February 3, 2022

Data Privacy in America


KEY TAKEAWAYS

  • There are numerous federal laws that regulate specific industries and types of data, but there is currently no comprehensive federal data privacy law in the United States.
  • At least 15 states are preparing to consider data privacy legislation in 2022.
  • A recent poll found “more than 7 in 10 adults say the federal government should establish national standards for how companies collect, process, and share personal data to help protect the privacy and security of individuals in an increasingly online world.”

As people live more of their lives online, having control of their personal data and what companies are allowed to do with it have become larger priorities for them. There are numerous federal laws that regulate specific industries and types of data, like health information, but there is currently no comprehensive federal data privacy law in the United States.

The European Union General Data Protection Regulation and the California Consumer Privacy Act continue to be the two most prominent laws governing data privacy. Some states have followed California’s lead and passed their own data privacy laws, and at least 15 states are preparing to consider data privacy legislation this year.

State Data Privacy Law Status

State Data Privacy Law Status

Source: IAPP

new state laws

Colorado and Virginia both passed comprehensive data privacy laws with some similarities to the California law and the GDPR, along with some important differences.

The Colorado Privacy Act goes into effect in July 2023. The law requires covered entities to offer and honor the option to opt out from targeted sales and advertising. Colorado residents will have the right to access, correct, and delete their personal data. Residents are also given the right to data portability – meaning the right to move their data from one platform to another. There is no private right of action; enforcement is left to the attorney general and district attorneys. The law, unlike California’s, does not exempt nonprofit organizations from its requirements.

The Virginia Consumer Data Protection Act goes into effect in January 2023. It gives Virginia residents the right to access, correct, and delete their data, opt out of its collection, and appeal a business’s denial to act within a reasonable time. Businesses must respond to a consumer request within 45 days. The law also grants the right of data portability, and requires businesses to obtain consent before using personal data. Enforcement of the law is delegated to the Virginia attorney general. The law’s requirements apply to entities that conduct business in Virginia or produce products or services targeted at residents of the state.

senate action

Senators Roger Wicker and Marsha Blackburn recently led a letter to President Biden urging him to “work with Congress to enact a nationwide consumer privacy and data security law this year.” The senators said establishing a baseline privacy law in the United States “is a national imperative for maintaining a strong and secure digital economy.”

Americans generally support federal data privacy legislation. A recent poll found 56% of registered voters would support a proposal to “make it illegal for social media companies to use personal data to recommend content via algorithms.” Another poll found “more than 7 in 10 adults say the federal government should establish national standards for how companies collect, process, and share personal data to help protect the privacy and security of individuals in an increasingly online world.”

One technology think tank estimated that, in the absence of federal privacy legislation that preempts states from passing their own laws, state privacy laws could impose costs of $98 to $112 billion a year on out-of-state businesses, and more than $1 trillion over 10 years. At least $200 billion of that would fall on small businesses.

Senators have introduced legislation to establish a federal data privacy law. Last July, Senators Wicker and Blackburn introduced the SAFE DATA Act. The bill would give consumers the right to access; to correct, delete, and “port,” or move, their data from one platform to another. It would limit secondary uses of consumer data without consent and establish uniform data protections across the country, enforced by the Federal Trade Commission and state attorneys general.

Senator Blackburn also introduced the BROWSER Act. That bill would require communication and technology companies to clearly disclose their privacy policies and would give consumers the choice to opt in or opt out of data collection, depending on the sensitivity of the information.

The Commerce Committee has held several hearings examining data privacy and potential federal data privacy legislation. Last September, the committee held a hearing examining the FTC’s role and resources. A witness representing app developers urged Congress to act, testifying, “the single most impactful policy decision Congress can make to combat existing and future privacy harms is to enact comprehensive privacy legislation that grants strong consumer rights to the citizens of all 50 states simultaneously.”

In October 2021, the committee held a hearing on enhancing data security. Senators heard testimony on recent cybersecurity incidents and data breaches and on efforts to protect consumers’ data. One witness who represents startups testified: “A complicated regulatory and legal regime makes a disastrous situation worse for a startup in the wake of a data breach. Congress should create a federal framework that gives startups clarity on the measures they need to implement to protect consumer data and the steps they need to take if they suffer a data breach.”

Issue Tag: Technology