(Opinion) From a trickle to a flood
The ever-increasing number of U.S. state privacy laws

Most, if not all, of the countries in the world that are economic leaders (and many that are not) have robust national data privacy laws designed to protect the privacy rights of individuals. The United States is not one of them.
Interestingly, the United States is perhaps the only major country that does not have a comprehensive federal consumer privacy law. (It does, however, have a federal law that protects the privacy rights of minors: the Children’s Online Privacy Protection Act, or COPPA.) The two major hurdles to enacting a federal law are whether similar state laws should be preempted, and whether individuals should be given a private right of action for violations of the law.
While for several years certain countries have had comprehensive data privacy laws, the enactment of the General Data Protection Regulation (GDPR) in the European Union ignited a succession of U.S. state privacy laws. In the absence of a federal privacy law, as of the date of this publication, approximately 40% of U.S. states (including New Hampshire) have enacted comprehensive consumer privacy laws.
California was the first U.S. state to enact a comprehensive privacy law — the California Consumer Privacy Act (CCPA). The various other state laws that have followed generally declined to adopt the CCPA model. Many state privacy laws (including New Hampshire's) follow a different model, although each law has its own variants.
These other state privacy laws tend to be somewhat less burdensome to businesses than the CCPA. Moreover, state privacy laws other than the CCPA have adopted terminology like that used in the privacy laws of Europe and elsewhere, making the privacy compliance concepts more familiar and uniform.
While the various state privacy laws have many similarities among them, each law tends to place its own spin on various aspects. For example, the applicability thresholds differ among the laws. Most depend for applicability on the number of residents of the state whose personal information is processed (and even then, the minimum number generally ranges from 35,000 to 100,000). Under some laws, the size of the entity or dollar volume of revenue may bring a party within the scope of the law.
And as if that were not enough, various states are enacting subject matter specific laws. For example, some states (e.g., Illinois, Texas, Washington) have enacted biometric privacy laws relating to biometric characteristics of individuals such as facial geometry or fingerprint patterns.
Much litigation has arisen from the Illinois Biometric Information Privacy Act. Another field that some states (e.g., California, Colorado, Connecticut and Montana) are focusing on is neural data privacy, relating to characteristics of an individual’s nervous system. A number of states are going beyond COPPA, enacting privacy laws designed to protect children, particularly in the online setting.
And while not necessarily privacy laws per se, some states are focusing on legislation addressing the use of artificial intelligence (AI), which will likely interrelate at least to some degree with privacy laws.
The number and variety of privacy laws are daunting, to say the least. They make compliance with all of them extremely difficult, if not impossible, for many businesses and organizations, especially smaller ones (although certain laws recognize that fact and provide some relief for smaller businesses and nonprofits).
As a result of this “flood” of U.S. state privacy laws, businesses and organizations have adopted varying compliance strategies. Some have sought to take a “lowest common denominator” approach to compliance, whereby they adopt the most protective aspect of the various privacy laws as to each compliance topic (e.g., if the time to respond to a data subject request is 30 days under one law and 45 days under another, the 30-day period is applied in all situations).
While in theory that sounds like a good approach, and might work in some instances, a major drawback is that it may significantly increase the burden to comply with legal requirements that otherwise would not be applicable.
An alternate approach utilized by some businesses and organizations is to use separate addendums to address the applicable laws of specific jurisdictions. This approach is useful if there are only a handful of state laws that are applicable, but becomes unwieldy if there are many state laws that must be complied with.
Each approach has its own merit — the first having the benefit of applying the same criteria in every case, the latter having the benefit of avoiding unnecessary compliance obligations.
At least some states would prefer their laws over a federal law, because they view their laws as more protective of individual privacy rights. However, provided a federal privacy law adequately protects individuals, having one comprehensive law certainly would be desirable from a compliance point of view. When compliance is too difficult, some businesses and organizations might simply choose to do nothing.
Having only one law to comply with could have the overall effect of increasing compliance, thereby actually expanding the protection of consumer privacy rights, while at the same time making compliance by businesses and organizations less burdensome.
Doug Verge is a shareholder and co-chair of the data privacy and security group at Sheehan Phinney.