With a dizzying array of state privacy laws on the horizon, the prospect of a federal solution has come into sharp focus. Rather than a patchwork of regional legislation, a comprehensive national framework would govern the precautions that companies must take when electronically collecting, using and storing customers’ personal information, regardless of where in the country the company—or the consumer—is located. That is the current situation in the European Union under the General Data Protection Regulation (GDPR), which has applied across all member states since May 2018 (and, in less harmonized form, under the 1995 Data Protection Directive before that). It might one day be the case in the United States as well, if advocates of omnibus federal data privacy legislation have their way.
Over the past two years, an increasing number of states have seriously debated—and in some cases enacted—comprehensive data privacy laws. The best-known is the California Consumer Privacy Act, or CCPA, which we have written about extensively in this blog. The CCPA is a consumer-friendly framework that includes an expansive definition of personal information, provides a private right of action with statutory damages for consumers impacted by data breaches, and gives consumers the right to opt-out of the sale of their personal information. The CCPA, as expected, has precipitated a flood of litigation since the law took effect on January 1, 2020, and we have covered some of those cases here.
Last month, Virginia became the first state since California to pass a comprehensive data privacy law when it enacted the Consumer Data Protection Act, or CDPA. The CDPA contains a broad definition of “personal data,” similar to the CCPA’s definition of personal information, and gives consumers a limited opt-out (covering targeted advertising, the sale of personal data, and certain profiling), but it lacks both a standalone gross revenue trigger (meaning it will likely apply to fewer companies than the CCPA) and a private right of action; enforcement rests solely with the Virginia Attorney General.
New York passed the SHIELD Act in 2019, which mandates disclosure of any security breach in which the personal information of New Yorkers is compromised and authorizes the Attorney General to bring enforcement actions against companies that fail to report a breach or to take reasonable security measures. New York Governor Andrew Cuomo also recently proposed a data privacy law, the New York Data Accountability and Transparency Act, or NYDAT. Under the NYDAT, covered businesses would be required to inform consumers about the categories of personal information that they collect, provide an opportunity to opt-out, and implement certain safeguards. Like the recently-enacted Virginia law, NYDAT does not contain a private right of action, although New York legislators are also debating a Biometric Privacy Act (the NY BIPA) which would provide a private right to sue for negligent or reckless mishandling of biometric data.
A number of other states are currently considering their own data privacy laws—often modeled after the CCPA, but with important distinctions. In particular, Florida, Washington, Texas, and Massachusetts all have CCPA-style data privacy legislation in the pipeline. Apart from creating an alphabet soup of legislative acronyms, these developments mean that companies operating across the country will likely soon be subject to a patchwork of state data privacy laws that impose different notice, consent, and storage obligations. The laws will define “covered entities” in different ways, leading to uncertainty about which laws a company is actually subject to. Consumers will have to choose from a bewildering menu of remedies for suspected violations, and, when multiple state laws apply, may flock to court in states that provide a private right of action. Further, state governments will be forced to tackle the question of reciprocity: whether compliance with one state’s data privacy regime is deemed to constitute compliance with that of another state. (This is already a major issue internationally: the Court of Justice of the European Union has twice struck down frameworks intended to legitimize transfers of Europeans’ personal data to U.S. companies, invalidating Safe Harbor in 2015 and Privacy Shield in 2020, on the ground that U.S. law fails to guarantee protections “essentially equivalent” to what European law requires.)
In sum, the expected passage of additional state data privacy laws will create added complexity and compliance burdens for businesses, and consumer confusion. These problems may be even more dire for businesses employing technology that uses biometric data (such as fingerprints), as these companies will also have to comply with a separate set of biometric privacy laws that have already begun to pop up around the country. If the process is left solely to the states, compliance obligations may gradually ratchet up as legislators—heeding public concern about cyberattacks and data breaches—take a harder line against corporations and try to show that their state is willing to go to greater lengths to protect consumer data than neighboring states. Companies may be obligated to undertake costly efforts to re-evaluate compliance and potentially enact new policies each time a new state privacy law is passed.
One possible solution lies in the form of omnibus federal data privacy legislation. A federal data privacy law has been discussed for some time, but the impending onslaught of state legislation—and recurrent reciprocity issues faced by U.S. companies operating in foreign countries—make the matter more pressing now than ever. Some commentators predict that federal data privacy legislation has a good chance of passing in 2021, due in part to Democratic majorities in Congress.
But a federal privacy law faces its own set of contentious issues, including (1) whether the law should include a private right of action, and (2) whether the federal regime should preempt state privacy laws. Generally speaking, Democrats support including a private right of action in the federal law and oppose preemption (which would make federal law the exclusive remedy for consumers whose information is mishandled). Under the Democrats’ preferred federal framework, consumers could choose whether to sue under federal law or state laws, and states would remain free to enact more protective privacy legislation. Many Republicans, on the other hand, oppose a federal private right of action and support preemption—if this comes to pass, consumers could sue only under the federal law and state-specific privacy laws would lose their force. These differences reveal a fundamental disagreement over who is really the victim when consumer information is leaked or mishandled, who is at fault, and what the consequences should be. While Democrats seek to empower consumers with significant remedial powers and sanction companies that fail to safeguard data, Republicans tend to focus on nefarious actors—not corporations—and are content to rely on government enforcement of a uniform standard that will lower the compliance burden for businesses.
Another lurking issue in any federal privacy legislation is whether it would supersede or conflict with existing federal laws that regulate the collection and use of personal information in specific industries or for specific groups—including, for example, HIPAA, COPPA, and Title V of Gramm-Leach-Bliley.
In the 1990s, countries within the European Union wrestled with some of these same issues. The precursor to the GDPR, the 1995 Data Protection Directive (Directive 95/46/EC), was driven by concerns that differing laws among the member states (some of which lacked any comprehensive data protection law) might inhibit the free flow of electronic information within the EU. The ultimate willingness of EU countries to recognize the benefits of a coordinated, transnational approach to data privacy (albeit one that still provides some flexibility to member states) possibly foretells future federal data privacy legislation in the U.S. However, opponents will be quick to point out that the GDPR has been criticized as costly to businesses and potentially to consumers, as a threat to innovation, and as an instrument for increasing government control at the expense of individual rights.
Privacy is a major focus of legislators at every level. We expect to see a flurry of activity at the state level over the next few years, and an omnibus federal privacy law seems more likely than ever. It remains to be seen what precise shape those laws will take. In the meantime, we will continue to monitor and report on the fast-developing state data privacy landscape.