With the summer season in full swing and state legislatures adjourned for the summer, now is a great time to reflect on the status of privacy laws in the United States. As technology advances and our digital footprint expands, the need for tighter data privacy regulations becomes increasingly important.
First off, let’s take a moment to recognize why so many states are taking the initiative to develop their own laws on data privacy. The United States does not have a comprehensive data privacy regulatory framework like the General Data Protection Regulation (“GDPR”), effective in the European Union since 2018. There is growing frustration among U.S. businesses that are challenged by the varying compliance requirements of several different states as well as GDPR rules that may also apply to them. On the other hand, there is frustration from consumers that feel their data is not well protected. This puts pressure on our state legislators to do what has yet to be accomplished at the federal level. Making the situation more complex are state arguments that any federal law that does ultimately pass should not pre-empt current state laws.
So, the question and answer remain the same. Will there soon be one comprehensive federal data privacy regime that all U.S. citizens and businesses can rely on? The answer: not likely.
It is worth noting that the federal government is not altogether ignoring this issue. However, progress is slow, and some efforts, like children’s online privacy, command greater attention and a greater sense of urgency than a more comprehensive data protection framework.
We have seen an increase in bipartisan efforts at the federal level to strengthen children’s online privacy through proposed legislation addressing concerns over the content that is made available to children, collection of data of minors, and targeted advertising to children and teens. An updated and expanded version of the Children’s Online Privacy Protection Act of 1998, Kids Online Safety Act, and numerous other bills related to protecting kids online are on the table for 2023. In addition, there are over 100 state level initiatives in the works.
And, not surprisingly, social media and artificial intelligence are adding to concerns over what and how to regulate the tech industry in the U.S. In 2022 the proposed American Data Privacy Protection Act (“ADPPA”) gained some momentum and included oversight on AI use in business. But the early progress of the ADPPA fizzled out, at least for now. A significant hurdle is the concern over pre-emption of state laws, in particular California’s far-reaching privacy laws.
This leads us to a discussion of what is going on at the state level.
Individual states have been successful at passing legislation that will provide comprehensive protection of consumers’ data. At the start of 2023, California and Virginia were already enforcing comprehensive data privacy laws. On July 1, 2023 the new Colorado and Connecticut laws become effective followed by Utah’s law on December 31, 2023. Montana, Tennessee, and Texas (pending governor signature) laws will take effect in 2024, Iowa’s new law takes effect in 2025, and Indiana’s in 2026.
If you are counting, that’s ten states with comprehensive data privacy laws in effect now or coming soon. Several other states have active legislation relating to data privacy at the time of this writing, and a few have a chance of seeing comprehensive legislation making it all the way to the finish line during the respective state’s legislative session.
Most of the state laws enacted to date share similar protections for their citizens such as the right to opt out of the sale of personal data or targeted advertising and the right to access, correct, and/or delete certain information. And any business that conducts activity or targets consumers in one of these states could be subject to the privacy rules, even if it does not have a brick-and-mortar presence within the state. Except for California where a private right of action may be allowed in some cases, the enforcement of the laws will be handled through state agencies.
For companies that do business in multiple states, compliance is becoming increasingly tricky because each state law is nuanced. It is important to note that just because a state does not have a comprehensive data privacy and protection framework in place does not mean a business is off the hook. Other targeted laws might apply such as requirements for contacting consumers when there is a data breach.
As another example, Florida recently passed a Digital Bill of Rights that is not in the same category of comprehensive data privacy as the ten states mentioned above, mainly because the bulk of the law applies to businesses with annual global revenues exceeding $1 billion. However, the Florida law does include provisions that apply to any business acting in Florida that also sells consumer data.
With the complexities increasing, it is always best to consult with professionals that will help you understand what actions you need to take now and what actions you should be prepared for in the near future. Just as technology advances, so too will the compliance requirements. Constant vigilance is best.
Every effort is made to provide accurate, complete, and current information in Milestone Law Group’s blog. However, Milestone cannot guarantee that there will be no errors. In addition, note that articles are current as of the date of original publication and therefore may no longer reflect the current state of the law.
The information in our blog is shared for informational purposes, not to provide specific legal advice. Receipt of this material does not establish an attorney client relationship. The blog should not be used as a substitute for competent legal advice from a licensed professional attorney. Please contact us if you have any questions.