Connect with us


With More States Passing Privacy Legislation, Pressure for Federal Preemption Law Grows

Emerging state-level privacy bills have common threads with existing ones in California, Colorado and Virginia.



Photo of Utah Gov. Spencer Cox from February 2018

WASHINGTON, March 30, 2022 – As the federal government has yet to set comprehensive privacy legislation, states going their own way are finding some success following the California, Colorado, and Virginia consumer protection models.

Despite repeated calls from experts to address concerns surrounding consumer protection laws related to privacy, Congress has still not passed any legislation that would set a single, federal standards that Big Tech companies would have to adhere to.

Laura Ripso Vandruff, a partner with Kelley Drye – a law firm that handles consumer class action defenses, real estate, and manufacturing law – said during an event hosted by his firm on Thursday that emerging state-level privacy bills have common threads with existing ones. The longer the federal government delays addressing privacy legislation, the greater the burden of compliance will be for companies.

California, Colorado, and Virginia have successfully implemented their own laws, Utah’s legislature has sent a bill to Republican Gov. Spencer Cox to sign into law, and Oklahoma’s congressional House voted overwhelmingly in favor of a privacy law that will now pass to the Senate.

Florida, Massachusetts, New York, and Connecticut are some of the states that are also working on bills to address consume privacy, though they have not gained as much momentum.

“The bills that are being introduced and that have some traction are not necessarily copycat bills, but they have many common elements [with California, Colorado, and Virginia’s laws],” Kelley Drye partner Laura Ripso Vandruff said. “Things like opt-in for processing of sensitive data, opt-out for targeted advertising, [and] sales profiling. So, new consumer rights for access, affordability, deletion, correction, exclusion, categories of data or even categories of entities,” Ripso Vandruff said. She also pointed to private right of action, meaning that private citizens could seek punitive damages to compensate them against companies that violated their privacy rights.

Paul Singer, also a partner with Kelley Drye, noted that the bills that attempt more original strategies experience less success when it comes time to vote on them. “I think we are seeing that the bills that that take some of these more unique approaches are the ones that tend to be kind of stalling out, whereas the ones that are following some of the similar trends that we saw in Virginia and Utah are the ones that seem to be moving.”

Patchwork of privacy legislation will be challenge

But Singer said the longer the federal government delays addressing privacy legislation, the greater the burden of compliance will be for companies.

“As more state laws pass, [the more you are] dealing with a patchwork [of laws],” Singer said. “Trying to figure out compliance among these laws is going to get increasingly challenging as you go from four laws, to 14, to 40.”

Status of state legislation in progress

The New York Privacy Act, which would impose a distinctive duty of loyalty and care on companies collecting consumer data and called for regular data protection assessments, at least annually, is stuck in committee. Though there is still time, as New York’s legislative session does not adjourn until June, the bill has made little progress; it failed to pass in the 2021 legislative session and was reintroduced in January of 2022.

Tennessee legislative session ended before it could pass its bill, which featured a unique “safe harbor” clause for entities in compliance with the  NIST Privacy Framework. This would protect entities that reasonably comply with the NIST framework, but this clause has specifically faced push-back from entities such as Commonsense Media, who have argued that the framework should not be viewed as an alternative to the privacy bill, as it does not provide enough guidance to companies on how to responsibly handle consumer data.

Florida’s House Bill 9 is not advancing at this time, though it did pass in the House on March 2. This delay is likely in part due to its broad private right of action rules that would give citizens wide-ranging opportunities to pursue damages – as opposed to California’s narrowly defined private right of action which only would allow its citizens to seek damages in the event of data breaches. Florida’s private right of action would allow consumers to file suit against companies for a few reasons, including not deleting consumers’ data upon request, sharing or selling consumers’ data after a consumer has opted out, or sharing or selling the data of a consumer who is less than 16 years old, without consent.

Though some bills have met resistance, Singer added that consumers should not be too discouraged by partisan politics. “Do not assume that privacy is a partisan issue,” he said, pointing to Utah’s bill as an example of bipartisan success. “The reality is, is that privacy and the issues underlying is both a very Republican and a very Democratic issue, but maybe for different reasons.”

Singer explained that Republicans are often more concerned about how mass data collection can be used to manipulate consumers, whereas Democrats are often specifically concerned about the potential damage mass data collection can have on young people.

“Ultimately, they are getting at some of the same underlying issues with two different objectives, perhaps that have a lot of overlap, and it is going to continue to be that way.”


Lawmakers, FCC Take More Action Against Illegal Robocallers

There are new proposed rules that offer legal protections to those aiding in enforcement efforts against illegal robocalls.



Rep. Bob Latta, the primary sponsor of the Robocall Trace Back Enhancement Act

WASHINGTON, April 27, 2022 – Regulators and legislators in Washington continued their efforts to curb unlawful telephony use with proposed rules designed to crack down robocalls.

On Wednesday, Rep. Bob Latta, R-Ohio, introduced the Robocall Trace Back Enhancement Act – an amendment to the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act.

If signed into law, the bill would provide legal immunity for a broad range of entities engaging in private efforts to track, surveil, and report on illegal robocalling scams.

The protected parties include registered consortiums that handle call receiving, sharing, and publishing and all voice service providers and any informants that share covered information.

It would also grant the Federal Communications Commission jurisdiction to take enforcement actions based on the information collected during the aforementioned activities.

