
New State Privacy Laws Creating Complicated Patchwork of Privacy Obligations

Westlaw Today

With the passage of 19 comprehensive state data privacy laws and even more industry or data specific state privacy laws, the long-feared "patchwork" of state privacy laws is quickly becoming unmanageable for many U.S. companies. The breaking point may be the recent passage of privacy laws in Maryland, Minnesota, and Vermont — each of which departs considerably from the dominant models of U.S. state privacy law and significantly increases the compliance burden for U.S. companies.

Time will tell whether this patchwork finally moves Congress to pass a federal privacy law. In the meantime, U.S. companies with national operations face a dizzying array of privacy requirements that rival the EU in their complexity.

State privacy patchwork — where it began

In 2018, California became the first U.S. state to pass a comprehensive data privacy law, the California Consumer Privacy Act ("CCPA"). Enacted by the legislature to head off a pending ballot initiative, the CCPA was designed to give consumers enhanced insight into how businesses use their personal information and a degree of control over the sale of that information.

As initially passed, the CCPA provided California residents with basic rights regarding their personal information, including the right to know; the right to request deletion; the right to opt-out of the sale of their information; and the right to non-discrimination. The CCPA also included transparency and operational obligations, including certain mandated disclosures and limitations on the use of data for secondary purposes.

By the end of 2022, the U.S. privacy landscape had evolved with the passage of the California Privacy Rights Act ("CPRA"), which amended the CCPA, as well as the passage of privacy legislation in Colorado, Connecticut, Utah and Virginia.

2022-2024: state patchwork expands

The number of states to implement privacy laws grew considerably in 2022 and 2023. By the end of 2023, 12 states had passed privacy laws.

The trend continued in the beginning of 2024, as four more states passed comprehensive privacy laws. By April of 2024, the total number of U.S. states with comprehensive privacy laws had grown to 16. Those states are California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia.

Another wrinkle: targeted privacy laws

If these new comprehensive laws were not enough, a number of states have also passed, over the past few years, targeted online privacy laws addressing specific issues such as biometrics, health data, children's privacy, data brokers, and artificial intelligence. For example, in 2023, Washington passed the My Health My Data Act ("MHMDA"), which governs the collection, processing, and disclosure of consumer health data.

Consumer health data is defined broadly under the MHMDA, creating significant new obligations for entities typically exempt from federal health regulations such as HIPAA. Some of the newer comprehensive privacy laws, such as Connecticut's, also bring "consumer health data" within their scope, creating a Frankenstein-like monster of overlapping privacy obligations.

Similarly, California and Maryland have passed dedicated children's privacy protection laws that create significant new obligations for businesses whose online services "may be accessed" by children under the age of 18, a significant departure from the federal standard set by the Children's Online Privacy Protection Act ("COPPA"), which applies to children under 13.

The straw that broke the camel's back? Maryland, Minnesota, and Vermont

Notwithstanding the steady trickle of new state privacy laws, many U.S. companies were able to manage their growing privacy obligations by focusing on compliance with California's law, the most complex in the country. These companies took the view, not incorrectly, that compliance with the CCPA ensured compliance with every other state privacy law, subject to minor adjustments for particular state requirements. Recent events, however, may have broken that compliance model.

Beginning in April 2024, three more states — Maryland, Vermont and Minnesota — passed comprehensive privacy laws, bringing the total number of U.S. states with comprehensive privacy laws to 19. These new laws are a substantial departure from the dominant U.S. state model, introducing entirely new compliance requirements that do not exist under any U.S. state privacy law, even California's.

Maryland's Online Data Privacy Act ("MODPA"), for example, adds a unique data minimization requirement that limits the personal data a company may collect to what is reasonably necessary and proportionate to provide or maintain a product or service the consumer has requested. Most other state laws tie minimization to the purposes the business discloses rather than to what the consumer requested, so the effect of this shift in wording could be significant, depending on how it is interpreted, particularly for website tracking and analytics technologies.

The Maryland law also goes beyond California and the other U.S. state privacy laws by prohibiting the sale of sensitive personal data even with consent, and by placing controls on the processing of data about individuals a business knew or "should have known" were under 18.

Similarly, Minnesota's new law creates significant internal compliance obligations by, for example, requiring companies to maintain an "inventory" of the personal data they process and to document and maintain a "description of policies and procedures" adopted to comply with the law. Minnesota's law also creates a new right for consumers to challenge the results of, and obtain additional information about, decisions made through "profiling," a term that covers many forms of online tracking and targeting. This new right is likely to further complicate the management of website analytics and tracking technologies.

Finally, Vermont's Data Privacy Act, which has not yet been signed by the governor, includes a first-of-its-kind private right of action for consumers. It provides for $1,000 in liquidated damages per violation and would significantly increase the risk of actual and threatened litigation for any company subject to the law.

Handling the patchwork

Collectively, these new comprehensive and targeted state privacy laws create significant operational complexity for national companies. Merely complying with the CCPA may no longer bring a national company into full compliance with the newer state privacy laws, and the delta (the regulatory gap) may be considerable.

Companies may have to choose, for example, whether to implement Maryland-only privacy controls to address that state's ban on the sale of data about children under 18, or to roll those controls out nationally. Companies face a similar choice in complying with Minnesota's law, which gives consumers a right to access and object to profiling decisions.

Given the copycat nature of state legislatures, it is likely that the next round of states to pass privacy laws will adopt some of these new rights and obligations. Defaulting to a single state's privacy requirements may not be feasible from a legal or business perspective. The complications grow as companies face a litigation environment that often turns on minor differences between a company's online privacy disclosures and its actual practices, which raises the legal risk of a simple compliance mistake.

Federal Regulation

In light of the complexity of the state privacy patchwork, many businesses are hoping for a comprehensive federal privacy law that would set a single compliance standard. On April 7, 2024, Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA) released the latest draft (https://bit.ly/452roDH) of the proposed federal American Privacy Rights Act ("APRA").

APRA is based on the American Data Privacy and Protection Act, which foundered in Congress in 2022, in part because California objected to its preemption of the CCPA. With new state laws proposed and passed every month, the clamor for a federal standard will only grow. As these laws continue to diverge, and as the appetite for online regulation grows across party lines, there is a serious question whether even California can stand in the way of a federal standard.

"New State Privacy Laws Creating Complicated Patchwork of Privacy Obligations," by Philip N. Yannella and Timothy W. Dickens was published in Westlaw Today on June 7, 2024.