Virginia-style privacy bills gain traction in US state legislatures

As Utah prepares to become the fourth state to enact a consumer privacy law, the patchwork of US privacy regulations the tech industry dreaded and predicted is taking shape — slowly.

California and Virginia drew the broad contours of that regulatory quilt already when they passed the first state privacy laws in the US. But key differences have emerged, and they’re becoming stark.

While both states give consumers nearly identical rights over their data, their approach to enforcement differs dramatically. At one end is California, with its new oversight agency and threat of civil litigation, and at the other is Virginia, with a more business-friendly approach to privacy regulation, backed by the tech industry.

More state legislatures are following Virginia’s approach under the Virginia Consumer Data Protection Act, and introducing proposals that put state attorneys general in charge of enforcement, with minor tweaks around the edges.

Last year, Colorado passed a privacy law largely modeled after the VCDPA, but gave the state AG additional rule-making authority. This year, Utah pushed through — in less than two weeks — a consumer privacy bill also modeled after the VCDPA that’s now waiting at the governor’s desk, where approval is widely expected.

Other states could follow. Legislators in at least 30 US states introduced about 60 consumer privacy bills this year. The chances for passage, however, are slim.

Once again this year, state legislatures have demonstrated just how challenging passing comprehensive privacy laws can be, regardless of which privacy model lawmakers follow. Lawmakers in Florida and Indiana managed to pass privacy bills out of the chamber where they were introduced, but they languished on the other side and died when the legislature adjourned. Florida's bill contained a limited private right of action, and Indiana's did not.

In Washington state, lawmaker have been trying for four years to pass a consumer data-protection law. Virginia lawmakers even used early versions of the proposed Washington Privacy Act as a model for their privacy law. But familiar debates over giving consumers the right to sue for violations and giving businesses time to fix problems felled privacy proposals once again this year in Washington.

Although many state legislatures have adjourned this year, privacy bills are still in alive in several states, including Connecticut, Iowa, Massachusetts, and New York.

Whether they follow Virginia or California, the state proposals introduced this year have much in common. Nearly all of them follow the EU's General Data Protection Regulation (GDPR) example and give residents new rights over their data, including the ability to opt out of third-party data sales.

They would require businesses to disclose what categories of data they collect and why, and whether that data is shared with or sold to third parties. They would be required to adopt comprehensive security practices.

But key differences are apparent. A handful of the proposals are modeled more closely after the California Privacy Rights Act, a ballot initiative that created the first stand-alone privacy oversight agency in the country. The newly created California Privacy Protection Agency is preparing to issue new rules slated to take effect next January.

Proposals introduced in Massachusetts, New Jersey, Pennsylvania, and Washington state would create new oversight agencies modeled after the CPPA that would issue rules and regulations.

California privacy law also gives residents the right to sue for damages if a company was negligent and allowed their data to be breached. A few proposals in states such as Florida, Massachusetts, Pennsylvania, and Washington also include a private right of action.

The majority of state proposals introduced this year, however, are more closely modeled after Virginia’s Consumer Data Protection Act, which regulates companies more loosely than California privacy law.

In state legislatures across the country this year, backers of Virginia-style privacy bills offered California as a cautionary tale of regulatory overreach. Virginia’s law is a better model because it’s easier to understand and therefore less burdensome on companies than California’s privacy law, they said.

Virginia’s privacy law provides similar data-protection rights, and unlike California doesn’t include a private right of action, which could flood courts with frivolous, costly litigation, they argued. Instead, enforcement authority in Virginia rests with the state attorney general, which is a more streamlined approach, they said.

Privacy advocates counter that while Congress sits on the sidelines, the tech industry is successfully rushing weak privacy bills in Republican-led states like Utah, and consumers end up with minimal privacy protections.

Consumer groups such as Consumer Reports have urged Utah’s governor to veto the bill, arguing that it gives businesses too many exemptions and loopholes that make it weaker than Virginia’s privacy law.

Unlike other state privacy laws, the Utah bill limits consumers’ right to delete personal data they’ve provided to companies, and companies are not required to fix inaccuracies, privacy advocates say. Utah residents can’t opt out of data profiling under the proposal, unlike residents in Virginia, Colorado and California.

Iowa state legislators are now quickly advancing a copy-cat bill, HF2506, that also doesn't include a right to correction, and also doesn't give consumers the right to opt out of profiling. Iowa’s legislature adjourns April 19.

Last week, a coalition of consumer, privacy, and civil rights groups wrote to the bill’s sponsors urging them to strengthen the proposal, particularly its enforcement provisions.

The Iowa House voted to advance the bill to the Senate by a 91-2 vote on Monday.