State privacy legislation is likely to get a boost from the public’s heightened interest in privacy due to the pandemic, but higher-priority bills and debates over enforcement schemes could slow progress as they did in 2020.
Virginia, Washington, and New York emerge as top contenders for comprehensive privacy bills to be passed this session and could produce a snowball effect for others to follow this year or next, attorneys say.
The Consumer Data Protection Act in Virginia cleared both chambers earlier this month and is expected to pass in the coming weeks.
It’s more business-friendly than the California Consumer Privacy Act and successive California Privacy Rights Act, which passed in November.
The Virginia bill has exemptions for certain health data and financial institutions subject to Title V of the Gramm-Leach-Bliley Act, said David Stauss, a privacy and data security partner at Husch Blackwell LLP in Denver.
“I don’t see how Virginia doesn’t increase momentum,” Stauss said. “Some states may look to it as a model.”
Skirmishes in other statehouses have largely centered on whether individuals should be able to sue for privacy law violations or whether enforcement should be left to a state attorney general.
The Virginia bill doesn’t have a private right of action, whereas the CCPA, which passed in 2018, has a narrow right to sue for some data breach incidents.
A private right of action or lack thereof remains a sticking point among legislators in most other states, including Washington, where a lack of a private right of action has hindered progress the past two years.
“If New York and Washington can reconcile the competing interests involved in passing privacy legislation, then that might point to a way forward for other state legislatures,” said Reece Hirsch, co-head of the privacy and cybersecurity practice at Morgan, Lewis & Bockius LLP in San Francisco.
The pandemic has spurred the public’s interest in privacy, and that could translate into more momentum at the state and federal levels, said Caitlin Fennessy, research director at the International Association of Privacy Professionals.
“COVID-19 made privacy a mainstream issue, even if it did disrupt statehouses,” Fennessy said. “Remote working, education, contact tracing—they’ve all put privacy at the forefront.”
But while interest in privacy has increased over the last few years, higher legislative priorities tied to the public health crisis and unemployment could slow progress on privacy bills at the federal level, said Jeff Dennis, head of the privacy and data security practice at Newmeyer & Dillion in Newport Beach, Calif.
Still, federal traction could mount if a handful of states start to pass legislation, Hirsch said. Congress so far this year has floated bills related to contact tracing, but not comprehensive privacy bills as were proposed and stalled out last year.
A preemptive national law is desired by many businesses, because though it would impose additional compliance requirements, it would be uniform across the board and save them the headache of applying different standards and procedures to personal data they process.
“Industry does not want a patchwork here,” Fennessy said. “They already have that on the international level,” with Europe’s General Data Protection Regulation and Brazil’s LGPD, for example.
Dozens of states floated bills in 2019 and 2020 following the passage of the CCPA. Most died in committee or were overshadowed by legislation aimed at dealing with the coronavirus crisis.
“Nothing passed for all that fanfare,” Stauss said. “Now we’re in 2021, the Washington Privacy Act is back, and New York is flashing—the governor [Andrew Cuomo] wants to push something.”
In Oklahoma, House Bill 1602 has broad bipartisan support. It’s conceptually similar to the CCPA, but it has a broader private right of action for consumers to sue over violations and an opt-in model. It passed committee Feb. 10.
It would be enforced by the Oklahoma Corporation Commission—a body that regulates oil and gas and public utilities, among other industries—which would also set rulemaking, said Zach Oubre, an attorney at McAfee & Taft in Oklahoma City. The CCPA, by contrast, is enforceable by the state attorney general.
“Data privacy is being viewed as a public issue, not a partisan issue,” said Sasha Beling, also an attorney at McAfee & Taft in Oklahoma City. “They’re finding common ground to protect Oklahomans’ privacy interests.”
Another state to watch, Texas, established an advisory council in 2019 to study data privacy issues, Dennis said.
The Lone Star State released an interim report in September 2020 that recommended legislation “be written broadly enough to allow the adoption of new technology and business standards.”
The council concluded that Texans have the right to know how their personal data is used and urged the state Legislature to “consider ways to strengthen that right.”
Still, despite growing hopes in Virginia, Washington, and other states, some legislative efforts have failed so far this session. North Dakota’s House Bill 1330 was voted down in committee last week.
The bill, not comprehensive in nature like other proposals, would have prohibited the sale of personal data without opt-in consent.
Regardless of how many privacy bills pass this year, each successive effort lays the groundwork for future attempts and represents a chance to refine or adjust existing proposals, Stauss said. Privacy legislation is “incredibly complex” and “very difficult to get right,” but repeat efforts are likely the key to result in a successful version, he said.
“If this is a football game, we’re still in the first quarter,” Stauss said. “There’s a lot more to go here.”