California’s new consumer privacy act likely to remain only comprehensive US privacy law

California’s new consumer privacy act is likely to remain the only comprehensive privacy law in the US for a while.

Washington state legislators this week failed to pass their own sweeping data privacy bill, for the second year in a row, bringing into sharp relief one of the most difficult challenges in enacting privacy legislation: agreeing on who should enforce it.

The Washington Privacy Act was among the most highly anticipated privacy measures introduced this year. Like the California Consumer Privacy Act, Washington state’s proposal established consumer rights for access to and correction and deletion of data. It also gave residents the right to opt out of data-processing and the right to data portability, creating rights for state residents not available elsewhere.

More than a dozen states have also introduced their own comprehensive privacy bills this year modeled, to varying degrees, after the CCPA and Europe’s General Data Protection Regulation.

But no state proposal so far has had the momentum of the proposed WPA. Although public hearings have been held on privacy bills in Connecticut, Maryland, New York, New Hampshire and Wisconsin, most remain in the chamber of the legislature where they were introduced.

Several state bills have already been tabled, held for further study or withdrawn, including proposals in Virginia, Rhode Island, New Jersey, Maryland and Mississippi.

In Washington state, lawmakers were once again unable to reach an agreement about who should enforce their proposal: the attorney general or consumers empowered with the right to sue companies over violations.

The proposed WPA had strong support and momentum after it was introduced by Senator Reuven Carlyle, a Democrat from Seattle, in February, without a private right of action. The WPA passed the state Senate in February with almost unanimous support. Soon after, it passed the state House of Representative.

But House members included an amendment giving residents the right to sue under the state’s consumer protection law. Senators refused to accept the change, and while both sides tried to work out a compromise in a conference committee, they couldn't, lawmakers announced Thursday.

The same dispute had doomed similar legislation introduced by Carlyle last year.

The same disagreement over granting consumers the right to sue over alleged violations continues to divide lawmakers in the US Congress attempting to draft federal privacy legislation, along the usual party lines, with Democrats largely in favor and Republicans against it.

Republican Senator Jerry Moran of Kansas and Democratic Senator Richard Blumenthal of Connecticut worked for nearly two years to find common ground on a nationwide comprehensive privacy law. But Moran introduced his own bill this week after they couldn't come to an agreement over whether to include a private right of action.

Moran’s bill would preempt state laws like the CCPA and doesn't include a private right of action. It would give state attorneys general the authority to bring civil actions on behalf of their residents.

With no likely compromise expected in Congress anytime soon, and with Washington state’s privacy bill dead, the CCPA appears likely to remain the only comprehensive law regulating consumer privacy in the US.