Interest in passing data privacy legislation has been growing in state legislatures across the United States (US) as of late. Since 2018…



Interest in passing data privacy legislation has been growing in state legislatures across the United States (US) as of late. Since 2018, 34 states have passed or introduced 72 privacy bills regulating the commercial collection and use of personal data.

Last week,​​ both Connecticut and Kentucky introduced bills, Florida and Utah voted bills out of committee, and the Wisconsin Assembly voted to adopt moving their bill to the Senate.

The recent rapid changes in data technology, and the headline-grabbing privacy scandals involving companies like Cambridge Analytica and Facebook have raised the profile of data privacy issues for both individuals and legislatures. Under the impression that the current US sectoral and self-regulated privacy legislation lacks holistic protections for consumers, many states have decided that they must give consumers the tools and transparency to control the usage of their personal data. Although a state by state solution is not ideal, it is better than none at all.

With three Comprehensive State Privacy Acts already passed in California, Virginia, and Colorado, and 20 additional bills introduced into states’ legislatures, it will become increasingly complicated and expensive to keep abreast of all the regulations.

The schedule for a potential 50 states legislation would be overwhelming for any business when you consider the timeline for just the three Acts already passed:

JULY 1, 2022 Deadline for adopting final California Privacy Rights Act (CPRA) regulations
JANUARY. 1, 2023 Majority of CPRA provisions become operative (CPRA Ballot Initiative Section 31(a))
JANUARY. 1, 2023 Virginia Consumer Data Protection Act becomes operative (Part 4). Data protection assessment requirements are not retroactive (Section 59.1–578(F)).
JULY 1, 2023 Colorado Privacy Act becomes operative (Section 7). Data protection assessment requirements are not retroactive (Section 6–1–1309(6)).
JULY 1, 2023 CPRA enforcement begins (California Consumer Privacy Act (CCPA) Section 1798.185(d)).
JULY 1, 2023 CPA deadline for the Attorney General to adopt rules detailing technical specifications for universal opt-out mechanisms (Section 6–1–1313(2)).
JULY 1, 2024 CPA requires a universal opt-out mechanism (Section 6–1–1306(1)(a)).
JANUARY. 1, 2025 Deadline for the Attorney General to adopt rules under the CPA (Section 6–1–1313(3)).
JANUARY. 1, 2025 CPA notice of cure provision expires (Section 6–1–1311(1)(d)).
JULY 1, 2025 Deadline for rules to become effective under the CPA (Section 6–1–1313(3)).

A growing patchwork of state laws will burden companies with confusing and duplicative compliance costs in the absence of a federal privacy law. The Information Technology and Innovation Foundation (ITIF) estimates that the out-of-state costs from 50 such laws could exceed $1 trillion over 10 years, with at least $200 billion hitting small businesses. A kick in the teeth at a time when many businesses are still reeling from Covid.

In California alone, since the enactment of the CCPA in 2020, there have been nearly 200 lawsuits involving companies that sell to customers in California despite being located elsewhere.

There is considerable overlap in the states’ privacy bills. Notwithstanding some significant differences, several new bills appear to substantively copy the structure of different privacy bills passed by other states. In particular, several state bills appear to draw its content from the CCPA/CPRA and the thrice-unpassed Washington Privacy Act. The bills also draw heavily on the more restrictive European Union’s General Data Protection Regulation (GDPR), the granddaddy of Privacy Acts.

Perhaps the individual states need to go through this expensive fragmented approach to shake the Federal Government into action. But, ironically, the states seemingly fail to understand that one of the primary purposes of the GDPR was to harmonize data protection laws across EU member states. By enacting competing, and potentially contradictory state data protection laws, state legislatures are creating the exact type of fragmentation in the United States that the EU created the GDPR to resolve.

The need to pass comprehensive federal privacy legislation that preempts state laws, protects consumers, and promotes innovation is overdue. There has been a growing interest in establishing a national data protection law that would apply to a broad spectrum of organizations and go beyond the United States’ many sectoral data protection laws.

The Spectacle of the Union

The State of the Union speech this year was a busy affair. Despite the rumors that a Federal Privacy Act would get some airtime, President Biden focussed on better protection for child safety on social media platforms like Facebook and Instagram. President Biden has previously stated that his administration will be taking a more active role in developing data privacy. So we could have finally found the momentum it needs to move forward with comprehensive privacy legislation.

While members of Congress have introduced multiple proposals, none have yet to gather widespread bipartisan support. However, a recent poll has illustrated strong support from their constituents. With 86% of Democrat and 81% of Republican voters in favor of federal legislation.

The former U.S. Federal Trade Commission Chair Jon Leibowitz recently explained that there is bipartisanship support on the issue, noting members of the House Energy and Commerce Committee are “trading drafts and seem close to marking up a consensus privacy bill.” Still, some divisions remain over potential preemption and the rights of individuals to take private legal action against organizations.

It would be a brave gambler who wants to place a bet on a federal privacy law becoming a reality during a midterm election year or the two years thereafter when Biden is trying (likely in vain) to work with the GOP in both houses.

Despite the impasse, surely the situation will get to the stage when it is really in everyone’s interest to enact a uniform national privacy law. There must be a tipping point when the number of states with privacy legislation will finally incentivize businesses to start seriously pressuring Congress to act, so they don’t have to know how to comply with a convoluted and expensive patchwork of laws.