There’s been some movement in state and federal data privacy laws in the United States. Here are three things to know about the regulatory landscape in 2023:
1. More states are introducing data privacy laws
The International Association of Privacy Professionals (IAPP) says state-level momentum for comprehensive privacy bills is at an all-time high.
The California Privacy Rights Act (CPRA) became fully effective on January 1, 2023. This Act amends the pioneering California Consumer Privacy Act, which has been around since 2020.
Also on January 1, 2023, the Virginia Consumer Data Protection Act came into effect, while the Colorado Privacy Act and the Connecticut Personal Data Privacy and Online Monitoring Act both take effect on July 1 this year.
Utah will join the states leading the way on data privacy when the Utah Consumer Privacy Act takes effect on December 31, 2023.
Follow the tracker for a clear picture of the current state of play:
We believe one reason for increased state momentum is probably the stalling on a federal data privacy law (see point 3). Some states have no doubt realized that their citizens can’t wait any longer. And that leads us to point 2 …
2. Protecting privacy through law is a growing priority for Americans
We’ll let the IAPP’s infographic speak for itself:
Consumers globally have been growing louder in their demands for data privacy for some time.
In 2020 we reported:
- High profile, significant, and regular data breaches have spooked consumers.
- Consumers generally get that they have to trade certain personal information for services, but are now warier of sharing their personal data.
- Consumers want to control their own data and will act to do so if they can.
- Levels of consumer trust in brands are generally low.
- Consumers will abandon brands or delay purchases where they perceive a risk to their personal data.
- The regulatory screws are tightening to protect consumers.
Indeed, privacy is proving to be the defining issue of this decade, as we predicted it would be. So it’s good news that …
3. A federal data privacy law is (finally) looking more likely
The US is one of the few major global economies without strong national privacy laws akin to the GDPR.
While hopes for a federal data privacy law in the US have been raised and dashed many times over many years, the American Data Privacy and Protection Act has progressed further than any other attempt at a US federal data privacy bill and is looking increasingly likely to pass.
Two sticking points have been whether bills would pre-empt state law or enable enforcement of a private right of action. Democrats argue for a private right of action that will give consumers legal rights if government fails to enforce the federal law, while Republicans want a federal law to pre-empt state laws to end the patchwork of compliance obligations on business. A counterpoint on the Republicans’ pre-emption position is that some states with strong laws, such as California, may end up with weaker protections if a federal law pre-empts CPRA.
The ADPPA is a compromise position. It’s worth viewing the IAPP’s Federal Data Privacy Tracker to understand the details of ADPPA and each of the other privacy-related bills proposed in Congress to date.