Jennifer Huddleston and Gent Salihu
Prior to the 2022-2023 legislative session, five states (California, Virginia, Utah, Colorado, and Connecticut) had passed consumer data privacy laws; since then, the patchwork of state laws has more than doubled. Congress has continued to debate a potential federal standard, and the American Data Privacy and Protection Act in the 117th Congress became the first such proposal to be voted out of committee. Without momentum behind a federal standard, however, and with continuing and new consumer concerns about data privacy, many states are undertaking their own policy actions.
The patchwork nature of these individual state laws can amplify compliance costs for businesses operating across state lines and create confusion among American consumers whose digital footprint often crosses state borders. The potential financial cost of complying with 50 distinct state laws could exceed $1 trillion over a decade, with at least $200 billion borne by small businesses. As this patchwork grows, what does data privacy look like as the 2022-2023 legislative session comes to a close?
What happened with data privacy in 2022-2023?
As of 2023, a majority of states have considered data privacy legislation, likely in response to consumer concern on the issue: 32 state legislatures have introduced bills. Ten states now have comprehensive privacy laws on the books. Six states (Florida, Indiana, Iowa, Montana, Tennessee, and Texas) enacted data privacy legislation this year, although Florida's law is narrower in scope than the others. Oregon is the latest state to pass a comprehensive law, which is now awaiting the governor's signature. Five more bills remain under consideration as of July 2023. Most of these bills share similarities with the existing data privacy laws in California, Virginia, and Utah.
States with data privacy acts enacted in 2023 that have followed the California model
Of the states that enacted data privacy laws this year, Indiana and Montana appear to most closely resemble California's model, which relies heavily on administrative rules. Montana even goes beyond California by creating a right for consumers to revoke consent to data processing. None of the states that enacted laws this year created a private right of action, which exists in limited form (for certain data breaches) under the current California law.
States that have followed the Virginia or Utah model
Notably, a growing number of states have passed or considered a data privacy framework that more closely resembles the laws initially passed in Utah and Virginia. These include Iowa, Tennessee, and Texas, as well as a bill still under consideration in North Carolina. Such models provide baseline protections but typically impose fewer obligations, cover fewer categories of data, limit enforcement to the attorney general, and are more likely to provide safe harbors.
Still, each proposal remains unique. For example, Tennessee became the first state to create a compliance safe harbor, in the form of an affirmative defense for companies that maintain a privacy program reasonably conforming to the National Institute of Standards and Technology (NIST) Privacy Framework. Other states have considered similar carve-outs for existing standards. Such an approach may lessen some problems of the patchwork by allowing a single set of best practices to satisfy the laws of several states.
Notable privacy bill trends to watch
In addition to the growing patchwork of state privacy laws, this latest legislative term has clarified the debates around data privacy legislation. Notably, private rights of action continue to raise concerns and may make proposals less likely to succeed. Additionally, a new trend of health privacy-focused bills is emerging at the state level.
Currently, four states that still have active bills (Maine, Massachusetts, New Jersey, and Rhode Island) contemplate creating a private right of action. To date, however, every bill that included a private right of action, from Hawaii to Mississippi to New York, has failed. New York's failed "It's Your Data Act" provided that consumers "need not suffer monetary or property loss as a result of such violation in order to bring an action for a violation." The Washington Privacy Act cleared the state Senate only after its private right of action was removed; a later House amendment restored it in a very limited form, allowing suits only for injunctive relief without monetary damages, and the bill ultimately did not become law.
A private right of action for statutory violations, which lets individuals sue companies without having to prove that any actual harm was inflicted on them, has grave consequences. It raises significant concerns about how litigation could be used to stifle innovation. A private right of action would pose little problem if the burden of proof were tied to demonstrating harm; the problem arises when there is no requirement to prove harm. Such a provision could prompt a surge in class action lawsuits, impeding innovation, especially among small companies that may become more risk-averse for fear of being sued.
The United States, with its distinct litigation system and features such as the absence of a "loser pays" rule, is especially susceptible to abuse of a private right of action for statutory violations. Illinois's Biometric Information Privacy Act provides such a right for certain collection of biometric data, and defendants have ranged from photo-tagging services to trucking companies. Most of the resulting funds have gone to attorneys, with limited amounts reaching the class members alleged to have been "violated." In the photo-tagging case, Facebook agreed to pay $650 million in a settlement without any showing of harm. In the trucking case, truck drivers secured a $228 million jury verdict because, as employees, they were required to scan fingerprints to confirm their identity, again without any need to show actual harm.
A newer trend to watch is the sponsorship of bills regulating consumer health data, primarily reproductive health data. Washington is the first state to pass such a law, the My Health My Data Act, which takes effect in 2024. In a post-Roe context, similar legislation is likely to emerge, particularly in blue states, regulating actors that are not governed by HIPAA. Given the broad scope of what is classified as health data, debates over its definition, collection, and use are likely to be heated. Such laws also raise unique compliance questions for a variety of popular apps that are not regulated as medical devices but give consumers empowering ways to track information from blood sugar to mental health.
What do state data privacy laws mean for consumers, innovators, and the federal privacy policy debate?
States are acting on data privacy in part because of continued interest in the issue from constituents. In 2022, more than 80% of voters polled supported the idea of a federal data privacy law. Given that data privacy remains a concern and that a federal bill has stalled, it is unsurprising that much of the debate has shifted to the state level, where legislatures can move more quickly. But is this good for consumers and innovators?
Is there a case for data privacy legislation anyway?
While many polled consumers favor data privacy legislation, their actual privacy preferences vary widely. The overwhelming support for data privacy becomes far more complicated once you consider questions such as how much an individual would be willing to pay for social media or other products instead of using an ad-supported version. Similarly, research has documented a "privacy paradox": revealed preferences for privacy tend to be weaker than stated preferences.
If policymakers are to consider data privacy legislation, they should focus on real and widely agreed-upon harms, not merely expressed preferences. This approach avoids a shift toward a more European "privacy fundamentalism" that is more likely to conflict with other rights, such as speech, and to create a static regime that deters innovation, including innovation that could improve privacy.
Understanding the problems of a patchwork approach
The continuing, emerging patchwork of data privacy laws at a state level is likely to lead to both increased costs and confusion. This is true not only for the businesses that handle data but also for consumers.
A state-by-state approach leaves both innovators and consumers uncertain about what may or may not be done with data. For consumers, this can create confusion about why certain products or features are unavailable in their state, or about what rights they have to obtain or correct their data online. For small businesses in particular, a state-by-state approach is likely to raise costs significantly as new compliance obligations arise in each state. In some cases this may mean applying the most restrictive standard everywhere; in others it may require developing state-specific features to comply. Either way, both consumers and innovators lose: consumers may lose features because of standards imposed by legislatures in other states, and innovators may find themselves focusing on compliance rather than the improvements that best serve their customers.
Far from being a second-best solution, a patchwork makes it almost inevitable that proposals will eventually conflict with one another, making it impossible to comply with every state law at once. The most obvious example would be one state choosing an opt-out model while another chooses an opt-in model, but many other conflicts could arise around issues such as data minimization or retention.
Given the potential for such conflicts and the burden on out-of-state businesses, a state-by-state approach should also give rise to dormant commerce clause concerns. The interstate (and international) nature of data means that a federal standard should be considered constitutionally necessary in this case.
Conclusion
The 2022-2023 session saw a doubling of the number of states with consumer data privacy laws. While policymakers may feel they are responding to constituent concerns, the patchwork approach remains problematic for both innovators and consumers.