Virginia joined the party this month, passing its new legislation: Consumer Data Protection Act (CDPA). Is it just a matter of time before the other states join in, or will Federal law come in to eclipse everything? Let’s take a look at the privacy legislation developments in the US as they are right now.
First of all, let’s take a look at who’s not joining the party, at least for now.
While Samuel Warren and Louis Brandeis set out their vision of a right to privacy in an article for the Harvard Law Review back in 1890, the US is playing catch up this time. You could argue that too much has changed in the world since then and their seminal work — aptly titled The Right to Privacy — has much less application in the digital world.
Well, at least that’s probably what the tech giants are thinking and it looks like the lobbyists are getting their way: watering down consumer rights to privacy in several states or having them killed off entirely.
Maine's Act to Protect the Privacy of Online Customer Information was signed into law back in 2019 and came into effect in July 2020, but many would argue that it is weak privacy legislation at best. The legislation is applicable to internet service providers (ISPs) and stops them from “using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale, or access.”
While this legislation protects consumers in the state from ISPs selling their internet histories, it doesn’t encompass the businesses that consumers interact with online or in person.
Mississippi’s Senate Bill 2612 failed to impress lawmakers, with the bill failing in the state’s senate. If it would have passed, it would have granted consumers in the state the right to access and delete their data, and have given Mississippians the right to launch civil actions against violators.
Some would argue that Nevada was able to pass a consumer privacy law in the form of Senate Bill 220 back in 2019. Others would argue that the harsh reality is that this legislation is a very much watered down privacy law that doesn’t compel businesses with a clear way for consumers to opt out, nor does it provide consumers with rights of access, portability, or deletion of their data.
North Dakota was looking to push forward legislation which would obligate businesses to offer consumers the right to opt in to having their data processed. However, legislators voted against this bill, citing that consumer privacy is more difficult than an opt-in/opt-out process:
"While the bill is very simple in its approach, consumer privacy is not a simple concept and the bill raises a number of concerns for our members."
Internet Association Director of State Government Affairs, Northwest Region Rose Feliciano
Utah's Senate Bill 200 to create the Utah Consumer Privacy Act was set to provide consumers rights to access, correct, and delete their personal data, in addition to the chance to opt out of certain data processes. The bill failed to pass at the beginning of the month.
Now let’s take a brief look at the states that still have active legislation for consumer privacy and see what each is proposing for the consumers in their state.
Alabama’s consumer protection legislation as it stands would allow consumers to opt in or out of the sale of their personal data and obligate businesses to make certain disclosures about what they do with customer data.
Arizona’s lawmakers are more consumer-centric and are debating whether to boost consumers’ rights to access, correct, and delete their data. At present, the bill also includes a provision for consumers to object to the processing of their data.
Colorado is also debating whether to offer consumers access, rectification, and deletion rights, with the bonus of data portability.
Connecticut's consumer privacy bill aims to establish a framework for controlling and processing personal data. In addition to providing consumers with the chance to opt out of personal data processing for targeted advertising. The proposed legislation would give the state’s citizens the right to access, correct, delete, and obtain a copy of their personal data.
Illinois has a couple of bills in debate for privacy: the HB 2404 Right to Know Act would give Illinoisans the right to learn how their data is being used. HB 3910, on the other hand, is more comprehensive and based on California’s CCPA.
Maryland also is looking at how consumers should be informed about how companies use their data, looking at introducing notices at points of collection. Similarly to the CCPA, the lawmakers in this state are looking at implementing a right to access with provision of personal data within 45 days of the request.
Massachusetts’ lawmakers are also deliberating whether to introduce legislation that will give consumers the right to access their data, bestowing a “duty of care” on business owners who collect their customers' personal data to keep it safe from breach. Data portability also figures, along with the right for consumers to know who their data is being shared with.
Minnesota’s proposed consumer data protection act also aims to improve a wide range of consumer data rights. Similarly to the CCPA, if introduced the legislation would grant Minnesotans the right to verify, access, correct, delete, and opt-out of companies processing their personal data. The bill in its current state also sets a time limit of 45 days to deal with data subject requests.
New Jersey’s privacy legislation is centred around transparency of processing activities. It would require certain businesses to be clear on the data they collect and to notify data subjects about what they are doing with their customers’ data.
If passed as it stands right now, New York state’s privacy legislation would require businesses to have express and documented consent from consumers to use their personal data, in addition to transparency requirements like privacy policies. It also looks to establish private right of action against offending companies
In its current state, the proposed Oklahoma Computer Data Privacy Act, House Bill 1602, is similar to part of what New York lawmaker’s are proposing: a requirement for internet technology companies to obtain explicit permission if they want to collect and/or sell their customers’ personal data.
Rhode Island’s bill is centred around transparency and disclosure of what businesses do with consumer data. Should it pass, it would create the Rhode Island Transparency and Privacy Protection Act, which would obligate businesses to explain who they share data with or sell data to.
As it stands right now, South Carolina’s bill centers around protecting biometric data and giving consumers the right to request that businesses erase or stop selling their biometric data, in addition to opt out.
Texan lawmakers want to provide consumers with the right to know about what is happening with their personal data and give them the right to access, correction, and deletion of their data.
Vermont’s bill at present is super short and very high level, setting out the principles of the proposed legislation as to give Vermonters more control over the data that services collect on them and “adopt other protections provided in the California Consumer Privacy Act.”
Washington state lawmakers want to give consumers the right to know whether their data is being processed, in addition to access, correction, and deletion rights. In addition to this, the legislation as it is right now proposes to offer consumers with opt-out and data portability rights.
As we can see, the states are shifting in and around similar privacy issues but are so far adopting different stances. It is hard to tell if or when we will see a harmonization of the legislation at some point in the form of a federal law.
Sign up to our newsletter below to receive privacy insights right to your inbox.