Navigating the Patchwork of Privacy: State Privacy Laws in the Absence of a Federal Framework
As technologies have changed and internet usage has exploded, the amount of personal and consumer data we provide and generate has increased significantly. Through online activities such as purchases, social media, surveys, and even simply clicking on links, companies collect data from consumers and use or sell it. This collection and use of consumer personal data has raised many privacy concerns over the years. Although a growing number of states have begun passing privacy regulations, the differing standards in each statute and the rapid introduction of new bills make it difficult for multistate businesses to stay in compliance with every privacy law and for consumers to know their rights. Given these risks, the federal government must act quickly and establish a federal framework for privacy law in the United States.
Although data privacy is a growing concern across the country, there is currently no comprehensive federal data privacy law. As a result, states have enacted their own privacy regulations to govern consumer data within their borders. In 2018, California kicked off this effort by enacting the California Consumer Privacy Act (“CCPA”), the first comprehensive consumer data privacy law in the United States. The CCPA provides consumers with certain rights over the personal data that businesses collect about them. California later amended the CCPA in 2020 to add further privacy protections. Since then, Colorado, Virginia, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Florida, Texas, and Oregon have all followed California with comprehensive state consumer data privacy laws. Overall, thirty-three states have passed or introduced privacy bills regulating both the collection and the use of personal data. However, because the internet has no borders, this state-by-state patchwork carries many risks.
Because the patchwork of state data privacy laws differs in its requirements, multistate businesses face substantial compliance costs. While most of the bills passed or proposed in the past year share many similarities with the existing privacy laws in states like California, Colorado, and Virginia, each bill contains unique standards for companies and creates carve-outs from existing standards. California’s privacy law generally grants consumers the rights of access, correction, deletion, and portability; the right to opt out of sales and of the processing of sensitive data; the right not to be subject to automated decision making; and a limited private right of action. The law also obligates businesses to obtain opt-in consent before collecting the personal data of children under 16, to give notice and provide transparency, to prepare risk assessments, to refrain from discriminating against consumers who exercise their rights, and to inform individuals of the purpose for which their personal data is processed. For example, while Montana’s data privacy law appears very similar to California’s model, Montana actually goes beyond California’s standards and creates an additional right for consumers: the ability to revoke their consent to data processing. However, Montana does not include the limited private right of action that California’s law provides. States like Tennessee have additional provisions, such as a carve-out that creates a compliance safe harbor for companies whose privacy programs conform to the National Institute of Standards and Technology (NIST) privacy framework. In other states, like Utah, the consumer privacy acts provide only baseline protections: the rights to access, delete, opt out of targeted advertising, obtain portability, and opt out of sales.
Additionally, Utah imposes fewer obligations on businesses, requiring only that they obtain opt-in consent for children under 13, give notice and transparency, and refrain from discriminating against consumers based on how they exercise their rights. The rights and business obligations provided by the Utah statute, and by proposed legislation in other states, are clearly narrower than those of states like California.
While the privacy laws already enacted are helpful in establishing baseline standards for other states to look to, the variation in practice that results from differing regulations and standards across states imposes huge compliance costs on businesses and creates confusion for consumers. These costs arise because out-of-state businesses are subject to multiple, and often duplicative, state laws. The burden on small businesses is especially substantial. Given these high costs and the likelihood that more states will pass privacy laws, businesses must decide whether to make changes now or wait for other states to act. Decisions of this kind, made against a medley of new privacy regulations, create a high risk that many businesses will fail to comply with state requirements.
The state laws are not the only source of fragmentation. Federal regulations that apply only to particular sectors, such as the Gramm-Leach-Bliley Act (“GLBA”) in the financial sector, the Health Insurance Portability and Accountability Act (“HIPAA”) in the medical sector, and the Children’s Online Privacy Protection Act (“COPPA”) for children, likewise provide no unifying federal protection for personal data privacy. Although only certain sectors have regulations protecting consumer data privacy rights, awareness of those rights has grown across all sectors as new technologies, including AI, spread through every industry, making sector-by-sector federal regulation insufficiently comprehensive.
The risks and high costs of the current patchwork approach to data privacy law highlight how imperative it is for Congress to act quickly and pass a federal privacy framework that streamlines regulations, clarifies how businesses should comply, and provides consumers with basic data privacy rights. The United States is one of just a few developed countries without a comprehensive federal privacy law. On June 3, 2022, Congress released a bipartisan and bicameral proposal called the American Data Privacy and Protection Act (“ADPPA”). The ADPPA was designed to provide “foundational data privacy rights” for consumers as well as to “create strong oversight mechanisms and establish meaningful enforcement” against organizations and businesses. The act would apply broadly to all businesses operating in the United States. Although the ADPPA would provide federal standards and safeguards for personal data, it appears to impose weaker requirements than California’s data privacy law, prompting resistance from California lawmakers because, if enacted, the ADPPA would preempt California’s law. Even so, the uniformity offered by a federal data privacy law holds the potential for greater benefits for both businesses and consumers. On July 20, 2022, the House Energy and Commerce Committee approved the ADPPA by a wide margin of 53-2. While this proposal is the closest Congress has come to passing a comprehensive federal privacy law, it died without even a House floor vote. Since 2022, the political landscape in Congress has changed, with the House now under Republican control, and it is unclear where support for the ADPPA lies. With the patchwork of state privacy regulation still growing, federal preemption remains a point of dispute in discussions of the ADPPA.
Because of this uncertainty, many states are continuing to advance their own data privacy laws, further complicating the data privacy landscape for consumers and businesses in the United States.
On October 30, 2023, President Biden issued an executive order on AI and called on Congress to pass bipartisan data privacy legislation to better protect the privacy of Americans. This recent federal recognition of the current and growing risk to Americans’ personal data indicates that the issue remains at the forefront of federal discussion despite Congress not voting on the ADPPA in 2022. Given Congress’s snail’s-pace movement toward a comprehensive federal data privacy framework, and the uncharacteristic swiftness of the states in filing and enacting data privacy bills, the compliance problems created by patchwork state laws are likely to continue plaguing businesses and consumers until the ADPPA or another federal privacy law is enacted.
Victoria Jin anticipates graduating from Boston University School of Law with a juris doctor in May 2024.