No Time To Read? LISTEN In English On-The-Go!
The good news is that there are several US states which are on track to pass new data privacy laws during 2021.
Data privacy legislation is a difficult topic to get your head around. There can be multiple dimensions, sector-specific rules, and various national and, in some cases (such as in the US), local laws enacted to cover a multitude of issues.
Some of these laws focus on consumer protection, while others concentrate on regulating data brokers or how ISPs should protect their customers’ data. Let’s review the progress and what is being proposed.
These states are on track to pass data privacy laws this year
Illinois led the way in 2008 with the Biometric Information Privacy Act, a law that lets Illinois residents sue companies that collect their biometric data (face scans, fingerprints, etc.) without their consent. After Europe passed the General Data Protection Regulation (GDPR) in 2016, which entitles people to obtain any data collected on them and have their records deleted, California decided to use it as a framework for its own law. Two years later it introduced its version of the GDPR, called the California Consumer Privacy Act. California has since passed an amendment, called the California Privacy Rights Act, that clarifies the original law and adds a governing body called the California Privacy Protection Agency that can bring action against violators.
Here’s a rundown of other state-level privacy laws beyond those in Illinois and California, plus the bills that could be passed into law this year.
Nevada adopted the Privacy of Information Collected on the Internet from Consumers Act in 2019, which allows consumers in the state to opt out of personal data collection.
In 2020, Vermont passed a law that requires data brokers to inform consumers when their personal information has been leaked or breached.
Maine’s new privacy law went into effect in August 2020, after a short one-month delay. Unlike other privacy laws in the U.S., this one is aimed squarely at Internet Service Providers. It prevents them from sharing or selling personal customer data without explicit consent.
This year, Virginia’s House and Senate both approved the Consumer Data Protection Act. The governor signed it into law in March. The new rule gives Virginians many of the same data protection rights as California’s law. This includes the ability to “access, correct, delete, and obtain a copy of personal data and to opt-out of the processing of personal data for the purposes of targeted advertising.” The law will go into effect in January 2023.
In January, New York legislators introduced several privacy bills. The New York Privacy Act replicates much of the EU’s GDPR but adds a private right of action. This will allow individuals to bring lawsuits based on violations rather than relying on a governing body to do it. Another law, Assembly Bill 27, amends New York’s general business law to include a new biometric privacy act that guards against the non-consensual collection of a person’s physical identifiers. This law also gives individuals the opportunity to seek legal action if they can make a case for how their rights have been violated.
After several attempts to pass a data privacy law, Washington may be in the home stretch. The State Senate just introduced a new version of the Washington Data Privacy Act. The bill allows consumers to find out what data has been collected about them, ask for a copy of it, correct or delete that data, and have that data transferred to another platform. Critics have called the law, which was created in collaboration with Amazon and Microsoft, “toothless.” They prefer another bill, recently introduced in the House, called the People’s Privacy Act, which is more explicit about biometric data rights and requires companies to obtain explicit consent before processing or sharing personal data. It’s not yet clear how this will play out, but the state is likely to embrace one of these rules (if not an amalgamation of both) this year.
Utah passed the Electronic Information or Data Privacy Act in 2019, which required law enforcement to obtain a warrant before requesting personal data from companies. It now has another consumer privacy law currently in committee. The Consumer Privacy Act was introduced in February and allows consumers to access, copy, and delete any personal information that a company collects about them. It also empowers the attorney general to investigate a company’s data practices. The law would require companies to provide transparency around what kind of personal data they collect, who they share it with, and how customers can exercise their rights to obtain their own data.
The Oklahoma Data Privacy Act was introduced in January. It’s similar in scope to several other data privacy laws that aim to provide consumers access to data that’s been accumulated about them and giving them the opportunity to have it deleted. Oklahoma’s law limits the kind of companies that are subject to these rules to those that earn 25% of their revenue through personal data sales, data brokers with more than 50,000 users, or companies that make more than $10 million annually. Those that fall into this category must have a web page on their website that tells consumers that their data may be sold and how to opt-out of that sale.
There are several other bills currently on the docket in Alabama, Arizona, Florida, Connecticut, and Kentucky, all of which follow a similar format to California’s CCPA. These laws rely on consumers to opt out of data collection, rather than pushing companies to obtain consent before collecting data—a win for tech companies. Still, the more states embrace these laws, the more consumers will have a right to know what information has been collected on them and an opportunity to stop it.