US states introduce privacy proposals; debates over enforcement loom

Lawmakers in a least 10 states have introduced more than a dozen online privacy bills so far this year. But the state proposals could be undone by the same issue that’s stalled many privacy bills in recent years: whether to give consumers the right to sue for damages.

Washington state lawmakers are making their third attempt to pass comprehensive consumer-privacy legislation. Tech groups praised the latest proposal at the first public hearing last week.

The bill would give Washington residents the right to have companies delete or correct their personal data, and to opt out of data processing for some purposes, such as targeted advertising. There were also new provisions added in response to the Covid-19 pandemic.

The bill will help Washington “lead the way” on privacy protections for the entire country, said Molly Jones, vice president of government relations for the Washington Technology Industry Association

But there were familiar signs of trouble ahead at the Washington hearing. Like the previous two proposals, the latest version of the Washington Privacy Act would not give consumers the right to sue companies for damages. It would be up to the state attorney general to conduct investigations and impose penalties under the law.

Some like Jones said the bill, as written, provides strong enforcement and that it’s “important to underscore the delicate balance that has been struck in the enforcement language.”

But the Washington state attorney general, and advocacy groups such as the American Civil Liberties Union, pressed the bill’s primary sponsor, Senator Reuven Carlyle, to add a private right of action, something Carlyle has so far resisted.

The Washington Attorney General’s Office will “continue to advocate for a private right of action,” Legislative Director Yasmin Trudeau said, adding that the office is “encouraged by recent updates to the bill.”

Without adding a remedy for consumers, “those rights have no meaning,” said Larry Shannon of the Washington State Association for Justice.

Similar debates over enforcement are likely to play out in state legislatures across the country, where legislators have introduced a range of privacy bills aimed at protecting consumer data, and there’s a clear divide over enforcement.

Privacy bills proposed in Connecticut, Minnesota, Mississippi and New Hampshire include a private right of action for consumers. New York lawmakers have introduced five different privacy bills in the state legislature, and four include a private right of action.

Assembly Bill 680, named the New York Privacy Act, would require companies to disclose how they de-identify personal information, place safeguards around data sharing, and set up a new office of privacy and data protection. It also includes a private right of action.

Senate Bill 567 in New York would give consumers the right to request that a business disclose what information is collected about them, who it’s shared with, and for what purpose. It also gives state residents the right to sue for damages.

But privacy bills proposed in Oklahoma, Vermont and New Jersey would not explicitly give consumers the right to sue over alleged violations. Much like the Washington Privacy Act, S.B. 1392 in Virginia would allow residents to access, correct and delete their personal information. They could also opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling.

But Virginia's proposal also makes clear that while the attorney general has authority to fine companies up to $7,500 per violation, “nothing in this chapter shall be construed as providing a private right of action to violations of this chapter.”