Last year saw continued movement toward the implementation of federal data privacy legislation. In July, the American Data Privacy and Protection Act (ADPPA) became the first online data privacy bill to pass committee as the House Energy and Commerce Committee approved it with near unanimous support. The bill approached data privacy from the perspective of data minimization, permitting those companies to which the law would apply to collect data only for specified purposes (one of the specified purposes is for targeted advertising, which could lead to opposition down the road as many data privacy advocates prefer to have this practice banned outright).
Federal Status of Data Privacy Legislation
Legislators from both parties compromised on several issues under the bill that have derailed previous efforts at federal data privacy legislation, namely whether the law should preempt state law (the law would preempt state law with a number of exceptions) and whether the law should allow for a private right of action (the law would allow for a private right of action two years after taking effect). However, because preemption remains a sticking point with key participants, no action was taken on the ADPPA by the adjournment of the 117th Congress on January 3, 2023, and it will be up to the new Congress to move the bill forward.
In addition, in August, with the prospects of the passage of the ADPPA lessening, the Federal Trade Commission (FTC) issued an Advance Notice of Proposed Rulemaking seeking public comment on the prevalence of commercial surveillance and data security practices that harm consumers. Specifically, the FTC invited comment on whether it should implement new rules covering the ways businesses collect, hold and use consumer data. It is expected to take months for the FTC to sort through the comments received. Even if the FTC does ultimately decide to move forward with the next step in its rulemaking authority to create data privacy rules, it will likely take several years for final rules to be implemented.
State Status of Data Privacy Legislation
Though there has been some movement toward federal data privacy legislation, data privacy legislation in the U.S. continues from the various states. Momentum for state privacy laws is at an all-time high. In fact, in 2022, over half of the states introduced comprehensive privacy bills and five states passed comprehensive privacy laws to go into effect in 2023.
Two of the laws went into effect on January 1, 2023: the California Privacy Rights Act, which amends the original California Consumer Privacy Act, and the Virginia Consumer Data Protection Act.
Other data privacy legislation will go into effect later this year:
- The Colorado Privacy Act will take effect on July 1, 2023;
- The Connecticut Data Privacy Act will also become effective July 1, 2023; and
- The Utah Consumer Privacy Act will go into effect on Dec. 31, 2023.
Several states have already introduced new privacy bills in 2023, including Oregon, New York, Indiana, Hawaii, Massachusetts and Tennessee.
Even though many of the state laws have similarities and follow the consumer consent-based structure of the EU’s General Data Protection Regulation (GDPR) (in fact, many of the state laws becoming effective in 2023 use terminology found in the GDPR), because of the continuing challenges involved in passing a federal data privacy law, U.S. businesses are faced with having to navigate the privacy requirements of many states. It would not be surprising if businesses must soon maneuver through a privacy landscape involving different laws from nearly all fifty states.
The Information Technology and Innovation Foundation estimates that the annual cost to U.S. businesses to comply with out-of-state data privacy requirements in all fifty states would be around $100 billion. It also estimates that U.S. small businesses would bear a significant portion of this amount ($20 – $23 billion). Given the huge financial cost to U.S. businesses and the potential confusion to consumers created by differing data privacy rights from state to state, perhaps soon Congress will be compelled to enact comprehensive data privacy legislation that preempts state law.
Tom Sowers approaches legal issues from a businessperson’s perspective. A Shareholder at Berman Fink Van Horn, Tom’s practice focuses on representing businesses and their owners in a wide range of transactional matters and legal issues.