So far, 2021 is shaping up to be an important year for data privacy legislation. In March, Virginia enacted the Consumer Data Protection Act (CDPA) — the nation’s second comprehensive data privacy law. Dozens of state legislatures are actively considering data privacy bills, with California continuing to ramp up enforcement of the California Consumer Protection Act (CCPA). Meanwhile, with Democrats in control of both the White House and Congress, the prospects of a comprehensive federal data privacy law have increased, and the first data privacy bill introduced in this Congress holds promise as a possible law that could garner bipartisan support.
With the increased focus on data privacy and proposed legislation, there is also reason to expect a significant increase in enforcement actions and resource allocation for protecting consumer data over the next few years.
The recently introduced data federal privacy bill — Representative DelBene’s (D-WA) Information Transparency and Personal Data Control Act, H.R. 1816 — would appropriate $350,000,000 to the FTC “for issues related to privacy and data security” and would require the FTC to “hire 500 new full-time employees to focus on privacy and data security, 50 of which shall have technology expertise.”
To put this into prospective, the FTC’s fiscal year 2021 budget requests “a program level of $330,199,000 and 1,140 full-time equivalent positions,” and the FTC’s Division of Privacy and Identity Protection, which oversees privacy related issues, only employed 40-45 full-time employees in 2020. If passed, this federal privacy law would more than double the FTC’s resources for privacy-related enforcement — an area the FTC is already actively pursuing through current privacy-related laws.
At the same time, state regimes have already started to take action to increase funding and resources. In November 2020, California voters approved Proposition 24 — the California Privacy Rights Act (CPRA) — which amends the CCPA and creates the California Privacy Protection Agency (CPPA). The CCPA is the first agency created in the U.S. for the sole purpose of protecting consumers’ privacy rights, and it has already been allocated $10 million in funding in the California governor’s proposed 2021-2022 budget. The CPPA is expected to be aggressive in its enforcement of the CPRA and will likely impact all future state and federal privacy laws.
Similarly, the Virginia attorney general’s office will soon begin staffing in preparation to begin enforcing the CDPA in January 2023. While the CDPA does not provide any funding to the attorney general, it does establish a fund for civil penalties intended to support the attorney general’s enforcement of the CDPA. It is conceivable this self-funded approach may actually encourage the attorney general to be more aggressive in enforcing the CDPA (and collecting penalties) to ensure it has the necessary resources to protect consumer’s privacy rights in Virginia.
Based on the current climate and increased focus on data privacy at both a federal and state level, it is very possible that in the next few years, the U.S. will have both a comprehensive federal privacy regime with increased funding and resources to the FTC and a robust state-level privacy framework with increased funding and resources to state agencies.
Though a federal privacy law that includes preemption could change this course, the current direction of data privacy laws suggests that federal and state regulators will continue to throw more and more resources and funding at enforcing privacy laws. This begs the question: Will the number of enforcement actions ultimately be disproportionate to the needs of consumers?