As a Federal Privacy Law Stalls, States Propose a Flurry of Bills

Our personal privacy is at greater risk than ever before. Consumers are plagued by coronavirus-themed cyberattacks, there’s a spike in healthcare-related data breaches, and an unprotected Elasticsearch server exposing five billion records is the cherry on top. While few would debate the need for a federal data privacy law in our threat-filled world, it’s just not happening.

Key issues such as the “private right of action” and whether federal law should pre-empt states’ laws divide Congress. While the debate in Washington, D.C. continues, state legislators have been exceptionally busy. According to the National Conference of State Legislators, 25 states and Puerto Rico introduced more than 150 data privacy bills in 2019! This jump in legislative activity reflects Americans’ growing concerns about their personal privacy even before hackers began launching pandemic-related digital attacks.

The State of State Privacy Laws

While the California Consumer Privacy Act (CCPA) wasn’t the first state privacy law, its GDPR-like provisions have inspired how other states architect their own bills. The following three states are a sampling of what’s happening coast to coast, and how they compare to the CCPA.

Maine — Enacted

Maine is one of only three states that have enacted consumer privacy legislation. In June 2019, Democratic Governor Janet Mills signed the Act To Protect the Privacy of Online Customer Information into law, which goes into effect on July 1, 2020.

Maine’s law only applies to Internet service providers (ISPs), preventing them from denying service to customers who don’t consent to share their personal information. Some consider it even stronger than the CCPA because it requires “explicit consent” from customers to sell their data. In California, customers must choose to request their data not be sold. As the Pittsburgh Post-Gazette notes, “The Maine law makes privacy the default rather than a hard-to-find option.”

New Jersey — Proposed

The Garden State is proposing a data privacy bill that would require companies collecting customer data to:

• Get permission before they can collect and sell customers’ personal data to third parties. This appears to be similar to Maine’s opt-in language that requires explicit consent. If so, it could mean the start of a trend toward state legislation even stricter than the CCPA.
• Inform consumers—in “clear plain language”—on how they will use the data.

In turn, customers could ask these companies to provide them with their own personal data being sold to third parties and ask to have their personal information deleted.

“We need strong restrictions to limit the unchecked mass-scavenging of our personal information and we in the states will be the ones leading these conversations,” Amol Sinha, executive director of the American Civil Liberties Union of New Jersey, told The Wall Street Journal.

Washington — Failed

For the second year in a row, Washington state legislators failed to pass data privacy legislation. Like the CCPA, the Washington Privacy Act would have given consumers the right to request that companies delete their data.

The primary stumbling-block appeared to be enforcement—sort of. One legislator said enforcement by the state attorney general was a “more effective model” than allowing consumers to directly sue companies. Another disagreed, saying, “Strong attorney general enforcement was never the issue; it was the role of consumers that proved impossible to reconcile.”

What’s Next

Critics oppose a “patchwork” of state privacy laws, saying it “creates really sticky regulatory problems for any businesses doing work across state lines,” and “the best solution is a comprehensive federal privacy law that empowers people to understand how personal information they share is collected, used and protected.”

We at IDX agree…a federal law would be preferable to varying state laws. But until the U.S. Congress can agree on what that law looks like, states have every right to enact legislation that protects the online privacy of its citizens.

Stay tuned to our blog for the latest of regulation, consumer privacy threats, and all things data privacy.