FCC measures on cease-and-desist letters

In addition to this legislation, as part of her agenda to combat scam calls, on April 26 FCC Chairwoman Jessica Rosenworcel proposed closing a loophole to the STIR/SHAKEN regime afforded to small telcos.

Most telcos are required to adhere to cease-and-desist orders regarding illegal spam-calls and generally comply with actions taken by the FCC. The loophole in question gave smaller telcos greater latitude in how they chose to respond to FCC requests.

If adopted, the proposed regulation would require small telcos to abide by cease-and-desist orders, participate in robocall mitigation, cooperate with FCC enforcement, and take responsibility for facilitating illegal robocall traffic.

“International robocallers use these gateways to enter our phone networks and defraud American consumers,” Rosenworcel said in a statement, “We won’t allow them to bypass our laws and hide from enforcement.”

The new rule will be voted on at the FCC’s open meeting on May 19.

Continue Reading


Federal Privacy Legislation Needed As State Legislation Could Harm Smaller Players, Event Hears

Different state privacy laws stifle competition and places burdens on small companies, experts say.



Maneesha Mithal (far-left), Sara Collins (middle-left), Lartease Tiffith (middle-right), Brandon Pugh (far-right) on stage at "Beyond the Basics: The Many Pillars of a U.S. Privacy Law"

WASHINGTON, April 25, 2022 – While experts agreed that federal legislators need to take action on comprehensive privacy legislation, they disagreed on the specifics of how such regulation should be enforced.

Though some states have begun to establish their own frameworks for consumer privacy regulation, each framework puts forth different standards that online platforms would have to adhere to. These varied frameworks have raised concerns among many experts who consider a patchwork of legislation to raise the bar of compliance – a bar that could be lowered by federal legislation.

During an R Street panel on Monday, experts from the technology industry weighed in on the matter with their perspectives.

In March, Utah joined  California, Colorado, and Virginia and became the fourth state to successfully pass consumer privacy legislation. Several additional states, including Florida, Massachusetts, New York, and Connecticut have experienced mixed success with their bills and have not yet signed anything into law.

Lartease Tiffith, executive vice president for public policy at the Interactive Advertising Bureau, said that the US is an outlier among developed countries. “We are one of the few developed countries that [does not have a federal privacy law],” he said. “I think that in order to reflect the same common values as our colleagues who are in Europe and elsewhere around the world, we need [to make] one.”

Beyond the international perspective, Tiffith also emphasized domestic justifications for federal legislation. “I cannot think of a subject matter that is not more under the purview of Congress than interstate commerce,” he said. “The internet is everywhere – it is not limited by borders. So, we need to have one standard, one set of laws. It should not matter where you live – California, Utah, Virginia, Colorado – you should have the same basic privacy rights as anyone, anywhere.”

Various state legislation harder for smaller companies

Tiffith also explained that a patchwork of regulation would hit smaller businesses the hardest. “If you are a small or medium sized business and you are looking at investing more money into your products and service and delivering and reaching customers – you want to do that rather than spending time on hiring more lawyers to deal with ever complicating regulations.

“We need this for the next set of Amazons and Googles of the world to exists,” he said.

While the panelists were able to agree on the fact that current patchwork of laws is not sustainable, they did not agree on how to enforce a federal framework.

A federal body for consumer data protection

Sara Collins, senior policy counsel for internet advocacy group Public Knowledge, voiced benefits to creating a new data protection authority in the US – a body distinct from the Federal Trade Commission – that would focus expressly on matters related to consumer data protection.

Tiffith pushed back, however, arguing that the FTC already does a good job at handling these issues, and is only held back by what he views as under-resourcing. “If you compare the FTC to other protection authorities, they are very under-resourced,” he said. “So, I think instead of us standing up a whole new data protection authority, I think instead, let’s invest that money in the FTC, give them some rules, some limited rulemaking authority, and let’s give them a lot more staff and a lot more money.

“Let them be the cop on the beat,” he said.

Continue Reading


FCC Announces Majority of States Now Signed Onto Robocall Investigation Partnership

The FCC signed on five states this month and seven last month.



Illustration from C-Zentrix

WASHINGTON, April 7, 2022 – The Federal Communications Commission said Thursday it has partnered with further five more state attorneys general to combat illegal robocalls.

The agency said Thursday it had signed on Alaska, California, Tennessee, Pennsylvania and Washington state to investigate the robocalls, which can lead to scams. Thursday’s news comes on the heels of a March 28 announcement, when the agency said it signed similar memorandum of understanding with Connecticut, the District of Columbia, Idaho, Kentucky, Minnesota, New Jersey, and Wyoming.

Altogether, the agency, which announced the federal-state partnership effort in February, said it has signed on the majority of the United States.

“It shows that we are united when it comes to fighting robocalls—urban, rural, north, south, east, and west,” said FCC Chairwoman Jessica Rosenworcel. “Today I invite every state and U.S. territory to join this effort and establish information sharing and cooperation structures with the FCC so we can work together to investigate and put an end to spoofing and robocall scam campaigns.”

The agency, which has made fighting illegal robocalls a key mandate, has previously credited states with catching those that allow robocalls.

Earlier this month, the FCC credited the North Carolina Department of Justice in an investigation that identified thinQ Technologies as a “facilitator” of robocalls. The agency, which is working with the Traceback Consortium to identify the culprits, has already sent more than a dozen cease and desist letters to those it has identified in investigations.

Continue Reading


Signup for Broadband Breakfast

Get twice-weekly Breakfast Media news alerts.
* = required field