As 2021 comes to a close, it is a good time to take stock of the present state of U.S. privacy law. With the relatively recent passage of comprehensive privacy laws in California, additional countries adopting laws that closely follow the principles of the EU's General Data Protection Regulation (GDPR), and growing public concern about how companies handle customers' personal data, legal practitioners entered 2021 with high hopes that comprehensive federal privacy legislation might finally be on the horizon. Nevertheless, in a trend that is likely to continue in the year ahead, it was the states rather than Congress that added to the ranks of privacy laws with which businesses will soon need to comply.
This year began closely on the heels of the passage of a new privacy law in California. On November 3, 2020, Californians approved the ballot initiative for the California Privacy Rights Act (CPRA), which goes into effect on January 1, 2023 but applies to personal information that companies collect from California residents beginning January 1, 2022. The CPRA amends and expands the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, and introduces new obligations for businesses that resemble several GDPR requirements, including a purpose limitation that restricts businesses' collection, use, retention, and sharing of personal information, heightened protections for sensitive personal information, and expanded disclosures to consumers about companies' data retention practices.
When California first passed the CCPA in 2018, many thought the law might eventually prompt passage of a federal bill. A federal privacy law remains elusive, but several states have joined California in considering, and in some cases enacting, their own versions of a comprehensive privacy law.
On March 2, Virginia joined California as the second state to pass such a law. The Virginia Consumer Data Protection Act (VCDPA), which takes effect on January 1, 2023, the same day as the CPRA, is similar to the California law in many respects, providing Virginia consumers with new rights to access, correct, delete, and obtain copies of the personal information a covered business holds about them. The Virginia law is, however, expected to be more business-friendly, and it incorporates concepts of proportionality and reasonableness that are central to the GDPR.
On July 8, Colorado became the third state to enact a comprehensive privacy law, which will take effect in July 2023. With a few notable exceptions, including more explicitly defining what constitutes an “identified or identifiable individual,” the law closely tracks the VCDPA.
Several other states have introduced bills that remain in committee. In Minnesota, HF 1492, known as the Minnesota Consumer Data Privacy Act, is also modeled after the VCDPA and the GDPR.
Another key state to watch in 2022 is Massachusetts, where the legislature continues to debate the Massachusetts Information Privacy Act (MIPA). If passed, MIPA would impose fiduciary duties of care, loyalty, and confidentiality with respect to personal information; establish a new enforcement entity known as the Massachusetts Information Privacy Commission (MIPC); and provide plaintiffs not only with a private right of action but also with the opportunity to obtain liquidated damages of at least 0.15% of the defendant's annual global revenue or $15,000 per violation, whichever is greater.
The New York legislature has considered several different versions of a comprehensive privacy law since passing the SHIELD Act in 2019. Notably, New York Senate Bill 567, introduced in January 2021, would put in place a California-style privacy law that provides consumers with a private right of action, and Assembly Bill A680 (the "New York Privacy Act"), re-introduced in January 2021, establishes GDPR-style rights for data subjects as well as a concept of businesses as "data fiduciaries" that must "exercise the duty of care, loyalty and confidentiality expected of a fiduciary" with respect to consumers' personal data.
And in Ohio, House Bill 376, the "Ohio Personal Privacy Act," introduced in July 2021, includes many provisions similar to those in the CCPA but specifically prohibits private rights of action and provides an affirmative defense for companies that maintain a privacy program conforming to the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Version 1.0). None of these bills passed in 2021, but we probably have not seen the last of them.
In 2021 states also passed sectoral laws protecting specific types of personal information. For example, on June 29, Florida's governor signed H.B. 833, known as the Protecting DNA Privacy Act, which targets the collection, use, retention, maintenance, and disclosure of Floridians' DNA. Similarly, California recently enacted the Genetic Information Privacy Act, which addresses the privacy and security of direct-to-consumer genetic testing. In addition, as we will explore further in a later blog post in this series, 2021 also saw states begin to expand or establish telemarketing statutes modeled on the federal Telephone Consumer Protection Act (TCPA). These state laws, such as Florida's SB 1120, which took effect in July 2021, include more modern definitions of "autodialer" that are broader than the TCPA's definition as interpreted by the Supreme Court in Facebook v. Duguid earlier this year.
Looking ahead to 2022, the momentum is likely to remain at the state level. While members of Congress continue to introduce both comprehensive and sector-specific data protection legislation, such as the Consumer Data Privacy and Security Act in April 2021, one of the main roadblocks continues to be the private right of action. One need look no further than the California, Virginia, and Colorado privacy laws to observe the divergence on this issue: California grants consumers a private right of action (albeit limited to certain data breaches), while Virginia limits enforcement to the attorney general and Colorado similarly allows enforcement only by the attorney general or district attorneys. The other primary roadblock for a federal law is preemption. With more and more states passing their own comprehensive privacy laws, whether a federal law should preempt those state laws, in whole or in part, remains the subject of much debate.
Given the low prospects for passage of a comprehensive privacy law at the federal level any time soon, we can safely assume that the patchwork of privacy laws in the U.S. will not only persist but expand in the New Year. The Ropes & Gray Data, Privacy and Cybersecurity Practice will continue to monitor developing privacy laws in the United States and abroad. Subscribe to www.RopesDataPhiles.com for updates.