A new year means new state privacy bills introduced in states across the country.  With two additional states joining California last year with the passage of the Virginia Consumer Data Protection Act and the Colorado Privacy Act, it is likely that more states will join the fray this year in creating a patchwork of comprehensive privacy laws in the United States.

While some states will have these bills under consideration well into the fall, the vast majority of state legislatures will adjourn by early June and thirteen will adjourn before the start of April.

During this early year sprint, there are five general trends that observers will want to keep an eye on in state legislatures.

Enforcement

The big enforcement debate remains whether to include a private right of action or to vest government actors with enforcement authority.  Although the Universal Law Commission’s Personal Data Protection Act provides for a private right of action if the state’s existing consumer protection law provides for consumer redress through the courts, this approach has not been followed in the three privacy statutes passed to date.  State privacy laws in California, Colorado and Virginia all lack a comprehensive private right of action for violations of the statute, and the California law only provides one in limited circumstances related to data breaches.

The private right of action can often stall legislative proposals.  For example, disagreements over the exclusion of a private right of action have torpedoed the Washington Privacy Act for three years in a row and stalled Florida’s privacy bills at the close of last year’s session.  Meanwhile in places such as New York, every bill under consideration has some form of private right of action, but none have come close to passing thus far.

Kentucky State Senate bill has taken a third approach to enforcement.  In addition to Attorney General enforcement, this bill allows for consumers to bring an action for injunctive relief related to certain violations of the law and consumer rights.  In addition to injunctive relief, plaintiffs could seek reasonable attorneys’ fees and costs.  It remains to be seen how popular this third approach becomes amid debates over private rights of action in state privacy bills.

CCPA or GDPR/VA Model

Europe’s GDPR set the stage for comprehensive privacy legislation and a few years later California brought its own approach to the concept and introduced new terms, definitions, and processes.  Over the past two years, state legislatures have varied in their approach to new privacy legislation with some modeling their bills on the CCPA and others modeling their bills on the GDPR.  Colorado and Virginia elected to more closely follow the GDPR’s approach, though they also adopted elements of the CCPA such as the jurisdictional requirement that a certain number of users’ data be processed by a business to fall under the law and opt-out rights for key activities such as the “sale” of covered data, profiling, and targeted advertising.  States during this legislative session have also pursued both frameworks at the same time.  In Florida, the House bill adopts GDPR/Virginia language while the Senate bill adopts CCPA language.  In the coming legislative session, the trend seems to be that states will follow the GDPR or CCPA approaches, though it will important to monitor for novel proposals.

Exemptions

To date, most state privacy legislation includes exemptions for data or entities that are regulated by federal privacy laws.  These exemptions cover a range of topics, but tend to center around the Gramm-Leach-Bliley Act (“GLBA”), Health Insurance Portability and Accountability Act, and Fair Credit Reporting Act.  Although some bills, such as the Massachusetts Information Privacy Act, omit nearly all of the exemptions, bills that omit the exemptions will likely engender significant opposition and challenges from businesses and industries that must already comply with their respective federal privacy laws and regulations.

Rather than omitting all exemptions, the exemption debate in most legislatures during the coming months is likely to focus on the scope of the exemptions: data only, entity, or entity and affiliates.  Elements of this are reflected in the Florida Privacy Protection Act.  During last year’s session, the Senate version had only a data-level GLBA exemption.  But when reintroduced this year, the exemption was expanded to include an exemption for a “financial institution to the extent regulated by” the GLBA.

Employment and Business-to-Business Data

Two other notable exemptions are the employment and business-to-business (“B2B”) data exemptions.  These exemptions exclude from the scope of the law data collected in commercial and employment contexts.  The CCPA included these exemptions through the amendment process, but both provisions are set to expire in California at the end of this year, and it remains uncertain at this stage whether they will be extended.

Proposed state privacy legislation this session reflects a mixed bag.  Some bills, such as the Ohio Personal Privacy Act, have both the employee and B2B exemption.  Meanwhile Illinois’ Consumer Privacy Act would contain neither exemption.  And other states have considered including one exemption but not the other, as the Oklahoma Computer Data Privacy Act of 2022 does.  Which structure prevails may depend on the relative strength of organized labor in a given state, but it is worth noting that the only non-CCPA privacy bills to become law (Colorado and Virginia) have permanent employment and B2B exemptions written into their laws.

Rulemaking

Even though these state privacy regimes are often termed “comprehensive,” the legislative drafting generally leaves gaps and questions for businesses seeking to comply with the law.  Accordingly, California and Colorado established rulemaking mechanisms in their privacy laws.  Notably, Virginia did not establish a rulemaking process, and despite recommendations to do so from the Virginia Consumer Data Protection Act Work Group, no amendment has been proposed during the current legislative session to add rulemaking.

Proposed legislation similarly varies in its approach to rulemaking and states may wait to see how the process (or lack of process) plays out in California, Colorado, and Virginia before fully committing to one path or another.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.