As expected, the start of 2021 has seen unprecedented movement in the U.S. with 22 states introducing comprehensive privacy legislation and even more introducing specific-use legislation. To date, hundreds of privacy bills were introduced across the states; to give some perspective, more than 50 privacy bills were introduced in New York alone. Undoubtedly a hot topic, it seemed anyone with an idea for a privacy bill put it in writing and introduced it to their legislature.
Most state legislatures are still working their way through the bills, but even so there are trends emerging that can help us understand how privacy is shaping up in the U.S. For example, many bills extend the standard consumer privacy rights of access, deletion and correction; the opt-out model for the sale of personal information is also popular. And bills that do these things while protecting businesses from the private right to action seem to advance with much less fanfare — and opposition.
Virginia’s Consumer Data Protection Act
Virginia is the only state to pass a comprehensive privacy bill into law so far this year. Modeled after the proposed Washington Privacy Act, Virginia’s Consumer Data Protection Act gives consumers the right to access, correction, deletion, and portability and obligations for data processors are fairly straightforward. One unique element of CDPA among U.S. proposals is that it requires data protection assessments for certain processing activities, reminiscent of requirements under the EU General Data Protection Regulation.
While Virginia deserves credit for crossing the finish line first, its law is underwhelming in terms of privacy protections on the global stage. With its opt-out model for targeted advertising, selling personal information and profiling and its lack of a private right of action, it lags behind many omnibus privacy and data protection laws.
Additionally, the scope of information covered by the law falls short of the standard fare. CPDA provides an exception for publicly available information that includes information for which organizations have a “reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.” This exception eliminates a huge amount of personal information from the law’s protections, and differs from CCPA, GDPR and Washington’s proposed bill.
With so many states introducing a hodgepodge of comprehensive legislation and legislation targeted at genetic data, biometric data, data breaches, etc., requirements are quickly becoming even more cumbersome for organizations to navigate. In terms of compliance, the only thing more confusing than a patchwork of comprehensive privacy legislation is a patchwork of comprehensive privacy legislation intertwined with targeted privacy legislation. If this quarter is any indication, this is what the U.S. has coming down the pike.
So, the big question is: Has the start of 2021 provided enough movement for Congress to seriously consider federal legislation? The answer is anyone’s guess. A number of bills have been introduced, and the most likely candidate seems to be the Information Transparency and Personal Data Control Act, introduced by U.S. Rep. Suzan DelBene, D-Wash., which has garnered attention for its approach and support. Backed by 100 centrist lawmakers via The New Democrats Coalition caucus and endorsed by the U.S. Chamber of Commerce, the bill would require companies to obtain consumer opt-in for selling or sharing sensitive information and would allow consumers to opt-out for non-sensitive information.
The bill would preempt state privacy laws (CCPA and CDPA) and does not include a private right of action. Originally introduced in 2019, the current version reflects changes made based on stakeholder feedback. For instance, it now has a broader definition of sensitive information and significantly increased resources for the FTC, which would be tasked with enforcement. The proposed 2021 bill would give the FTC 500 new full-time employees dedicated to privacy and security matters (with 50 having technology expertise) and would increase enforcement funding from $35 million in the 2019 version to $350 million.
While the bombardment of state privacy bills kept interested parties on their toes during the first quarter of 2021, there has also been movement in other interesting and important areas of privacy. Taking a quick look at the international privacy community, progress inches along in negotiations concerning an enhanced EU-U.S. Privacy Shield agreement with President Biden announcing on day one that Christopher Hoff would lead the Privacy Shield negotiations; the EU issued a draft decision on U.K. adequacy; and the EU ePrivacy Regulation is the closest it’s been to passing since its first draft was introduced in 2017.
With so much happening in the privacy space, it’s hard to keep track of it all. Here’s what we’ll be watching:
- Washington: The state is inches away from passing the Washington Privacy Act — but we’ve been here before. More than once.
- The U.K adequacy decision: Will it suffer a similar fate to that of the EU-U.S. Privacy Shield agreement due to the country’s appetite for surveillance?
- India: We’ve been hearing for months that their much-anticipated privacy bill will arrive any day.
- Enforcement on big tech: Big tech remains the focus of privacy advocates and regulators worldwide.
- U.S. federal law: Have we finally reached the tipping point where a federal law will happen?
About the Authors:
Emily Leach is the privacy content director at Ethos Privacy, overseeing framework analysis and creation for the company’s privacy program management technology. Emily has been working in data privacy for 14 years, spending 11 years at the IAPP as manager of its online resource center and editor of the Privacy Tracker, among other responsibilities. Emily holds both CIPP/US and CIPP/E certifications from the IAPP.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.