Anyone paying attention would tell you that U.S. states are suddenly in a hurry to pass data privacy laws. But Virginia looks like it's just straight peacocking. Its bill, The Consumer Data Protection Act, went from introduced to done deal in two months after it passed on Feb. 19. Now, the governor has until March 1 to sign or veto it. There's little doubt he'll sign. Meanwhile, the U.S. government has struggled to pass federal privacy legislation for years. It's clear that state governments are telling U.S. lawmakers, "If you're not going to do it, we'll do it ourselves."
Virginia joins California in a lonely winner's box of states that have figured out how to pass a comprehensive privacy law. Some say Virginia is the push the federal government needs. The tech companies, law firms and their clients will only tolerate a complicated and expensive compliance landscape for so long. It's far easier to comply with one standard than several.
Julian Flamant, a privacy attorney at Hogan Lovells, said the flurry of state bills is COVID-19 fallout; the pandemic put progress on a time-out. As we come out of the most dangerous of times, so do the proposals that waited their turn.
"Last year at this time, there were like 16 comprehensive bills, and they all just went on hiatus when COVID hit," he said. "Most of them had some substantive interruption in their legislative cycle, so all of those bills kind of just died. And this year, they're back."
Oklahoma, Hawaii, Minnesota, Connecticut and Florida are all considering proposals. But Washington and New York seem most likely to move after Virginia.
Here's some perspective on those proposals through both a "pro-business" and "privacy advocacy" lens.
Virginia's Consumer Data Protection Act (CDPA) would apply to businesses that "control or process data for at least 100,000 Virginians and commercial entities that make at least 50 percent of revenue from the sale and processing of at least 25,000 customers' personal data. It would allow Virginians the "right to know" which companies are collecting their data and to tell them they don't want that data used for targeted advertising, among other rights. Unlike California's privacy law, the bill does not allow consumers to sue over violations of the law. Instead, the state's attorney general has full enforcement authority.
"The CDPA contains new consumer rights that many U.S. businesses would have to consider for the first time," Flamant said. Specifically, the right to data correction and the requirement that businesses obtain opt-in consent to process sensitive data.
In California, under its latest privacy law, the California Privacy Rights Act, users can "opt-out" of sensitive data collection. There, Virginia's standard aligns more closely with the bill Washington is considering.
Stacey Gray, Senior Counsel at Future of Privacy Forum, said it's not so much the bill's content that's interesting. It's its flight path.
"The unique and interesting thing about Virginia is the speed and unanimity with which it's moving," Gray said.
But Joe Jerome, director of state advocacy at Common Sense Media, said that kind of speed is dangerous and risks the thoughtfulness required to pass a balanced law. He thinks the bill is too pro-industry, he's worried about the bill's provisions on permissible data uses for targeted advertising purposes and he thinks there are far too many exemptions for businesses.
Virginia's law, the CDPA, does not apply to government entities, non-profits, entities already governed in "regulated sectors" or publicly available data. The rub is the law's definition of publicly available data is pretty broad, and that's a concern to privacy advocates. If you make a law, but it only applies to a fraction of the players, does it truly protect the people?
"All the lawmakers are convinced the bill is great, for reasons both good and uninformed," Jerome said, just a day before the bill passed. "They have not been open to any comments or feedback from advocacy groups. And they've been very receptive to trade associations."
Jerome said the bill's provisions on when data can be sold for targeted advertising "could be narrowed in a way that's responsible and respectable to business. I think that's the biggest issue. The bill has so many exceptions."
Already, a multi-stakeholder group is assembling to propose amendments to the bill, and Jerome said he hopes the attorney general and the governor back "commonsense improvements" to the law before it comes into force two years from now.
It's that enforcement date Flamant is worried about. The California Privacy Rights Act, which replaces the California Consumer Privacy Act, becomes effective Jan. 1, 2023. If the Virginia bill passes as is, they share a birthday.
"In some ways, it's less about whether it's a good or bad bill; it's about whether businesses that will have to comply with that will be able to," he said. Any company doing business nationwide is on the hook.
Washington state has tried for three consecutive legislative sessions to pass something and failed. Now, Washington lawmakers are again considering a bill by Sen. Reuven Carlyle (D-Seattle). This time, pundits agree it's more likely to succeed because a new committee will review it. The Civil Rights and Judiciary Committee replaces the Innovation, Technology and Economic Development committee, which debated the failed Washington Privacy Act.
"It's a whole new cast of characters interested in hearing the bill," Jerome said.
Gray said she's 50/50 on whether the Washington bill survives. She said Washington's speaker of the house has indicated support to include a private right of action as a remedial course for alleged violations of the law. Often, it's that specific allowance that makes-or-breaks privacy bill negotiations. Companies do not want the law to include the right to get sued. And they've got a lot of money to put toward making sure it doesn't.
However, the most recently proposed Washington bill does include stronger enforcement from the state attorney general than its predecessors, which could help it pass, Gray said.
Flamant said it's important to note the WPA and Virginia treat sensitive data similarly. Under Virginia's bill, companies would have to get opt-in consent to use sensitive data. And that won't be easy breezy.
"And it's a pretty high consent standard," he said, referring to the bill's GDPR-like language requiring consent to be "freely given, unambiguous and explicit. So that's an example of something businesses are going to have to be thoughtful about. We're kind of moving to the highest common denominator."
The New York Privacy Act (NYPA) expired in the last legislative session. But when the state's 2021-22 legislative session opened on Jan. 6, several privacy bills were introduced. Many of them highly resemble the NYPA.
More importantly, at his recent State of the State Address, Gov. Cuomo announced plans for a privacy bill in his fiscal year budget. The governor's law would require companies to disclose data collection. It would also classify health, biometric and location data as "sensitive" and requiring certain protections. Also, a Consumer Data Privacy Bill of Rights would allow New Yorkers to access and control their data.
Gray said in announcing the bill as a priority, the governor "signaled to everybody in the New York legislature that the governor's office is very serious about passing privacy legislation."
It seems that's the bill to watch. As privacy attorney Jessica Lee said on Twitter, "The best chance at getting Cuomo to sign a bill is to make sure it's the one he proposed."
The obvious question is whether an influx of state privacy bills will push the federal government to move. Flamant thinks it's likely.
"So California has a law, Virginia has a law. If Washington passes a law, we could be at the threshold where lawmakers in congress realize intervention is required," he said. "The companies that have to comply with these laws would probably be more in favor of a privacy law."
Jerome is not convinced. He thinks lawmakers on both sides are struggling.
"A lot of these lawmakers are looking for a solution to be handed to them, and the reality is they're gonna have to make a decision. What interests do they want to serve?" he said. "At the end of the day, you cannot please everyone. Does this bill meaningfully improve privacy? And privacy for whom, and against what?"
It looks like that's for lawmakers to figure out. But the proverbial train has left the station.