition, with lawmakers eventually writing their own law to prevent the ballot measure from passing and thus being unamendable.
Several states saw California’s effort as a “springboard” for their own, Morton said. Data privacy laws in Colorado, Connecticut and Virginia went into effect this year, with Utah’s to follow on Dec. 31. Next year and the year after, data privacy laws in Indiana, Iowa, Montana and Texas will take effect.
Nikki Bhargava, a partner at law firm Reed Smith who advises clients on data privacy laws, said a major commonality between these efforts is to provide consumers transparency about how their data is used and how they can control that use. Many state laws have requirements for websites’ privacy policies, including what data they are allowed to collect and how they communicate that to the public.
“There was a perception that the public didn't understand what information they were actually giving to companies,” Bhargava said, “and they didn't fully understand how companies were using that information.”
Erik Weinick, who practices in the law firm Otterbourg’s bankruptcy and litigation practices and is also a co-founder of its privacy and cybersecurity practice, said another similarity is that these laws take children’s privacy “very, very seriously.”
But there are a lot of differences as well. One of those is the threshold of liability companies and governments face if they violate the law.
Weinick said some legislation uses the monetary size of the organization. Others use the amount of data a company processes to determine damages, or how much of an organization’s revenue is tied to the use or sale of personal data. Some state privacy laws can only be enforced by the state, while a few have a private right of action, meaning that victims have standing to bring a lawsuit against a violating company and recover damages.
“When it comes to data privacy, there's certainly consistency and uniform underlying concepts amongst the various states that have acted, but there are some meaningful differences, especially when it comes to who it applies to,” he said.
Morton noted that some laws target specific ways data can be collected, like through biometric technology, while other states have exerted more energy protecting certain types of data, like ensuring public employee or health data is well protected.
One headache for state legislators as they pass privacy legislation is the advancement of technologies, which could lead to new challenges not encompassed by existing laws. Lawmakers have tried to be “technology agnostic” and focused instead on how data is being used, Morton said. But emerging technologies like artificial intelligence are still gathering momentum, she added, and it remains to be seen whether existing data privacy laws will cover all its effects.
States having different data privacy laws, though, could create a compliance challenge for companies, as they try and ensure that their data practices are in keeping with sometimes disparate policies. In arguing for federal legislation, national lawmakers have previously warned of a patchwork of state laws that could make compliance not only difficult, but expensive.
Weinick said that in the meantime he advises clients to seek to comply with whichever state’s laws are the most stringent, depending on if their business falls under that state’s jurisdiction. He said that in time perhaps data privacy legislation could mirror the Uniform Commercial Code that helps harmonize state laws governing commerce, but that is a long way off.
“In theory, if you comply with the most stringent, you've complied with the least stringent as well,” he said. “The flaw in that approach, of course, is if there's a conflict between them.”
While federal inaction may prompt state legislatures to continue legislating on data privacy, some warned that a national law may preempt those existing state laws, if it ever comes. Morton said NCSL opposes any “blanket preemption” of state laws by a federal standard, and encouraged Congress to work with the states to find the best solutions possible.