States across the country will keep moving on privacy regulation next year as Congress struggles to come up with a broad federal law, lobbyists and privacy attorneys say.
California’s new privacy law takes effect Jan. 1. New York legislators are debating whether to force companies to disclose how customer data is sold, Washington state lawmakers want to limit facial recognition, and Colorado’s attorney general wants more enforcement powers.
Even though companies don’t have to worry about a comprehensive federal privacy law soon, they may have to deal with several new state laws, privacy attorneys said. States will use momentum from California’s privacy law to push efforts to craft new bills to hold tech companies accountable for data use failures, they said.
“You have the potential for a cascading effect,” said Lori Kalani, co-chair of Cozen O’Connor’s state attorneys general practice in Washington. States that haven’t acted will “pick up these bills, or pieces of the legislation, and it becomes much easier” to enact laws, she said.
State privacy actions create compliance costs for companies that struggle to meet differing requirements.
An app developer in a state such as Florida could face more than two dozen different state definitions of what constitutes personal information, Morgan Reed, executive director of ACT | The App Association, said. He based his estimate on the number of state privacy laws that now exist and the number of bills under consideration in state legislatures.
Small companies “can’t hire an army of lawyers,” Reed said.
Among state lawmakers and regulators, “there is a really strong, growing sense that companies can’t be trusted with personal information,” Lee Tien, a staff attorney at the Electronic Frontier Foundation, said.
The California Consumer Privacy Act will allow consumers to demand that tech companies stop selling their information. In New York, lawmakers held a hearing Nov. 22 on a bill that would give citizens the right to sue companies for privacy violations.
California’s law is likely to be the standard across the U.S., Kalani said. Companies that adhere to it now “will be in a better position to comply with any law that comes across their desk,” she said.
Mark McCreary, chief privacy officer at Fox Rothschild LLP in Philadelphia, said businesses that don’t have to comply with California-type laws should “act like you are.” That will prepare them for future actions, he said, because state privacy laws “will come sooner or later.”
Washington state lawmakers are set to introduce a bill in 2020 to create new consumer privacy rights and put restrictions on facial recognition technology. Colorado Attorney General Phil Weiser (D) is seeking legislative authority to hold companies accountable for privacy violations. New Jersey, Minnesota, and Oregon are likely to consider new privacy legislation to increase protections for their citizens
The growing tide in the states makes company compliance difficult, Jennifer Huddleston, a research fellow at George Mason University’s Mercatus Center, said. “We are already in a situation where a patchwork is emerging.”
U.S. lawmakers are ramping up efforts. A draft privacy bill by Rep. Jan Schakowsky (D-Ill.), who chairs House Energy and Commerce Committee’s consumer protection panel, calls for limits on sharing consumers’ information and would allow users to correct their personal data. Rep. Cathy McMorris Rodgers (R-Wash.) is working closely with Schakowsky on the measure.
Senate Commerce, Science and Transportation Committee Chairman Roger Wicker (R-Miss.) and ranking member Maria Cantwell (D-Wash.) released separate privacy measures in November. The senators are far apart on a private right of action and state privacy law preemption, two Senate aides said on the condition of anonymity. Sens. Jerry Moran (R-Kan.) and Richard Blumenthal (D-Conn.) say they plan to introduce a separate privacy bill.
Reps. Anna Eshoo (D-Calif.) and Zoe Lofgren (D-Calif.) introduced a privacy bill that would create a new data privacy regulator, while a measure from Rep. Suzan DelBene (D-Wash.) would require citizens to opt-out of corporate data use.
U.S. lawmakers could reach an agreement over a privacy right to sue or state law preemption, some lobbyists said. But given the uncertainty of federal law, companies should plan to comply with California-like standards, privacy attorneys said.