New ‘quirks’ could make states’ privacy laws impossible to follow, experts worry

Speakers during a recent webinar repeated their calls for Congress to pass a national standard, and warned that new approaches in several states could complicate matters further.
Time ran out once again last year on a new federal data privacy law, as the proposed American Privacy Rights Act died at the end of the 118th Congress and has yet to be reintroduced.
The national effort would have preempted the approximately 20 state-level comprehensive data privacy laws that have been signed in recent years, with state leaders keen to get moving in the absence of Congressional action.
And while the concerns about a “patchwork” of state privacy laws remain, speakers at a recent webinar said they are now worried that new state laws will have even more subtle differences that will make compliance even more complicated, especially for small businesses. Only Congress and its preemption ability can step in, they said.
“We talk a lot about a patchwork, but you might even get to a point where this becomes mutually exclusive, where complying with one may not result in compliance with another,” Jake Morabito, senior director of policy at the American Legislative Exchange Council, said during a webinar this month hosted by the Information Technology and Innovation Foundation. “Instead of that race to the top, ‘I'll just comply with the strictest one and then I'm covered across the states,’ that may no longer be an option depending on how this goes, which is why it's so imperative that Congress steps in and why that preemption piece is necessary.”
Several different models appear to be emerging in state privacy laws, Morabito said. On one side is Virginia, which he said has taken a “sensible approach” to privacy using notice and consent, where users get a transparent explanation of how their data is collected, used, stored and protected. Meanwhile, Maryland looks to codify data minimization, which requires organizations to collect, process and retain only the minimum amount of data needed for a specific purpose.
Maryland’s approach appears to have gained popularity in other states, including Maine and Massachusetts, he said.
Deborah Collier, vice president of policy and government affairs at Citizens Against Government Waste, said a previous proposal in New Mexico looked like an “entirely new framework.” It required that users’ default privacy settings be set as high as possible online, and that websites should take reasonable yet undefined steps to protect users’ confidentiality.
The bill died last year, but Collier warned that other states may try to go even further, and so make compliance extremely difficult.
“It remains entirely possible that states will continue to introduce new styles, frameworks and their own quirks, especially as they each try and protect more privacy than their neighbors or the other similarly situated states,” she said. “[That] would introduce a ton of wrinkles for small businesses to navigate, and pull resources away from hiring and growth and innovation and a lot more.”
The differences in state laws have been so noticeable, Morabito said, that ALEC adopted what he said might appear to be an “antithetical” resolution for a single federal privacy standard. Others said that small businesses in particular will struggle in the face of complying with 50 different state privacy laws.
“No small business wakes up in the morning like, ‘You know what I want to do today? Actually, I want to just completely get rid of privacy and not have that for my consumers,’” said Morgan Stevens, a policy associate at The App Association trade group. “They want to do so. They want to help protect their consumers’ privacy and one set of rules will help make that happen.”
It’s far easier for larger businesses with batteries of attorneys to comply with a variety of state laws, Collier said. But it stifles growth for smaller organizations.
“A small business doesn't want to necessarily stay small forever,” Collier said. “They might want to grow, but in order to grow, they have to have the resources to do that, and they can't afford the attorney fees to comply with 20 or more different state laws when it is interstate commerce that they're doing. Anything that's over the internet has to be considered interstate commerce.”
Morabito said, given the gridlock in Congress and its shifting focus to other areas of technology like artificial intelligence and children’s online safety, a national data privacy standard is becoming more unlikely.
“The longer this goes on, I feel like the prospects are getting dimmer,” he said.



