With More States Passing Privacy Legislation, Pressure for Federal Preemption Law Grows

WASHINGTON, March 30, 2022 – As the federal government has yet to set comprehensive privacy legislation, states going their own way are finding some success following the California, Colorado, and Virginia consumer protection models.

Despite repeated calls from experts to address concerns surrounding consumer protection laws related to privacy, Congress has still not passed any legislation that would set a single, federal standards that Big Tech companies would have to adhere to.

Laura Ripso Vandruff, a partner with Kelley Drye – a law firm that handles consumer class action defenses, real estate, and manufacturing law – said during an event hosted by his firm on Thursday that emerging state-level privacy bills have common threads with existing ones. The longer the federal government delays addressing privacy legislation, the greater the burden of compliance will be for companies.

California, Colorado, and Virginia have successfully implemented their own laws, Utah’s legislature has sent a bill to Republican Gov. Spencer Cox to sign into law, and Oklahoma’s congressional House voted overwhelmingly in favor of a privacy law that will now pass to the Senate.

Florida, Massachusetts, New York, and Connecticut are some of the states that are also working on bills to address consume privacy, though they have not gained as much momentum.

“The bills that are being introduced and that have some traction are not necessarily copycat bills, but they have many common elements [with California, Colorado, and Virginia’s laws],” Kelley Drye partner Laura Ripso Vandruff said. “Things like opt-in for processing of sensitive data, opt-out for targeted advertising, [and] sales profiling. So, new consumer rights for access, affordability, deletion, correction, exclusion, categories of data or even categories of entities,” Ripso Vandruff said. She also pointed to private right of action, meaning that private citizens could seek punitive damages to compensate them against companies that violated their privacy rights.

Paul Singer, also a partner with Kelley Drye, noted that the bills that attempt more original strategies experience less success when it comes time to vote on them. “I think we are seeing that the bills that that take some of these more unique approaches are the ones that tend to be kind of stalling out, whereas the ones that are following some of the similar trends that we saw in Virginia and Utah are the ones that seem to be moving.”

Patchwork of privacy legislation will be challenge

But Singer said the longer the federal government delays addressing privacy legislation, the greater the burden of compliance will be for companies.

“As more state laws pass, [the more you are] dealing with a patchwork [of laws],” Singer said. “Trying to figure out compliance among these laws is going to get increasingly challenging as you go from four laws, to 14, to 40.”

Status of state legislation in progress

The New York Privacy Act, which would impose a distinctive duty of loyalty and care on companies collecting consumer data and called for regular data protection assessments, at least annually, is stuck in committee. Though there is still time, as New York’s legislative session does not adjourn until June, the bill has made little progress; it failed to pass in the 2021 legislative session and was reintroduced in January of 2022.

Tennessee legislative session ended before it could pass its bill, which featured a unique “safe harbor” clause for entities in compliance with the  NIST Privacy Framework. This would protect entities that reasonably comply with the NIST framework, but this clause has specifically faced push-back from entities such as Commonsense Media, who have argued that the framework should not be viewed as an alternative to the privacy bill, as it does not provide enough guidance to companies on how to responsibly handle consumer data.

Florida’s House Bill 9 is not advancing at this time, though it did pass in the House on March 2. This delay is likely in part due to its broad private right of action rules that would give citizens wide-ranging opportunities to pursue damages – as opposed to California’s narrowly defined private right of action which only would allow its citizens to seek damages in the event of data breaches. Florida’s private right of action would allow consumers to file suit against companies for a few reasons, including not deleting consumers’ data upon request, sharing or selling consumers’ data after a consumer has opted out, or sharing or selling the data of a consumer who is less than 16 years old, without consent.

Though some bills have met resistance, Singer added that consumers should not be too discouraged by partisan politics. “Do not assume that privacy is a partisan issue,” he said, pointing to Utah’s bill as an example of bipartisan success. “The reality is, is that privacy and the issues underlying is both a very Republican and a very Democratic issue, but maybe for different reasons.”

Singer explained that Republicans are often more concerned about how mass data collection can be used to manipulate consumers, whereas Democrats are often specifically concerned about the potential damage mass data collection can have on young people.

“Ultimately, they are getting at some of the same underlying issues with two different objectives, perhaps that have a lot of overlap, and it is going to continue to be that way.”