The State-by-State of Data Privacy Laws

 Privacy Plus+

Privacy, Technology and Perspective

The State-by-State of Data Privacy Laws:  This week, let’s provide an overview of the problems associated with the growing landscape of state data privacy laws (and suggest a possible solution).

Background:

Let’s set the stage point-by-point:

Worldwide: Almost every developed country, except the United States, has a data privacy law. But privacy means more than data privacy.  It encompasses freedom, autonomy, respect for others, and limits on government.

The European Union recognizes both this right to privacy and a right to data protection.  Its General Data Protection Regulation (“GDPR”) is the most robust data protection law, and it recognizes that the protection of personal data is a fundamental right of individuals (not just consumers).  Many friendly countries deemed “adequate” in their protections by the EU have adopted variations of the European concept of privacy, and its GDPR. 

On the other extreme, authoritarian regimes, like Russia and China, pay lip service to privacy by enacting laws that use that word.  However, in substance, their laws grant the governments sweeping rights to access personal data and proprietary information, and constrain the movement of that data by imposing localization requirements.  Those regimes view personal data as a valuable national asset and use it to build dossiers of personal data under the auspices of national security, using them for surveillance and other often malign purposes.

In the United States: There is no express constitutional right to privacy or the protection of personal data, no comprehensive federal privacy law, and no single federal law that regulates the protection of personal data. For this reason (and because of the government’s own use of such data), the United States has not received such an “adequacy” determination by the EU and is deemed “inadequate” in its protections.

Meanwhile, at the state level:  Some states expressly recognize a right to privacy in their state constitutions, but no state expressly recognizes a constitutional right to the protection of personal data. California adopted the first so-called “comprehensive” state privacy law, the California Consumer Privacy Act (CCPA), in 2018. The law was the consequence of a ballot initiative and was passed quickly to prevent California from passing a more stringent privacy initiative via ballot. It went into effect in January 2020, and enforcement officially began in July 2020.  Since then, it has been amended.

Additionally, there has been a recent onslaught of supposedly “comprehensive” state privacy laws (Colorado, Connecticut, Iowa, Indiana, Montana, Tennessee, Utah and Virginia, with Texas soon to come, and with Florida and some others considering more limited or focused versions).  Though many characterize data privacy as a bipartisan issue, the laws differ substantially between red and blue states; but regardless, we view them all as focused entirely on essentially limited – if not downright illusory – data privacy protections.

Some Issues with State Data Privacy Laws:

It can be easily argued that the new state data privacy laws are providing mostly pretextual data privacy protections.  Here is what we mean:

• Unregulated entities. The new “comprehensive” state laws aren’t really comprehensive. They apply to some businesses, but exempt others, along with state agencies, political subdivisions, and nonprofit organizations. The laws don’t directly cover data brokerages, actors in the AdTech industry, AI businesses that have scraped data from the Internet, the U.S. surveillance apparatus, or even the very politicians who are required to fix the problems, but whose own campaigns leverage the lack of regulation to constantly text, email and call their constituents. When the laws place obligations only on companies that have a direct relationship with consumers, are the worst privacy abusers regulated?

• Notice and consent are impractical paradigms. The state laws all focus on consumer notice and consent. Under the notice and consent model, a person ostensibly reads privacy notices posted on the websites they visit and consents to the collection and processing of their data at the very beginning. The data then flows to the company hosting the website, and down its supply chain and/or into the broader digital economy, guided (ideally) by the permissions set in the privacy notice. But no one reads privacy notices or consents to posted data privacy practices. (Who has time for that?) At best, everyone clicks through and hopes for the best. So how are notices helpful to anyone? And how is consent not illusory?

• “Privacy rights” aren’t helpful when you can’t meaningfully exercise them. The new state laws focus on residents in their roles as consumers, affording certain privacy rights (e.g., the right to correct, access, and delete personal data, as well as to opt out of sales, targeted advertising, and certain profiling activities). However, the laws all restrict the exercise of those rights by providing that consumers may only petition those companies with whom they have a direct relationship. Again, the laws don’t deal with the larger digital economy. They don’t allow for universal opt-outs, nor direct opt-outs of data broker databases. Instead, consumers carry the burden of discretely exercising their privacy rights—making their requests on a company-by-company, website-by-website, app-by-app basis. This is not only impractical, it’s impossible, isn’t it?

• Data privacy should implicate public policy, not contracts. The state laws all require covered private companies to contract in a certain way with their service providers. Where service providers and vendors are so integral to the delivery of digital services and products, however, shouldn’t they be required to comply with defined standards, at minimum with respect to data security, as well as to assume some of the risk associated with their products and services? We would like to see technologies developed in adherence to secure-by-design and secure-by-default principles. But contracts are simply agreements between private parties. Contracts aren’t suited to handle public policy issues, like privacy. Where personal data impacts people so profoundly, preserving privacy shouldn’t be left up to private promises – it shouldn’t be negotiable. Everyone should have to follow the law, regardless of what the contracts say, and failure to meet the legal obligations should result in proportionate consequences.

• What about the world of data already out there? The state laws all apply prospectively. They do nothing to correct harm from what has already happened and keeps happening every day. Everyone’s personal data is already being exploited. What is needed is a way to take back control of that data. For example, there is no centralized registry or universal opt-out for data brokers or AdTech participants. Avoiding their practices requires each person to employ technologies, engage expensive opt-out services (or try to decipher how to opt out of each data broker’s database), and otherwise navigate the complexities associated with an evolving landscape.

A Possible Solution:

We believe that we must come to a consensus on what fair data privacy practices are, so that consumers don’t have to guess and decipher complex notices. Further, everyone should be held to a standard commensurate with the sensitivity of the data they hold. Compliance with that standard should prioritize cybersecurity, fair and reasonably expected use of the data, and control by individuals of their data, and it should carry some independent assurance, not unlike what the Department of Defense has done with its Cybersecurity Maturity Model Certification 2.0 Program. Enforcement should be open to the public to ensure sufficient oversight, especially as technology evolves—advocacy groups, plaintiffs’ lawyers, and regulators should all participate in ensuring compliance.

We continue to believe that a kaleidoscope of varying regulations (enforced mostly by state attorneys general) is the worst of all possible worlds for both sides – privacy advocates and data-reliant enterprises alike. Meaningful data privacy legislation must bind all participants in the digital space—all individuals, companies, nonprofits, and the government. Moreover, data privacy should be easy to understand – not a costly compliance exercise for experts and expensive software.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
