Are State-Level Privacy Laws Sustainable Long Term?
Since Europe’s General Data Protection Regulation (GDPR) took effect more than three years ago, individual US states have struggled to pass their own data privacy laws. In fact, only two states have been successful so far: California’s Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA). And while there are several federal privacy laws covering specific industries (healthcare, finance, etc.), in terms of a general federal law that encompasses all data—consumer and otherwise—nothing has come to fruition yet.
Two dozen states have tried to get their own laws passed in 2021 alone, and those bills are all in varying stages of progress. Some have failed while others are still active. So, why is that? What is keeping some of these bills from passing?
Key Consumer Rights
There are several consumer rights and business obligations that some of the proposed bills contain and some don’t. A couple of notable ones that were absent from many of the state bills that failed this year are the Right to Restriction and Private Right of Action.
- Right to Restriction – Right to Restriction refers to consumers being able to tell companies how they want their data to be handled and stored. Neither CDPA nor several bills that recently failed to pass include this language. CCPA and GDPR, however, do include Right to Restriction, meaning consumers can tell a business it cannot share or sell their data to third parties, or they can opt out of a company using their data for advertising and storage purposes. Also, under GDPR, consumers have a right to opt out of automated decision making. However, there are caveats to this right: If giving data to a third party is required for the business to deliver its services, the business will continue to share it. Additionally, if a company shares data with the authorities or an analytical firm, and there’s no service that benefits the consumer, the consumer can’t opt out because he or she is not receiving any communications from it.
- Private Right of Action – Including private right of action in a data privacy bill allows a consumer to sue a company directly if that company mishandles their data or falls victim to a security breach in which the consumer’s data was exposed. Interestingly enough, if Florida’s privacy bill had passed, its private right of action would have allowed consumers to sue for any violation of the law, not just in the case of a breach or hack. Several rejected privacy bills didn’t include language that would give consumers that right to sue. Others were rejected because they included private right of action: Many businesses are not keen on the potential for significant legal exposure that would come from consumer class-action lawsuits. As it stands, the only enacted privacy law that currently includes private right of action is California’s CCPA.
Additional Considerations for Future Bills
Based on past regulations, we know a few items that should be taken into consideration when shaping the next wave of state privacy bills, including carve-outs and means of enforcement.
- Stricter Carve-Outs – Most of the existing carve-outs in past laws were focused on things within the public sector, such as mortgage statements or utilities. Within the CDPA, for example, many organizations are not required to comply because they are already covered under existing regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Future bills should be stricter with these carve-outs. Not requiring certain companies to follow the new privacy laws instead leaves them complying only with regulations from the 90s (like HIPAA and GLBA)—which are in need of updating. It also creates disjointed protection for data, which is what should be avoided in the first place.
- Greater Enforcement – Neither current nor proposed laws have enough enforcement in terms of how the state governments will impose these regulations once they are in effect. Right now, the laws seem to act more as guidance, with businesses often deciding whether it will be cheaper to take the necessary steps to comply with data privacy laws or to pay the fine for not adhering. Oftentimes, companies only have to answer for their lack of compliance after a data breach or once consumer complaints start piling up. GDPR has the Data Protection Authorities (DPAs), whose job is to assess companies that have complaints against them and then fine them if an investigation finds they are not complying with the law. By comparison, in the US, the Attorney General—who is already extremely busy—is in charge. If the US eventually enacts a federal privacy law (like GDPR), some kind of review or enforcement board will also need to be created to ensure compliance and assign the appropriate penalties.
The Power of Tech
The largest tech firms in the US are rather proactive in their lobbying efforts when it comes to some of these new privacy laws and proposals. Many are pushing for a federal privacy law so that they can focus their efforts on complying with one federally mandated law, rather than individual state ones.
Additionally, a US federal-level law could make it easier for US-based companies to share data with the EU, as one thing that GDPR allows is transparent data trading with other entities that have safeguards mirroring its own. Otherwise, companies are not allowed to share data overseas.
California’s CCPA includes this—meaning that corporations are free to transmit data that comes from California. However, what if a company’s data centers are in Washington, D.C.? We might start to see some corporations move those data centers to California in order to freely share data with the EU, further bolstering the Silicon Valley economy and hurting the East Coast.
The Future is Federal
Globally, several other countries have already enacted data privacy laws, including Brazil, South Africa, Canada, Australia, and Japan. The US is in a bit of limbo without one; there exist only scattered laws across the states in various stages of passing. That’s why there could be a US federal-level data privacy law coming in the near future—indeed, a bill was introduced in March 2021.
If and when the government does create and pass this law, it will undoubtedly go above and beyond what CCPA and CDPA already do. It will likely encompass data protection of multiple industries, including the financial and healthcare sectors, much like GDPR does. This means American and global companies would have to comply with the federal law first, and then if a state’s law goes above and beyond that, they’ll be required to comply with that too.
Global economies are data-driven, putting data privacy at the center of discussions and making it a priority. By defining acceptable levels of control requirements and safe data handling, countries are forming digital partnerships for data trade. The US could soon be on the front lines with its own federal law, but in the meantime, states are taking matters into their own hands.
Building sustainable compliance across multiple laws and mandates begins with comprehensive optics into the sensitivity of data and automatic organization-wide control over it. Let PKWARE help you achieve and maintain worldwide data compliance.