Okay, so maybe 2020 fell a little short of its “year of privacy” billing. But hey, so did 2019, as well as 2018 for that matter. Clearly, hope springs eternal for us privacy acolytes – particularly, it seems, as the calendar turns over and we cleanse ourselves of last year’s disappointments. In fairness, stakeholders charted important, if incremental, progress toward comprehensive federal privacy reform throughout these past few years, so it’s not as if all was lost.
Yet through the first two months of 2021, a different narrative is already coalescing. Privacy legislation is advancingrapidly on the state level, with policymakers in multiple states blazing widely divergent paths to get there. So, without falling into the trap of anointing 2021 the one true year of privacy, it is at least safe enough to point out that this year already marks something of a tipping point. The advancement of legislation in multiple states should generate real, lasting changes to the privacy debate that will ripple beyond any individual state’s borders and could serve as the impetus for congressional action.
The Quilt is on the Table
Over the past couple of years, ACT | The App Association noted that the lack of a comprehensive federal privacy law incents states to fill the void with their own legislation – potentially leading to the creation of a state-by-state patchwork quilt of privacy laws that differ in their definitions of key terms, coverage thresholds, consumer rights, and compliance requirements. Of course, adoption of privacy rules is a perfectly sensible goal for states lawmakers to strive for – real privacy harms continue to plague consumers in the marketplace and the Federal Trade Commission cannot protect against them all. Unfortunately, such an arrangement replicated in dozens of states, even if well-intentioned, could lead to an especially confusing compliance atmosphere for small businesses simply seeking to do the right thing.
Though the patchwork possibility typically emerges each year with the commencement of state legislative calendars and the unveiling of dozens of privacy measures, this year lawmakers appear truly to mean business. Currently, comprehensive privacy proposals exist in at least 13 states, while a handful more already perished at various stages within state legislatures. While in the past the vast majority of these efforts failed or morphed in committee-led commissions to research the impact of privacy legislation, this year several of bills stand a real chance of passing into law.
Needle at the Ready
Of the candidates to join California on the state privacy quilt, Virginia clearly stands out as the prime candidate. In fact, the only obstacle currently standing between Virginia and a comprehensive privacy law is the Governor’s signature, as the legislature recently approved a bill, the Consumer Data Protection Act (CDPA), with the broad support of both chambers. With Governor Northam poised to imminently add his signature, Virginia will become just the second state in the country with a comprehensive data protection law on the books, following California. Similar to the California Consumer Privacy Act (CCPA) and its recently passed cousin, the Consumer Privacy Rights Act (CPRA), CDPA grants consumers a slew of rights relative to their data, such as access, correction, deletion, and portability, as well as the right to opt-out of data sales. However, CDPA departs from CCPA in other important areas, providing lawmakers seeking to craft their own legislation at the federal level with an alternative template. Notably, CDPA allows consumers to opt-out of the processing of personal data for the purposes of targeted advertising and automated decision making, going further than CCPA and CPRA. On the other hand, CDPA does not include a private right of action for data breaches commensurate with the California model and offers broader exemptions for certain entities, such as financial institutions and healthcare providers, already covered by sectoral privacy laws.
Of the rest of the handful of states with active bills, Washington state’s Washington Privacy Act (WPA) likely stands the best chance of passing into law. WPA would create a similar set of consumer rights compared to CDPA and CCPA/CPRA, garnering support among several high-profile stakeholders, including the state’s big digital players. Though similar bills failed in Washington for the past two legislative sessions, primary bill sponsor Sen. Reuven Carlyle (D) crafted certain alterations that should improve its chances of passage this time around. These include enhanced ability for the Washington Attorney General to enforce the law, as well as additional protections for data generated from contact tracing apps.
Next Patch Up?
Meanwhile, several other states are toiling at various stages of the policy development process, with some surprising players making noise. Oklahoma legislators, for example, are debating whether to approve what would likely constitute the strictest privacy law in the country. The bipartisan Computer Data Privacy Act would require companies to obtain the opt-in consent of users to collect and process personal information. The measure boasts 44 cosponsors, already nearly a majority of Oklahoma’s 101-member House of Representatives, which requires 51 votes for passage. With 31 Republicans and 13 Democrats onboard, this development perhaps presages a new front in the simmering “techlash,” where both parties agree to funnel grievances, thus far limited to platform and censorship issues, into the privacy space. If that turns out to be the case beyond Oklahoma, we could be in for a tumultuous 2021, with the resulting pressure on federal lawmakers likely escalating to unsustainable levels.
At this juncture, the exact composition of the emerging privacy patchwork remains unclear, despite its imminent growth. But while a multitude of state privacy laws is certainly not ideal for app developers in the short run, it may be the painful but necessary step to kick-start negotiations at the federal level. As always, we will continue to follow closely and remain a resource in the interim.