When Virginia joined California as the second U.S. state to successfully enact privacy legislation, there was a sense that the dominoes were about to tumble. That is, states would quickly start to pass bills that looked more or less like the California Consumer Privacy Act until there were enough states passing laws it would push the federal government to act. Companies will only tolerate so much of a compliance burden, and hiring lawyers and consultants for guidance on different (even if similar) legislation across 50 states is expensive, time-consuming and a headache. Eventually, tech lobbyists would push Congress to give them one rule all across the board.
But what will always get in the way, whether we're talking about federal or state privacy bills, is whether they include a private right of action (PRA). While California's law does provide a private right of action, meaning consumers can sue in case of a breach, Virginia's law does not provide such relief.
In Florida, the private right of action was the bill's kiss of death. The House failed to pass the bill into law because its Senate companion bill did not contain a private right of action, and some lawmakers worried about passing a bill without that provision. But for the business community, the bill's failure was seen as a win. Companies dare not expose themselves to the kind of risk a PRA presents. For example, in California, companies can face fines of up to $7500 per violation. If millions of records have been breached, that's an extraordinary cost.
Florida need not feel lonely in its failure here, though. Washington and Oklahoma also couldn't negotiate a deal before their legislative sessions ended. The question now is whether states watching these showdowns over PRAs are going to figure out a way to bridge the divide between industry lobbyists and those pushing for consumer rights. There may be tactics learned in the states' negotiations, these "laboratories of democracy," that could prove helpful when Congress gets closer to passing a federal privacy bill.
For now, though, I thank Florida for letting my Dad and me visit Minnie, and I hope it has better luck on privacy legislation next time.
Enjoy reading, and I'll see you next week!
Florida’s push to pass a privacy bill fails
Florida’s push to pass privacy legislation stalled last week when a bipartisan bill died in the House as the state’s 60-day legislative session came to a close. HB 969 would have given consumers the right to opt-out of the sale or sharing of their personal information. It also would have allowed consumers to file a lawsuit against companies who sold or shared their data after they’d opted out or if their data was breached.
2. Lawmaker re-introduces federal privacy bill, hopes second time’s a charm
Sen. Jerry Moran, R-Kan., has reintroduced the Consumer Data Privacy and Security Act. The bill, which was first introduced in 2020 but failed to make it out of a Senate committee, would create rules for U.S. businesses that collect, process and use consumers’ personal data, the report states. The bill doesn’t yet have a companion in the House.
3. Chinese regulator gives 33 mobile apps 10 days to comply or face fines
Reuters reports that China’s internet watchdog found 33 mobile phone apps broke data privacy rules by collecting data without consent. The Cyberspace Administration of China said the apps also collected more data than necessary and didn’t delete it, as required by law. Now, the companies have 10 days to come into compliance or face fines, the report states.
4. What are my obligations under the California Privacy Rights Act?
While many companies are still working to meet their obligations under the California Consumer Privacy Act, the law that will replace it looms ahead. Effective January 1, 2023, the California Privacy Rights Act builds on the CCPA’s requirements by carving out obligations on sensitive data, requiring data protection impact assessments and allowing consumers to opt-out of having their data used for profiling. In this piece, we compare CCPA to CPRA in an easy-to-read chart.
5. Irish privacy regulator’s proposed WhatsApp fine too small, counterparts say
Several EU data protection authorities are pushing back against Irish Data Protection Commissioner Helen Dixon’s draft decision on WhatsApp, a messaging service that Facebook owns. Dixon planned to fine WhatsApp up to 50 million euros for breaching the EU’s General Data Protection Regulation. But Dixon’s counterparts feel the fine is too small. Now, the commissioner’s office has triggered Article 65 of the GDPR, the “dispute resolution mechanism.”
6. Number of users blocking ads on mobile devices ‘surging’
The number of online users blocking ads is surging. While ad blocking on personal computers has remained level, a recent study indicates the number of people blocking ads on mobile devices has doubled in the last five years. In PageFair’s Adblock report, 58% of U.S. respondents said they’d blocked ads for privacy reasons, CNET reports.