A new year means new state privacy bills introduced in states across the country. With two additional states joining California last year with the passage of the Virginia Consumer Data Protection Act and the Colorado Privacy Act, it is likely that more states will join the fray this year in creating a patchwork of comprehensive privacy laws in the United States.
While some states will have these bills under consideration well into the fall, the vast majority of state legislatures will adjourn by early June and thirteen will adjourn before the start of April.
During this early year sprint, there are five general trends that observers will want to keep an eye on in state legislatures.
The big enforcement debate remains whether to include a private right of action or to vest government actors with enforcement authority. Although the Universal Law Commission’s Personal Data Protection Act provides for a private right of action if the state’s existing consumer protection law provides for consumer redress through the courts, this approach has not been followed in the three privacy statutes passed to date. State privacy laws in California, Colorado and Virginia all lack a comprehensive private right of action for violations of the statute, and the California law only provides one in limited circumstances related to data breaches.
The private right of action can often stall legislative proposals. For example, disagreements over the exclusion of a private right of action have torpedoed the Washington Privacy Act for three years in a row and stalled Florida’s privacy bills at the close of last year’s session. Meanwhile in places such as New York, every bill under consideration has some form of private right of action, but none have come close to passing thus far.
A Kentucky State Senate bill has taken a third approach to enforcement. In addition to Attorney General enforcement, this bill allows for consumers to bring an action for injunctive relief related to certain violations of the law and consumer rights. In addition to injunctive relief, plaintiffs could seek reasonable attorneys’ fees and costs. It remains to be seen how popular this third approach becomes amid debates over private rights of action in state privacy bills.
CCPA or GDPR/VA Model
Europe’s GDPR set the stage for comprehensive privacy legislation and a few years later California brought its own approach to the concept and introduced new terms, definitions, and processes. Over the past two years, state legislatures have varied in their approach to new privacy legislation with some modeling their bills on the CCPA and others modeling their bills on the GDPR. Colorado and Virginia elected to more closely follow the GDPR’s approach, though they also adopted elements of the CCPA such as the jurisdictional requirement that a certain number of users’ data be processed by a business to fall under the law and opt-out rights for key activities such as the “sale” of covered data, profiling, and targeted advertising. States during this legislative session have also pursued both frameworks at the same time. In Florida, the House bill adopts GDPR/Virginia language while the Senate bill adopts CCPA language. In the coming legislative session, the trend seems to be that states will follow the GDPR or CCPA approaches, though it will be important to monitor for novel proposals.
To date, most state privacy legislation includes exemptions for data or entities that are regulated by federal privacy laws. These exemptions cover a range of topics, but tend to center around the Gramm-Leach-Bliley Act (“GLBA”), Health Insurance Portability and Accountability Act, and Fair Credit Reporting Act. Although some bills, such as the Massachusetts Information Privacy Act, omit nearly all of the exemptions, bills that omit the exemptions will likely engender significant opposition and challenges from businesses and industries that must already comply with their respective federal privacy laws and regulations.
Rather than omitting all exemptions, the exemption debate in most legislatures during the coming months is likely to focus on the scope of the exemptions: data only, entity, or entity and affiliates. Elements of this are reflected in the Florida Privacy Protection Act. During last year’s session, the Senate version had only a data-level GLBA exemption. But when reintroduced this year, the exemption was expanded to include an exemption for a “financial institution to the extent regulated by” the GLBA.
Employment and Business-to-Business Data
Two other notable exemptions are the employment and business-to-business (“B2B”) data exemptions. These exemptions exclude from the scope of the law data collected in commercial and employment contexts. The CCPA included these exemptions through the amendment process, but both provisions are set to expire in California at the end of this year, and it remains uncertain at this stage whether they will be extended.
Proposed state privacy legislation this session reflects a mixed bag. Some bills, such as the Ohio Personal Privacy Act, have both the employee and B2B exemptions. Meanwhile, Illinois’ Consumer Privacy Act would contain neither exemption. And other states have considered including one exemption but not the other, as the Oklahoma Computer Data Privacy Act of 2022 does. Which structure prevails may depend on the relative strength of organized labor in a given state, but it is worth noting that the only non-CCPA privacy bills to become law (Colorado and Virginia) have permanent employment and B2B exemptions written into their laws.
Even though these state privacy regimes are often termed “comprehensive,” the legislative drafting generally leaves gaps and questions for businesses seeking to comply with the law. Accordingly, California and Colorado established rulemaking mechanisms in their privacy laws. Notably, Virginia did not establish a rulemaking process, and despite recommendations to do so from the Virginia Consumer Data Protection Act Work Group, no amendment has been proposed during the current legislative session to add rulemaking.
Proposed legislation similarly varies in its approach to rulemaking and states may wait to see how the process (or lack of process) plays out in California, Colorado, and Virginia before fully committing to one path or another.