2021 was an active year for privacy legislation! The continued COVID-19 pandemic further increased the use of technology and our dependence on digital platforms, and privacy continued to be a relevant concern as legislators introduced bills.
On the federal level, eight comprehensive privacy bills were reintroduced in 2021 between March and November. All had been previously introduced in the last four years, and none of the bills has moved past introduction or committee, signaling that while privacy remains an issue, it is not yet a high enough priority to move to a congressional hearing. The bills included: DelBene’s “Information Transparency and Personal Data Control Act” (HR 1816), Schatz’s “Data Care Act” (S 919), Moran’s “Consumer Data Privacy and Security Act of 2021” (S 1494), Klobuchar’s “Social Media Privacy Protection and Consumer Rights Act” (S 1667), Gillibrand’s “Federal Data Protection Act of 2021” (S 2134), Wicker’s “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S 2499), Masto’s “DATA Privacy Act” (SB 3065), and Eshoo and Lofgren’s “Online Privacy Act” (HR 6017).
On the state level, 26 states and the District of Columbia contemplated 61 comprehensive privacy bills. The states that introduced privacy legislation spanned the political and geographic spectrum: Arkansas, Arizona, Alaska, California, Colorado, Connecticut, Florida, Illinois, Kentucky, Maine, Maryland, Massachusetts, Minnesota, Mississippi, New York, North Carolina, New Jersey, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Texas, Virginia, Washington, Washington D.C., and West Virginia. Of these bills, more than half followed the California Consumer Privacy Act (“CCPA”) model.
Trends among the state bills introduced include:
- Most bills included the right for consumers to request access to their data, except bills from Rhode Island and North Dakota.
- Most bills included the right for consumers to request deletion of their data, except for 11 bills spanning 7 states (New York, New Jersey, Connecticut, Illinois, Oklahoma, Rhode Island, and North Dakota).
- 5 bills included consumer rights related to automated decision-making. These rights follow the trend of federal interest in regulating automated decision-making and the discussion around creating an “AI bill of rights.”
- 39 bills contemplated some version of a private right of action, though in some cases, it was limited to specific harms, limited in possible recovery, or later removed from the bill.
- 4 states saw multiple competing comprehensive privacy bills introduced, with New York leading with nine.
However, only Colorado and Virginia joined California in enacting comprehensive privacy legislation. We have previously blogged about the Colorado and Virginia laws, which will take effect in 2023. The Colorado Privacy Act (“CPA”) and the Virginia Consumer Data Protection Act (“VCDPA”) are quite similar. Each adopts elements of both the EU General Data Protection Regulation (“GDPR”) and the CCPA. Similar to the CCPA, they create personal data privacy obligations for businesses that process the personal information of over 100,000 residents of the state or that derive revenue from the sale of personal data of over 25,000 residents of the state (though under the VCDPA, businesses must derive 50% of their gross revenue from the sale of personal data). Similar to GDPR, they impose several duties on controllers, including the duty of transparency, purpose specification, and data minimization. Importantly, these laws provide consumers with the rights to access, delete, and correct their personal information in addition to the right to opt out for the purposes of targeted advertising or profiling. They both also generally prohibit discrimination against those who exercise their rights under the law. These two laws are enforced by each state’s respective Attorney General, and do not contain a private right of action.
Many people expected Washington State’s comprehensive privacy bill to pass on its third attempt, but despite the legislature’s large Democratic majorities in both houses, lawmakers stalled on whether, and how, to include a private right of action. The Washington bill’s failure illustrates how privacy issues often transcend political affiliation; hot-button issues like private rights of action, consumer consent requirements, and restrictions on automated decision-making often give rise to disagreements both between and within parties. Accordingly, we expect that successful bills are likely to be limited to more widely accepted rights, such as consumer data access/deletion and the right to opt out of targeted advertising.
The VCDPA goes into effect on January 1, 2023, and the CPA goes into effect on July 1, 2023. Despite the low success rate for bills introduced in 2021, we expect to see more privacy legislation in 2022. Accordingly, organizations that operate nationally should consider “future-proofing” their privacy and data protection programs by adopting privacy best practices for all US consumers, instead of on a state-by-state basis.