Most Americans are not only concerned about how organizations use the data they collect but are also uneasy over how entities protect their data. Although the federal government has laws addressing privacy, those statutes regulate federal government data collection and use; importantly, they do not include rules concerning the collection or use of data in the private sector.
The U.S. government’s approach in the privacy arena further contrasts with the European Union’s omnibus approach, where the latter has developed the comprehensive General Data Protection Regulation to provide individual control and rights over personal data. The federal government’s sectoral approach only targets specific areas of society. For example:
- The Privacy Act of 1974 addresses personally identifiable information collected by federal agencies;
- The Health Insurance Portability and Accountability Act regulates the disclosure of patient healthcare information;
- The Gramm-Leach-Bliley Act includes a provision regulating information collected by financial institutions from consumers and outlines protocols when such information is breached; and
- The Children’s Online Privacy Protection Act regulates the online collection of personal information from children under thirteen years old.
In contrast to the federal government’s sectoral approach, states have begun pursuing an omnibus approach to privacy to fill the privacy gap. Propelled by constituents’ concerns that their data is being collected without proper protections regardless of industry or sector, states are moving toward a universal privacy regime as opposed to a fragmented system focused on discrete subject matter. This shift mirrors the one occurring in Europe that, in turn, is propelling similar bills in Congress. Now that the United States and the European Commission recently announced that they have agreed in principle on the Trans-Atlantic Data Privacy Framework, Congress will likely be closely examining how state initiatives unfold as it drafts its own federal legislation.
Thus far, only five states have enacted comprehensive data privacy statutes: California’s Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA); Colorado’s Privacy Act; Connecticut’s Data Privacy Act; Utah’s Consumer Privacy Act; and Virginia’s Consumer Data Protection Act. Each of these five states shares basic core rights: to access personal information, to correct inaccurate information, to delete information, to limit use of data for profiling or targeted advertising, to data portability, and to opt out of the sale of personal information. Two of the main differences are that Utah does not include a right to correct inaccurate information and that only California permits a private right to action (albeit one limited to a breach of specific personal information, such as social security numbers, government identification numbers, financial account access information, medical or insurance information, biometric and genetic data, or email access information). In addition to these states, a handful of states have one or more bills in committee.
Other states have privacy laws that focus on a subset of data privacy, such as biometric privacy. Biometric data includes measurements of physical characteristics, such as fingerprints, voice patterns, facial geometry, and eye measurements. One of the most well-known biometric privacy laws is Illinois’s Biometric Information Privacy Act (“BIPA”), which includes a private right to action (permitting individuals, rather than an attorney general or government agencies, to remedy breaches on their own) and has resulted in an explosion of BIPA lawsuits.
On the state level, debates between business and consumer advocates have coalesced over whether to include a private right to action and, if so, how expansive the right should be. This issue has hindered further states’ development of comprehensive privacy statutes. On one hand, businesses argue that data transfers are a standard part of operating a business, and a private right to action will lead to a flood of frivolous individual or class action litigation. In turn, increased litigation costs will hamper business resources and health—as well as chill innovation nation-wide. On the other hand, consumer advocates argue that individuals are in the best position to vindicate their rights, especially where a burdened government agency cannot or will not. Further, the threat of private actions would encourage businesses to comply with their legal obligations. Individual action would also allow for government agencies to spend resources addressing widespread violations or violations against vulnerable populations. In the end, the path through this standoff may require compromise through a limited private right to action.
On the federal level, proposed legislation faces an additional hurdle: whether a federal law should preempt state laws and, if so, to what extent. Businesses argue that a federal statute must include a preemption provision. Businesses hope a preemption provision will shield them from defending data privacy lawsuits under fifty different state laws and a federal law. Data holders argue that being subject to a patchwork of different laws across a medium untethered to political boundaries would not only be expensive but also result in a fractured Internet with radically different privacy regimes based on mere location. Although consumer advocates would likely agree to a preemption provision if the federal law were comprehensive, they balk at the prospect of a weak federal law that would preempt stronger—and hard-fought—state laws that already provide comprehensive rights and remedies.
Several pieces of proposed legislation have been introduced or exist in draft form, such as the House’s recent draft American Data Privacy and Protection Act. The draft act could be enforced by the Federal Trade Commission, state attorneys general, and private individuals—which contrasts with the majority of states that have declined to provide a private right of action. The draft also contains a preemption provision over similar state laws—except Illinois’s BIPA and Genetic Information Privacy Act as well as the CCPA. This draft bill has the potential to stagnate given congressional polarization, the lack of widespread state bills to give insight into long-term effects, the private right to action provision, and the notable exceptions to preemption. In particular, the California Privacy Protection Agency—the state agency that regulates the CCPA—has loudly protested this federal bill. It opposes preemption and limitations on further state privacy regulation. In essence, California raises a concern echoed by consumer groups: a federal bill should not undo the states’ past privacy achievements or hinder future advances.
Overall, several states have designed their own data privacy laws while others remain in the drafting process. Congress has watched these developments but has struggled to advance its own bills. As seen in the last few years, bills will continue to be introduced but ultimate success will require governments to overcome private right to action and preemption questions. Although congressional deadlock has hindered successful federal legislation, the United States will ultimately need to act to catch up with data privacy standards elsewhere or else face the economic consequences of an out-of-date privacy regime.

