“There are a lot of proposals in many state legislatures,” said Hayley Tsukayama of the Electronic Frontier Foundation. “But with the coronavirus, many have reassessed their priorities about what’s moving and what’s not … and many [proposals] are not.”
Still, legislative movement is expected when the nation returns to some level of normalcy, and when it does, California will likely retain its reputation as a leader in the quest for online privacy with its California Consumer Privacy Act (CCPA), which went into effect on Jan. 1, 2020. Some states view it as a template for their own measures.
“California is definitely a standout in a lot of different ways … it has set the standard and the bar that other states are following,” said Ashley Johnson, of the Internet Technology and Innovation Foundation (ITIF). The Golden State’s efforts have spurred action — or at least discussion — of the issue at the federal level. But whether a bipartisan compromise can be achieved remains to be seen.
Here’s a look at what some digital privacy experts view as standouts in legislative online privacy efforts at the state level, and some of the sticking points in those and federal proposals.
Federal Proposals
Two key bills are pending in the Senate Committee on Commerce, Science and Transportation — one from Committee Chairman Roger Wicker, R-Miss., and another from ranking member Maria Cantwell, D-Wash. The bills contain some similar provisions to California’s and some overlap, but differ in key areas. Wicker’s bill would override any state measure, and Cantwell’s would not. Cantwell’s also contains the controversial private right of action provision, which has been the sticking point in some state legislation. Wicker’s contains no such provision.Johnson believes it is important that a federal bill override state measures so “every company in the U.S. knows what to expect,” rather than have to adapt to 50 different sets of rules. Her organization also does not support private right of action provisions. She said the CCPA’s provisions granting private right of action in limited circumstances has kept proponents of the provision from compromising on the federal level in that regard.
“They have gotten their way in California,” she said, adding that her organization would rather see a federal law where the Federal Trade Commission has jurisdiction in enforcing privacy and could fine a company if they don’t follow the law.
Tsukayama says private right of action is a provision her organization, EFF, believes is foundational to any good data protection measure.
California
The California Consumer Privacy Act of 2018 is multi-faceted, granting consumers the right to request a business to disclose the personal information it has collected about them as well as the source of the information and its business purpose. Consumers may request that the information be deleted by the business. The measure also allows consumers to opt out of a business’ sale of their information. The law went into effect Jan. 1, 2020, but the California Attorney General’s Office, as of early May, had not yet completed writing its implementing regulations and is expected to do so in July.Johnson, of ITIF, says one of the most controversial aspects of the law is its private right of action provision, which allows consumers to sue a company that has collected their data if a data breach occurs. Johnson also believes the act “disincentivizes” data collection needed for emerging technologies such as artificial intelligence and the Internet of Things (IoT).
“We think it might stymie innovation in AI and IoT,” she said.
Tsukayama, of EFF, said one of her organization’s concerns about the CCPA is it only allows private right of action lawsuits in limited circumstances involving data breaches. Her organization has proposed follow-up legislation allowing people to sue companies for every privacy violation, not just data breaches. In addition, EFF is concerned that the CCPA does not have strong enough enforcement provisions. Under the act, the state attorney general would bring suit in cases of violation. Tsukayama said the AG’s office has stated it can only handle two to three such cases per year.
“We run the risk of having these really grand-sounding pieces of legislation that sound like they do a lot, but when the rubber hits the road, there’s not enough resources there to make sure consumers get the protections that are in the laws,” said Tsukayama.
Daniel Castro of ITIF (and a Government Technology columnist) said he supports the CCPA’s provision of “notice to cure,” where a company, if given notice of a violation, would then be advised to amend the violation within a set period of time.
“In a way, that idea can potentially mitigate a lot of concerns about lawsuits,” said Castro.
Castro said other states are looking to implement similar notice to cure provisions in their legislation.
California has recently enacted other privacy laws, including measures that require the AG’s office to make information from data brokers available on its website and a law pertaining to smart televisions that prohibits the recording of voices through voice recognition software.
Other States
Maine and Nevada have recently passed privacy laws that are fairly comprehensive, according to Johnson.“These efforts aren’t just concentrated where you would expect the most technologically aware states — like our Californias, New Yorks or your Washingtons,” said Johnson. “All states are looking at it.”
Online privacy legislation is also pending in Illinois, Wisconsin, Massachusetts, Minnesota, Pennsylvania and New Jersey.
Measures in Washington and New York failed — largely over private right of action provisions.
Johnson said the New York measure introduced a controversial legal concept of information fiduciary, which introduced a legal standard of care regarding collected personal data.
“It was something a lot of people could not get behind,” she said.
Many states also are weighing proposals that address a specific area of digital privacy such as biometrics. Illinois passed a biometrics law that was part of the $500 million Facebook settlement. Vermont passed a bill requiring data brokers to register annually with the secretary of state and provide specific data collection information to consumers. Nevada passed a law requiring operators on the Internet to designate an address where consumers may submit a request not to sell their information. Other states have recently passed laws requiring employers to notify employees of potential Internet monitoring.
Tsukayama said she believes the coronavirus crisis will change the tenor of the online privacy debate, drawing more people into the debate, since more people are online now, giving the passage of bills a greater sense of immediacy.
“We are spending so much time online now, and using all of these tools that have not been used this much before the crisis,” she said, with people using Slack for book clubs, Zoom for family reunions or office conferences, and other online tools. “I actually think that privacy protections are more important than ever.”