In the past four months of 2021, the amount of state legislative activity around consumer data privacy laws has been frantic, by state legislatures' standards. So much so that it is not easy to discern the cause of all this effort: are consumers demanding action, are market forces lobbying for the least restrictive options, or have legislators initiated these efforts on their own, seeing that their citizens must not only be protected from data breaches but also be encouraged to exercise control over their personal information?
State of Laws
In the U.S., existing consumer privacy laws are either sectoral based (think, healthcare and financial services) or state-law based. Despite several federal bills being introduced over the past few years, the U.S. Congress has failed to pass any comprehensive consumer-based data privacy laws to date. (See, “Information Transparency & Personal Data Control Act” introduced by Rep. Suzan DelBene (D-WA) March 10, 2021; “Consumer Data Privacy and Security Act” introduced by Sen. Jerry Moran (R-MO) May 6, 2021; “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” introduced by Sen. Roger Wicker (R-MS) Sept. 17, 2020. See also, Consolidating US privacy legislation: The SAFE DATA Act, aipp.org).
Instead, as it often does, California led the way with its groundbreaking California Consumer Privacy Act (CCPA) in 2020, and Virginia followed abruptly in April this year with its “CCPA-like” Virginia Consumer Privacy Act. Also, there are a variety of proposed consumer data privacy laws currently pending in 13 other states (AB, AL, CO, CT, IL, MA, MN, NC, NJ, NY, RI, SC, and TX). As of May 5th, state lawmakers have introduced bills in 26 states, and 10 states (AZ, FL, KY, MA, MI, ND, OK, UT, WA, and WV) have rejected these legislative attempts.
In each case, the center of attention is the consumer and their personal information: who should be held accountable for its use and protection, and how. Although views on the value of privacy vary among the consumer population, consumers are key stakeholders and beneficiaries in the data privacy protection arena. At the heart of privacy legislation is the personal information shared by millions of U.S. consumers, millions of times a day in a million ways, on ecommerce websites, social media, and elsewhere across the internet. It is names, mail and email addresses, telephone numbers, financial account numbers, and various other categories of personal and, sometimes, sensitive personal information (political affiliations, biometric, genetic), and the invisible sharing and re-sharing of such information that manifests, in one way, in the speedy receipt of advertisements for products or services that were purchased, or merely admired, for that matter.
One of the most unique features of the CCPA was its “private right of action” that enables California residents to sue covered companies for violations of the CCPA in certain situations. Since Jan. 1, 2020, when the CCPA became effective, there have been numerous class action lawsuits using consumers’ private right of action to enforce personal information privacy violations. These class actions have been brought against Alphabet, Walmart, Zoosk, U.S. Bancorp and Hotels.com, to name a few. But for many in the privacy field, the value of the private right of action as an enforcement tool is debatable, including Al Saikali, a partner in the Shook, Hardy & Bacon law firm who also testified before the Florida legislature on the Florida Privacy Protection Act (FPPA). Upon the failure of the Florida House and Senate to pass the FPPA in April, Saikali questioned the benefit of the private right of action, as it was drafted into the legislation, as an invitation for “frivolous lawsuits” and a possible detriment to the growth of state and federal privacy laws. Others, such as Caitriona Fitzgerald, who is the Deputy Director of the Electronic Privacy Information Center, view consumer privacy laws without a private right of action as “problematic” because companies can run the risk that underfunded Attorneys General’s offices will not have the resources to enforce these types of laws.
The International Association of Privacy Professionals (IAPP) quotes Fitzgerald on Florida’s failure to enact a consumer privacy law because of the differing attitudes towards the private right of action, stating, “Industry just does a good job of selling the narrative that the private right of action would just be a win for plaintiff’s attorneys,” adding, “They just gloss over the fact that it would benefit consumers and that it has been proven in other states that it’s the only way privacy rights get enforced because if states just pass a bill and give the attorney general enforcement authority with no additional appropriation, they may as well not pass anything.”
See, “Florida Legislature’s privacy law efforts fall short,” Joseph Duball, IAPP Staff Contributor, May 3, 2021. According to Ashkan Soltani, a former chief technologist for the Federal Trade Commission, who also helped author the CCPA, states, like Virginia, that pass consumer privacy legislation without a private right of action are being led by Big Tech companies’ lobbyists pushing to prevent another California experience. Soltani states, “The effort to push through weaker bills is to demonstrate to businesses and to Congress that there are weaker options …. Nobody saw Virginia coming. That was very much an industry-led effort by Microsoft and Amazon.” See, “Big Tech Is Pushing States to Pass Privacy Laws, and Yes, You Should Be Suspicious,” Todd Feathers, The Markup, April 15, 2021. Connecticut lobbying records show Facebook, Microsoft, Apple, Amazon and Google spent a combined $700,000 lobbying Connecticut legislators against the consumer private right of action.
Modeled on the General Data Protection Regulation (GDPR), the laws U.S. states have enacted and proposed give consumers rights such as:
- Right of Access
- Right of Rectification
- Right of Deletion
- Right of Portability
- Right of Opt-Out
- Right Against Automated Decision Making
With these rights come the burdens on affected businesses to identify and classify personal information, understand how the personal information is processed, implement reasonable security practices and procedures, assess their data sharing practices, design procedures for verifying and responding to consumer requests to exercise rights, analyze contracts with third party contractors, and publish appropriate notices, such as “Privacy Policies” that accurately describe all of these factors. With the possibility of having to comply with potentially 50 different states’ laws, it is understandable that Big Tech and other technology-based companies are concerned by this patchwork system and prefer a single pre-emptive federal law approach.
Consumer Privacy End Game
Like it or not, consumer personal information is the centerpiece of modern commerce, and personal privacy is important and needs protection. Data breaches and data mismanagement are serious threats coming not only from cyber criminals, but also from legitimate companies who interact with such information every day, digitally or otherwise. Basic privacy concepts such as notice, choice, access, and accountability underpin consumers’ rights to control against privacy intrusions, such as identity theft, property loss and personalized advertising. Without comprehensive consumer data protection laws, self-regulatory codes or market forces alone will not be enough to encourage private businesses to develop good data hygiene and management practices. In Europe and elsewhere in the world, data privacy enforcement is largely handled by governmental data protection authorities (DPAs) tasked with:
- Implementing data protection laws.
- Enforcing data protection laws.
- Advising on matters related to data protection.
- Maintaining a data protection registry.
- Sanctioning data protection law breaches.
Currently, in the U.S., consumer data protection and accountability depend on random geography, and redress for unauthorized access or use often requires consumers to suffer harm, as in a data breach or other financial harm, to even have a right to sue, if such a private right of action is even provided under the applicable state’s law. The current patchwork of differing state consumer data protection laws, the broad burdens placed on businesses, the lack of coherent enforcement, and local governments’ waning resources all point, in this author’s opinion, to a smartly drafted comprehensive and preemptive federal consumer data privacy law coupled with a dedicated federal privacy enforcement agency as the best solution.