State data privacy laws, which are far from uniform, are on the rise. To address that, as well as the public’s increasing concern with protecting their private information, it is expected that there will be a serious effort in Congress this year to enact federal data privacy legislation. Here is what you need to know to ensure your business is ready for potential federal regulation.
Applicable State Laws
As is widely known, some states have recently enacted data privacy legislation to protect consumers. For example, in early 2020, California’s new privacy law, the California Consumer Privacy Act (CCPA), took effect, giving consumers more discretion over how companies share and use their personal information. (For years, California already had in place its Database Security Breach Notification Act.) More recently, California enacted the California Privacy Rights and Enforcement Act (CPRA), which amends and strengthens the CCPA. Other states, such as Maine, Nevada, New York, Oregon, and Washington, have enacted their own data privacy legislation.
Here is a brief summary of those laws so you can see some of the growing trends in the various states.
- Maine’s Act to Protect the Privacy of Online Customer Information generally bars Internet service providers from utilizing or sharing personal information of customers without their consent.
- Nevada’s Act Relating to Internet Privacy requires operators of websites to allow customers not to consent to the sale of their personal information.
- New York’s Stop Hacks and Improve Electronic Data Security Act mandates that certain entities create and maintain reasonable data security for the private information of state residents.
- Oregon’s data privacy legislation requires businesses to notify customers and the Attorney General if there is a breach of security relating to personal information.
- Washington’s Act regulates the use of facial recognition services, but it should be noted that Washington is very close to enacting more comprehensive privacy legislation.
- Virginia is very close to passing a privacy bill modeled after Washington State’s.
Nevertheless, California’s data privacy laws will continue for the foreseeable future to be by far the most stringent and comprehensive.
The Lack of Federal Legislation
On the federal level, despite various competing bills, Congress has failed to enact data privacy legislation. However, such legislation is much more likely to pass in 2021 for various reasons. First, more and more states will begin to enact their own unique data privacy framework to address the privacy concerns of their residents. That will likely cause confusion when states’ interests overlap and dramatically increase compliance costs for businesses. Uniform federal data privacy legislation will also help U.S. businesses to better compete in the global market given other countries’ privacy laws, such as the European Union’s General Data Protection Regulation (GDPR). As such, pressure on Congress to pass uniform federal data privacy legislation will continue to build.
Moreover, the White House and Congress are now controlled by Democrats, who have historically been more amenable to passing data privacy laws. However, the Democrats’ control is so tenuous that any data privacy legislation will likely need bipartisan support. Luckily, the Democrats and Republicans have narrowed their differences regarding competing bills, although the parties are still at odds regarding various issues, including whether the legislation should preempt more restrictive state laws or create a private right of action as opposed to only being enforced by a federal agency.
Anticipated Federal Legislation
If Congress does enact data privacy legislation, what will it look like? As the business community has already learned to comply with the CCPA and the GDPR, the eventual federal framework will likely be similar. However, it is unlikely that the federal legislation will be more restrictive than those laws. Looking into my crystal ball, my prediction is that in order for data privacy legislation to survive a filibuster it will not preempt more restrictive state laws, including existing private rights of action, to appease the Democrats. In addition, the legislation will not include a federal private right of action to appease the Republicans. Only time will tell.
Nevertheless, the good news is that businesses already complying with the CCPA or the GDPR will likely not face a learning curve when federal legislation is eventually enacted. If your business is subject to the CCPA or the GDPR and not already in compliance, you should contact a legal specialist so that you can get in compliance as soon as possible. That will not only protect your business from potential existing liability but also prepare you for federal legislation that is sure to come.