Since the start of 2021, at least 22 states have introduced sweeping consumer privacy bills. Many of these bills would include consumer rights modeled after privacy laws in California and Europe, such as the right to opt out of certain data uses, and the rights to access, correct and delete one's personal information. Many companies have taken significant steps to comply with the California Consumer Privacy Act (CCPA), but obligations around consumer privacy are likely to grow as other states move forward with their own legislation, each with its own nuances. Following in California's footsteps, the Virginia General Assembly passed – and Gov. Ralph Northam recently signed – comprehensive privacy legislation known as the Consumer Data Protection Act (CDPA) that will go into effect on Jan. 1, 2023.
As the year progresses, companies should monitor legislative developments that may significantly increase their future privacy obligations and consider whether additional resources and operational changes for handling personal information may be needed in order to come into compliance with additional laws before they go into effect.
Each of the proposed privacy bills would require some form of notice to consumers. For example, organizations that collect or sell consumer information would have to provide notice at or before the point of collection to their consumers.
What New Rights Would Consumers Get?
As shown below, most bills provide state residents with new rights similar to those in the CCPA or its successor, the California Privacy Rights Act (CPRA), which goes into full effect in January 2023.
^ Indicates the bill has been signed into law
* Indicates the bill has died for 2021
Right to Opt Out
At least 11 states would include a right for consumers to opt out of the sale of personal information. Florida's legislation would require that covered entities provide consumers with notice of their right to opt out.
Right to Correction
Similar to the CCPA, at least eight states would grant consumers the right to correct inaccurate personal information subject to a verified consumer request. New York and New Jersey would both require that, upon receipt of a request to correct information, an entity must do so without unreasonable or undue delay.
Private Right of Action
While most bills would rely on state attorneys general for enforcement, several – in their current form – would provide individuals with a private right of action. These states include Alabama, Florida, Massachusetts, Minnesota, New Jersey and New York. In New York, a violation would constitute an unfair or deceptive trade practice and an unfair method of competition. The new law in Illinois includes a limited private right of action for breach of unredacted or unencrypted personal information due to failure to maintain reasonable security practices. The proposed legislation in Texas, which would not include a private right of action, offers immunity to businesses that are in compliance with the bill's regulations from liability to third parties that are found to be in violation.
Even in the absence of a comprehensive federal law, which may happen in the not-so-distant future, the pressure on companies to implement policies and practices that protect the privacy rights of consumers continues to grow. In addition to the 22 states with pending privacy bills that would introduce a wide array of new consumer rights and compliance obligations, other states have committees or task forces actively addressing consumer privacy issues. These developments reflect a growing focus on data privacy as both Congress and state legislatures attempt to respond to the public's calls for greater privacy protections and accountability.
Managing consumer privacy – together with cybersecurity – will continue to grow as an important legal compliance and risk management function at organizations of all sizes and across all business sectors. Recent legislative developments should further inform organizations on taking privacy and security considerations into account when planning ahead to build and expand their products and services, implement new data systems, develop digital and marketing strategies and allocate risk management resources.