Will the US Congress Actually Pass a Law That Will Make Life Easier for Businesses?

April 18, 2024


Is it actually possible that the United States Congress is on its way to enacting legislation that will potentially make regulatory compliance easier for businesses? Over the last half-a-dozen years, while the EU has enacted unified consumer data privacy and security laws, such as the General Data Protection Regulation (the GDPR), the United States federal government has been legislatively silent. The United States remains one of the only industrialized nations without a comprehensive national consumer data privacy and security law.

State Privacy Laws

To fill the void resulting from federal inertia, numerous states, starting with California in 2018, began enacting their own consumer privacy laws. This has introduced a hodge-podge of regulations that covered entities doing business in a specific state have to follow. Currently, as KJK has been chronicling for you, the following states have adopted their own state privacy regulations: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia. These state laws each have specific rules on who they apply to, what data is considered personal, what data can be collected, what data is deemed sensitive, and how data can be used. Some specifically allow consumers to correct perceived errors; others allow consumers to sue for a violation. Individual state regulators are beginning to issue enforcement advisories and actions under these laws, further delineating the scope and detail of each state’s privacy law requirements. Additionally, despite having no national legislation, federal agencies are considering rulemaking for privacy issues, such as the Federal Trade Commission (“FTC”) starting the rulemaking process on commercial surveillance and data security.

The current situation means that covered companies doing business in multiple states must specifically conform to the requirements of all of those states (perhaps by following the most restrictive state regulation for each type of policy) and follow regulatory rulings that may be contradictory. Further, states are by no means finished. Kentucky Governor Andy Beshear signed a new consumer data privacy law on April 4, 2024. Maryland is fairly far along in the consideration of its own version of consumer data privacy legislation, and numerous other states are working on their own state-specific legislation.

The American Privacy Rights Act

But wait – is there actually some light at the end of this federal tunnel? This month, bipartisan leadership of the House and Senate Commerce Committees (Rep. Cathy McMorris Rodgers, R-Wash., and Sen. Maria Cantwell, D-Wash.) introduced a discussion draft of a national consumer privacy protection law – the American Privacy Rights Act. The intent of the law is to replace the various state laws with one comprehensive federal standard to make it easier for covered companies to know, understand, and follow the privacy regulations applicable to consumers.

Proposed Federal Legislation

This proposed new law specifically preempts all state laws covering the same areas and, among other things:

  • Defines what legal entities are required to comply.
  • Sets data security standards.
  • Bans the transfer of consumers' sensitive data to third parties.
  • Limits the data that an entity can collect.
  • Describes what data the entity can keep.
  • Requires companies to disclose if data is sent through, stored or processed in certain locations (like China).
  • Provides consumers the right to stop the transfer of their data.
  • Provides consumers the right to opt out of targeted advertising.
  • Provides consumers the ability to see, collect, delete and transfer their own data collected by a covered entity.

The legislation also contains a proscription of using data in a discriminatory manner. In a provision that has not garnered much attention, but could have a huge impact on how your company does business, the law would give consumers the right to opt out of the use of algorithms that make decisions relating to employment, housing, healthcare, credit, education, etc.

Enforcement and Implications

Enforcement would be done through a new Bureau of the FTC, and the current FTC rulemaking discussed above would cease. Enforcement could also be accomplished both by state attorneys general and through a private right of action given to consumers. Consumers would have the right to seek actual damages, injunctive relief, declaratory relief, and attorney fees and costs. Importantly, covered company executives would be individually liable for violations. And interestingly, it appears that some state privacy regulations – though limited to actions relating solely to that state – are specifically included in the legislation (Illinois biometric and genetic data violations and California data breach damages).

Currently this is just a discussion draft – which means that it has not been introduced as formal legislation. But hopefully this is the first step in the long-awaited process of the federal government implementing a singular privacy policy allowing consumers and businesses to better understand both their rights and their obligations.

This legislation has a very long way to go – especially with Congresswoman McMorris Rodgers announcing that she will not run for reelection this year. KJK will continue to monitor the progress of this proposed legislation and to assist our clients with their privacy law compliance obligations.