Consumer privacy proposals pending in state legislatures are likely to get a boost from the passage of Virginia’s Consumer Data Protection Act earlier this month.
Comprehensive bills in Oklahoma and Washington each passed one chamber, and proposals in Illinois, Minnesota, and Massachusetts were introduced last month. If other states pass legislation, companies could find themselves with an even more deeply entrenched privacy patchwork, spelling trouble for compliance programs and upping regulatory risk.
The growing number of states seriously considering privacy legislation is likely to push the federal government to take action, attorneys say.
“My hope is there is some sort of federal law that comes into play that preempts all these similar state laws so we can have one standard,’” said Alessandra Swanson, a Chicago-based co-leader of Winston & Strawn LLP’s privacy and data security practice.
The first federal proposal of the year, the Information Transparency and Personal Data Control Act, was introduced by Rep. Suzan DelBene (D-Wash.) on March 10.
It would allow consumers to access and correct their data and would require businesses to set reasonable limits on the information they collect and retain.
“If we don’t have a clear domestic policy, then what is our position when we’re at the international table?” DelBene said.
In Illinois, HB3910 would give consumers the right to access and delete personal information collected by businesses. It was introduced Feb. 22 and assigned to the Illinois House’s Judiciary-Civil Committee on March 16.
Unlike the Golden State’s recently passed California Privacy Rights Act, the Illinois bill would not create its own privacy regulator. It would, however, establish a privacy fund to help offset the costs of attorney general enforcement, said Sheryl Falk, a Houston-based co-leader of Winston & Strawn LLP’s privacy and data security practice.
Illinois already has the Biometric Information Privacy Act, a 2008 law that gives individuals the right to sue if their fingerprints, eye scans, or other identifiers are collected without consent.
“The strong foundation with BIPA in Illinois means it could be easier for lawmakers to pass consumer privacy legislation there,” Falk said.
While the Illinois law looks fairly similar to the CCPA, a recent proposal in Massachusetts takes a different approach.
HD2664 would likely apply more broadly than the recently passed Virginia law, said Sherry-Maria Safchuk, an attorney at Buckley LLP in Los Angeles. Unlike the Virginia law, the Massachusetts bill doesn’t have express exemptions for entities subject to the Fair Credit Reporting Act or the Gramm-Leach-Bliley Act, she said.
“There are numerous obligations that financial institutions will have to navigate at the state level,” Safchuk said.
The Massachusetts bill, introduced Feb. 18, also tacks on provisions related to workplace monitoring and surveillance, which is a departure from most consumer privacy legislation, said Danielle Urban, a partner in the Denver office of Fisher Phillips LLP.
It prohibits employers and vendors from electronically monitoring employees unless it’s for certain purposes, including monitoring production processes or protecting the safety and security of employees. It also generally bars the monitoring of off-duty employees and the use of facial recognition tools for reasons other than identifying an employee for security purposes.
Minnesota’s leading contender for comprehensive privacy legislation, meanwhile, is inspired by the Washington Privacy Act, said Nadeem Schwen, an attorney at Winthrop & Weinstine P.A. in Minneapolis. It would give consumers the right to correct, delete, access, and opt out of the processing of their personal data, he said.
The Minnesota bill, HF1492 introduced Feb. 22, provides for an appeal process by which consumers can contest actions or inactions taken by a controller, an entity that decides how personal data will be processed, said Jamie Nafziger, a Minneapolis-based chair of Dorsey & Whitney LLP’s cybersecurity, privacy, and social media practice group.
“The Minnesota bill requires data protection assessments like the Europe’s GDPR does,” Nafziger said. “Companies may have to revise or redo agreements with their vendors.”
Despite an uptick in introduced legislation, proposals in several red states—Utah, Mississippi, and North Dakota—have failed so far this year.
The North Dakota bill, which wasn’t comprehensive but would’ve required some businesses to obtain opt-in consent before selling personal data, was struck down in committee. The Utah bill failed to advance before the state’s legislative session ended, and the Mississippi proposal also died in committee.
Still, momentum is building elsewhere, attorneys say. Florida’s HB 969 passed out of the regulatory reform subcommittee earlier this month, and bills in Washington and Oklahoma have each cleared one chamber.
The recent approval of Virginia’s law on March 2 may spur other states that have introduced legislation to modify their bills or pass their own proposals more quickly, attorneys say.
“The passage of the Virginia law is going to empower other states to pass their own,” Swanson said. “It could also spur industry to persuade the federal government to take action on a law.”
A federal standard would aid companies and help avoid the “nightmare” of piecemeal data privacy compliance plans, Falk said.
Businesses already have to deal with a slew of regulations outside of privacy and data security, so a set standard would help businesses—and consumers—by making it simpler to respond to requests and grant consumers access to their rights, Urban said.
In the interim, however, companies need to take a hard look at existing privacy regulations such as the California Consumer Privacy Act and prepare for the new Virginia law and California Privacy Rights Act, she said.
“Compliance doesn’t happen overnight,” Urban said. “It’s a good idea when you’re designing your privacy policies and structures to look at what’s up and coming.”