We’re witnessing a period of unprecedented progress in data privacy legislation, both within and outside the United States. Since the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act 2018 (CCPA) put significant stakes in the ground, more jurisdictions have moved to enact stricter data privacy regulations and tougher penalties.
Privacy laws are essential for many reasons, not least because, in an increasingly digitized world, businesses must be better stewards of vast volumes of users’ personally identifiable information, both to uphold the fundamental human right to privacy and to protect users from harm.
The march to stronger and more comprehensive data privacy protections has been slow and checkered, particularly in the US, where our lack of a federal privacy law puts us behind the EU and some other countries. California has led the way with the CCPA, and now its successor, the California Privacy Rights Act 2020, goes further. But generally, real widespread change, including the enactment of a federal US privacy law, has been frustrated by debate over details. Happily, we’re expecting some significant moves at the state level in 2021.
On March 2, 2021, Virginia signed its data privacy legislation into law, making it the second US state with a comprehensive consumer privacy law. The new Consumer Data Protection Act applies to businesses that control or process personal data of at least 100,000 consumers, and to businesses that control or process personal data of at least 25,000 consumers and derive over half their gross revenue from selling personal data.
Now we’re watching four more states with great interest.
Four more US states are set to enact state privacy legislation this year
Many states are modeling their own comprehensive data privacy bills on the CCPA, with provisions to protect consumer rights and oblige businesses to better manage customer data. According to the IAPP, 13 states have active bills, and four look likely to enact their privacy legislation in 2021.
- New York – This state has two bills on the table. The New York Privacy Act is nearly the same as the CCPA but also gives consumers who suffer an injury the right to recover statutory damages and any individual who has their privacy violated the right to file a civil suit. The Right to Know Act would restrict businesses from disclosing personal information and require those that collect consumers’ data to reveal what information they disclose to third parties.
- Washington – The proposed Washington Privacy Act allows consumers to access, delete and correct their personal data and to opt out of having a company sell their data for advertising purposes. It covers companies in Washington that process the data of at least 100,000 consumers a year and those that generate more than a quarter of their revenue from processing data and process the data of at least 25,000 consumers.
- Oklahoma – The slated Oklahoma Computer Data Privacy Act applies to businesses with $10 million in annual revenue that buy, sell, receive or share for commercial purposes the personal information of 50,000 or more consumers, households or devices. It also applies to businesses that derive a quarter or more of their annual revenue from selling consumers’ personal information. Under the proposed law, consumers will be able to ask businesses what information they have about them and to delete their information. Businesses would have to allow consumers to opt in or out of the sale of their personal data and to prohibit the retention of that data.
If successful in enacting their proposed laws, these five states would join California, Maine (considered one of the nation’s strictest regimes) and Nevada in having comprehensive state privacy regulations.
This progress is both important at the state level and a positive indication of real progress at the federal level. And while not all the proposed bills will become law, they are a useful barometer of where privacy law in the US might be headed.
Canada aims to have the strictest data protection laws in the world
Late in 2020, Canada announced it would be modernizing its federal private sector privacy legislation and backing it up with steep fines for non-compliance. Companies outside Canada that deal with Canadian consumers will need to comply with the new laws if passed.
Canada is taking a two-step approach: amending and renaming the Personal Information and Electronic Documents Act 2001 (PIEDA) to create the Consumer Privacy Protection Act and establishing a specialized privacy and data protection tribunal through the Personal Information and Data Protection Tribunal Act.
In announcing these changes, our northern neighbor made it clear their new privacy law would be stronger than the CCPA and one of the strictest data privacy regimes in the world. Some commentators see Canada’s move as “a bold first step towards reasserting its position as a global leader in privacy protection.”
What regulatory progress means for business
Business is largely advocating for a federal privacy law in the US, rather than the patchwork of state regulations, to simplify compliance obligations. While negotiations are bogged down, there are two bills on the table that commentators think will help shape a future national law: the Consumer Online Privacy Rights Act (COPRA) and the Safe Data Act. It will be interesting to watch what happens next, but commentators hope such strong pushes from so many states will serve as a positive prod for Congress.