US state privacy proposals largely follow California, Washington examples

02 Mar 2021 12:00 am by Amy Miller


At least 18 US state legislatures have proposed comprehensive consumer privacy bills this year giving their residents more control over their personal online information.

Virginia sent a consumer privacy bill to the governor’s desk last month, where it’s now awaiting approval. Meanwhile, similar bills are moving forward quickly in Utah and Oklahoma. Proposals in Florida and New York have the backing of their state governors, a Republican and a Democrat, respectively.

While the state proposals give residents many of the same new rights over their online data, there are enough differences to worry business groups, who’ve testified at state legislatures across the country, warning that a confusing, profit-depleting patchwork of state privacy laws will become reality if the proposals become law and Congress fails to act.

But the various privacy proposals also make clear that the outlines of that regulatory quilt have been drawn already, largely by two states: California and Washington.

— New rights for residents —

A little more than half of the state proposals are modeled in some form after the California Consumer Privacy Act and its follow-on legislation, the California Privacy Rights Act, including bills introduced in Alabama, Florida, Kentucky, Minnesota, and Illinois.

Other states, including Connecticut, Maryland, Virginia, and Utah, are following legislators in Washington state, who are trying for the third straight year to pass the Washington Privacy Act (WPA). New York and Minnesota are considering both styles of privacy bill.

All the state proposals attempt to follow the EU's General Data Protection Regulation (GDPR) by requiring businesses to tell consumers what categories of data they are collecting and why. Under the proposals, businesses must also disclose, before collection, whether that data will be shared with or sold to third parties, and they are required to adopt comprehensive security practices.

They also give residents new rights to access, correct, and delete their online data, and let them opt out of third-party data sales.

Oklahoma state legislators are going a step further and considering a bill that would require opt-in consent before certain companies can collect and sell online data, the first proposal of its kind in the US, its co-sponsor said. That bill was sent to the House floor for consideration this week.

— Key differences —

But there are also key differences, most notably in enforcement. Bills modeled more closely after the CCPA often contain provisions that let consumers sue for damages over alleged violations, including proposals in Illinois, Minnesota, and New York. California residents can only sue under the CCPA if their personal information was not stored securely and was compromised in a data breach.

Republican lawmakers haven’t typically backed giving consumers the right to sue. But Florida’s proposal, introduced by a Republican state legislator and backed by Republican Governor Ron DeSantis, is modeled closely after the CCPA and would allow a limited private right of action for data breaches, just like the CCPA. That bill has been sent to multiple committees for consideration.

Business groups, however, have strongly opposed any private right of action. Oklahoma’s bill has bipartisan support, and as originally written it would have given residents the right to sue for injunctive relief, actual damages, and statutory damages of up to $7,500 for any intentional violation, a remedy even broader than the CCPA’s private right of action. That provision was removed in the latest amended version.

Proposals modeled after the WPA, which has the backing of Microsoft and Amazon, don’t give consumers the right to sue, which some argue makes them too business-friendly. Debates over the lack of a private right of action killed the proposed WPA twice before, and the latest version of the WPA is moving forward again, without one. This year, there's a competing consumer privacy bill in the Washington legislature that does include a private right of action.

Similar concerns have been raised about Virginia’s privacy proposal, which is modeled closely after the WPA and also lacks a private right of action. But unlike the WPA, the Virginia proposal has sailed through the legislature with broad support.

The scope of the Washington-style bills is also narrower than CCPA-style proposals. They typically apply to businesses that control or process personal data for at least 100,000 residents, or that make more than 50 percent of their gross revenue from the sale of personal data and control or process personal data for at least 25,000 consumers.

Bills more like the CCPA are broader and would apply to companies with annual gross revenues above a threshold that, depending on the bill, ranges from $25 million to $50 million; or that annually buy or sell the personal information of 50,000 or more consumers; or that make 50 percent or more of their annual revenue from selling personal information.

Oklahoma’s proposal has one of the broadest proposed scopes, with a revenue threshold of only $10 million.

— Risk assessments —

Unlike the CCPA-style proposals, bills styled after the WPA also require companies to conduct data protection risk assessments, and, much like the GDPR, they define distinct duties for “controllers” and “processors.”

These bills assign new obligations to controllers and processors such as transparency, purpose limitation, data minimization and data-security requirements.

Despite growing hopes, and fears, that Virginia and other states will join California in passing privacy legislation, there are already notable disappointments and reminders of how hard it can be to pass a privacy law of any kind.

Privacy proposals in North Dakota and Mississippi were both killed in committee in February. And, as Oklahoma legislators have already shown this year, bills that are moving forward can still be amended in ways that gut key provisions.

Meanwhile, privacy groups are still calling on Virginia Governor Ralph Northam to veto the Virginia Consumer Data Protection Act because it’s too business friendly, or add a reenactment clause and send the bill back to the legislature to try again.
