DIY data protection: As Congress stalls, states take charge
- By Andrea Little Limbago
- Mar 23, 2020
With so much focus on federal data protection regulation, it would be easy to miss the tectonic shifts underway at state capitols. Last year alone, more than 90 different data protection, security and privacy proposals were introduced. The California Consumer Privacy Act (CCPA), which went into effect in January, has been the most far-reaching, but it is not alone. From Florida to Maine to Texas, states are taking the lead in innovating data protection regulation. By the end of 2019, more than half the states had either proposed new privacy legislation or established a task force to do so. Absent progress at the federal level, states will continue to push for greater data protection and regulation, strengthening security and privacy while adding complexity to an already dynamic landscape.
Choose your own privacy adventure
While interest in data protection in the United States has been growing for years, 2018 marked a significant inflection point, as several forces combined to create the perfect privacy storm. First, the steady flow of data leaks continued as Marriott, British Airways, T-Mobile, MyHeritage and countless other corporate breaches exposed sensitive personal data. Second, the European Union's General Data Protection Regulation (GDPR) introduced sweeping data protection obligations that reached any company processing the data of individuals in the European Union, regardless of where the company is based. Finally, and arguably most impactful, the Cambridge Analytica data sharing scandal awakened public awareness of the vast implications of data monetization and sharing.
This confluence of events dramatically shifted public opinion in the United States and helped drive momentum toward the rapid passage of the CCPA. Numerous other states are now similarly approaching data privacy through overarching omnibus legislation: integrating numerous data protection requirements under a single regulatory umbrella. New York's proposal last summer built upon the CCPA momentum, but it differs in a few key areas. Instead of relying on the attorney general for enforcement, the New York proposal includes a private right of action, and it applies to any organization holding New York resident data rather than only to businesses above thresholds such as the CCPA's $25 million in annual revenue. The New York bill also imposes a data fiduciary duty, which prohibits businesses from using data to the benefit of the business and the detriment of the individual.
Other states similarly borrow aspects of the CCPA while customizing them. Nevada's law, for instance, does not have opt-in requirements, and its opt out applies to a narrower scope of information. It also sets a different time frame for responding to consumer requests and defines the sale of data differently. Nebraska's recent proposal, in contrast, stays closer to the CCPA with its focus on personal information and the right to know what is collected, how it is used and who accesses it, as well as the right to deletion and opt out. Nebraska's proposal and the CCPA both include fines of up to $7,500 per violation. Finally, Florida's proposed Consumer Data Privacy Act shares some common features with both the CCPA and Nevada's law, including a focus on the right to opt out of sales of personal data and a notice of what data is collected. Proposals in Maryland and Massachusetts are similar to the CCPA, but their opt out covers any disclosure of data, not just sales. Maryland chose enforcement by its attorney general, while the Massachusetts proposal includes a robust private right of action.
These are a few examples of an omnibus approach to data privacy, and additional proposals are likely to emerge over the next few years absent a federal privacy law. At the same time, several states are opting for point solutions instead of the omnibus approach. That is, they are narrowly addressing a specific data privacy issue. For instance, Vermont passed the country's first law targeting data brokers -- entities that gather personal data from a wide range of sources, typically without a direct relationship with the individual -- which took effect at the start of last year. The law requires data brokers to register with the state, maintain baseline security practices and provide notice if a breach occurs. It also prohibits acquiring brokered data through fraudulent means or using it for unlawful purposes such as stalking, harassment, fraud or discrimination.
Maine opted instead to focus on internet service providers. Taking effect on July 1 of this year, the Maine law bars ISPs from "using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access."
Instead of focusing on data aggregators and collectors, a half-dozen states have focused on the kind of data itself. For instance, the Illinois biometric privacy law is more than a decade old, but it has been making headlines lately because of its use in class action lawsuits against Facebook and Google. Texas, Washington, California, New York and Alaska are among the states that have passed, proposed or expanded laws covering biometric identifiers.
What’s next: Full speed ahead for states
Despite both political parties expressing support for federal data protection regulation, including dueling proposals at the end of 2019, security and privacy bills failed to gain any traction in Congress. With little hope for Congressional action on data protection, and with mounting public demand for it, states will continue to be the major drivers of data protection regulation in the United States.
For each state capitol, there is a seemingly endless array of components that could comprise a data protection regulation. What data is covered? Which and what size of businesses are covered? Should reasonable security measures be required? Does it cover selling data or disclosing data to any third party? How will enforcement be handled? Will it include a data fiduciary? How will users opt in and opt out?
These are just some of the questions that state legislators will have to debate. Based on what has been proposed so far, these laws look set to follow the trajectory of data breach notification laws. There are now 54 different data breach notification laws -- one for each state, plus one each in Washington, D.C., Guam, Puerto Rico and the U.S. Virgin Islands -- each with its own nuances and time frames.
At the federal level: One law to rule them all?
As the variety in state-level regulations demonstrates, Congress faces many decisions when it comes to federal data privacy regulation: an omnibus approach or point solutions? Which data will be covered, and will there be a private right of action? These are just a few of the considerations. As the U.S. deliberates on a federal law, Congress must ensure that the solution is not worse than the problem.
Of course, many forces will seek to undermine any U.S. federal data protection regulation. As the details get debated, three overarching components should be reinforced throughout: harmonization, reasonable safeguards and a whole-of-society approach. First, ensuring a consistent baseline is essential to overcoming today's complex data ecosystem, and it will require fending off special interests seeking to dilute many of the recent state-level policies. Next, requiring reasonable security safeguards has been shown to incentivize more robust security practices and to deliver positive business returns. Finally, data protection can benefit from a herd immunity approach that applies to both the private and public sectors while also empowering individuals with greater selective control over their data. The onus should not fall entirely on any single entity; what is needed is a combination of incentives, penalties, transparency and controls that elevates data protection across society.
For more than a decade, data theft and questionable data sharing practices have largely gone unregulated in the United States. This status quo is not sustainable. The CCPA is just the first step in a state-level movement that aspires to implement modern data protection regulations fit for the digital age. Lacking any concrete signs of progress at the federal level, states will continue to be the driving force of data protection innovation, providing greater privacy and security protections while introducing ever greater complexity in an already dynamic compliance landscape.