Currently, U.S. federal privacy regulations have been narrow or sector-specific: take, for example, the Gramm-Leach-Bliley Act (GLBA), which protects financial information; or the Health Insurance Portability and Accountability Act (HIPAA), which protects some health information. Absent a comprehensive federal framework, states have taken privacy legislation into their own hands. As of September 2023, eleven U.S. states have enacted comprehensive privacy legislation. Four of those states’ privacy laws are effective at the time of publication. Another twelve states have introduced privacy bills in 2023.
In general, the state-by-state approach to consumer privacy can cause confusion for entities handling personal data. Consider, for example, Texas and California, the two largest states to have passed comprehensive consumer privacy laws. The California Privacy Rights Act (CPRA) imposes limits on businesses and service providers, third parties, and contractors who receive or process personal information on behalf of those businesses. Under CPRA, a “business” must satisfy at least one of the following thresholds: (1) has annual gross revenues in excess of $25 million (2) annually buys, receives, sells, or shares the personal information of 100,000 or more consumers or households or (3) derives 50% or more of its annual revenues from selling consumers’ personal information. Meanwhile, the Texas Data Privacy and Security Act (TDPSA) contains neither a revenue threshold nor a minimum number of consumers whose personal data is processed or sold for the law to apply. Instead, the Texas law identifies a party as a “controller” (a person or entity who determines the purpose and means of processing personal data) if they (1) generate products or services consumed by Texas residents (2) process or sell personal data and (3) are not a small business, as defined by the U.S. Small Business Association. A company doing business in both states might not be subject to restrictions under CPRA, but it could be subject to TDPSA, due to the different thresholds. Cross-referencing these qualifications to ensure compliance requires significant time and resources.
Beyond the thresholds to qualify as a “controller,” or “business,” states are not consistent in their exemptions. Many states, such as Texas, Delaware, Montana, and Virginia, provide a consumer privacy exemption for government entities and nonprofits, and for personal information covered by federal statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, and the Family Educational Rights and Privacy Act (FERPA). Oregon, on the other hand, has been stricter in its policy, choosing not to exclude nonprofits. Civil penalties may also vary: Utah caps fines at $7,500 per violation, while Montana doesn’t specify a civil penalty amount in its statute. Timelines requirements for redress also diverge: Virginia provides 30-days’ notice for a controller to remedy a violation, whereas Connecticut currently has a 60-day right to cure that will sunset at the end of 2024. Finally, states are not consistent in the rights they offer consumers. Colorado, for example, bequeaths consumers with the right to access, delete, and correct their personal data or opt out of profiling. On the other hand, Iowa allows its citizens the right to access and delete, but it does not permit them to correct personal data or opt out of profiling. When some consumers are able to opt out of profiling based on the state they live in, and others aren’t, the datasets used for targeting algorithms or automatic decision-making systems could become skewed, which can have legal ramifications. A comprehensive federal approach to online privacy would make it easier for companies that conduct business across multiple states to know what their obligations are for compliance and providing remedies, and it would give consumers consistent rights regardless of where they live.
In addition, states have differed in their enforcement approaches. The majority of states with privacy laws do not allow a private right of action, which would allow individuals to directly sue violating companies. This limitation has been criticized as a failure by some, placing total responsibility for enforcement on government regulators that may be strapped for time and resources. Relying solely on state agencies could result in under-enforcement, whether due to capacity or agency capture. Advocates for a private right of action assert that allowing individuals to sue directly would hold companies more accountable. However, constraining the private right of action to avoid an overwhelming number of lawsuits or ballooning expenses is an important consideration. Moreover, most individuals will not have the resources to mount a complex lawsuit themselves even if they are afforded a cause of action.
For example, in New Hampshire’s efforts to pass a law on consumer privacy, legislators have debated whether a private right of action should apply against government entities and private companies alike. Those in favor of allowing individuals to directly sue private companies argue that the private sector’s practices are more egregious than those of state agencies when it comes to manipulating and selling data. But those who support a private right of action limited to only government entities only point out that legal costs are immense, and opening up the private sector to a new, vast body of potential lawsuits will balloon litigation costs. Discovery alone for such cases is likely hefty – “well into the six figures.”
Attempting to balance the considerations mentioned above, the federal American Data Privacy and Protection Act (ADPPA), currently stalled in Congress, would be a comprehensive federal policy that would allow individuals to sue companies directly, after first notifying the FTC and their state attorney general to allow them a chance to intervene. Providing a standardized process for redress at the federal level could make litigation more predictable than the current state-by-state frameworks.
Nevertheless, and despite the drawbacks of the state-by-state approach, there is no consensus that the current federal proposals are preferable. One of the main critiques of the ADPPA relates to its preemption provision. With only a few exceptions for general consumer protection laws, ADPPA’s preemption provision would have overridden the privacy measures states have already enacted. Opposing this construction, the Electronic Frontier Foundation (“EFF”) has asserted that federal privacy law should act as the floor, not the ceiling, for consumer data protection. Compared to Congress, states have been more nimble in addressing their constituents’ needs and in implementing provisions to address specific nuances, such as biometric data and the role of data brokers. Additionally, strong statutes in one state can often serve as an impetus for other states to adopt similar measures; in this way, states are able to act as laboratories for policy and tinker with approaches without affecting the rest of the country. States may also act as a bulwark against industry capture, thanks to the diversity of perspectives they represent, whereas relying on one federal law and agency could temper enforcement depending on the partisan alignment of administrations. Thus, allowing states to continue innovating above a federal baseline would give states the latitude to react to concerns most relevant to their industries and citizens.
Thus, the best approach may be to establish a strong federal baseline that allows lawsuits in both federal and state court. Allowing states to play an active role in enforcing a comprehensive federal law would improve privacy enforcement overall by broadening the avenues for redress and expanding the resources available to consumers.