Here’s a Crash Course on State Comprehensive Privacy Legislation

Last year, Delaware, Florida, Indiana, Iowa, Montana, Oregon, and Texas all passed major privacy bills, bringing the number of states with a comprehensive privacy law to thirteen. This year, New Jersey has already joined that list, and New Hampshire appears to be on the verge of enacting a comprehensive law, with many more states likely to consider legislation this session.

With privacy laws on the books in over a quarter of the states, a consensus on what a privacy law should look like has developed. States have largely followed the model set by Virginia, enumerating certain rights to consumers with enforcement by the attorney general. But the devil is in the details, and each state that has passed a law has brought its own unique variations on the template. What are some of the issues at stake as other state lawmakers debate what should be included in their comprehensive privacy legislation?

Scope: Who Do These Privacy Laws Apply To?

The first question for any law is, who does this apply to? The enacted privacy laws typically apply to businesses that service a certain number of that state’s residents or are a data broker that generates revenues from the sale of data. For example, Virginia’s law applies to any company that controls or processes data for 100,000 residents, or companies that process data for 25,000 residents if they derive 50 percent of revenues from the sale of data. 

However other states have expanded the scope to include other businesses. California’s privacy law applies to any company that makes at least $25 million in gross annual revenue, in addition to those companies that process the personal information of at least 100,000 consumers or derive half of the revenues from the sale of personal information. A Utah bill this session proposes to broaden their privacy law to do the same. 

Florida went the other direction and narrowed the scope of its law to only apply to companies with at least $1 billion in annual revenues that either derive half of their revenues from the sale of online advertisements, operate a consumer smart speaker and voice command service with a virtual assistant, or operate an app store with a least 250,000 software applications for consumers. Lawmakers were wary of a broad privacy law that would present onerous compliance measures for Florida businesses and instead focused the law on large technology companies. 

Definitions: Personal Information, Sensitive Data, and More

How states define terms in privacy laws can matter greatly. Most states define personal information as information that can be linked or is reasonably linkable to an identifiable individual — information like names, addresses, phone numbers, email addresses, social security numbers, any kind of identification number, online usernames and passwords, and IP addresses. But most states will require special protections for certain “sensitive data,” requiring consumer consent before collecting and using such data. States typically define “sensitive data” as information relating to protected class status (i.e., race, gender, religion, sexual orientation), biometric or genetic data, and precise geolocation, and increasingly states are also including the data from a known child as warranting further protection. But different states may vary in what is covered. For example, California includes union membership information and Oregon includes status as transgender or non-binary or status as the victim of a crime.

Other definitions can be just as important. California broadly defined “consumer” to mean any natural person, meaning that personal information derived from employer/employee relations is covered. Laws in Virginia and Utah define “sale” in regard to personal data as only transactions involving an exchange for monetary consideration, which exempts sharing data among affiliates. 

Consumer Rights in State Privacy Laws

Most comprehensive privacy laws enacted so far enumerate similar consumer rights over the data collected — a right to confirm what is being collected, a right to access that data, a right to correct any perceived inaccuracies, a right to have the data deleted, the right to a portable copy of the data, and a right to opt out of having the data processed for certain uses — typically targeted advertising, creating a profile of the consumer, or selling the data to a third party. But there can be variations on those rights. Utah’s law does not include a right to correct, nor the opportunity for consumers to opt out of having data processed for profiling. 

While all enacted privacy laws allow companies to collect and process data until the consumer opts out, some advocates have called for laws that require consumer consent before the processing of data. Many comprehensive privacy laws have required consent before certain “sensitive data” can be collected. A proposed bill in Maine would prevent the collection and processing of data for targeted advertising, the sale of personal data, or profiling for automated decisions until a consumer opts in. 

Enforcement of State Privacy Laws (It's Usually Up to the State AG)

All of the privacy laws passed so far have left enforcement to the state, typically the state’s attorney general. Privacy advocates have argued for a private right of action to allow consumers to sue for perceived violations. However, concerns over litigation costs have either stymied bills with a private right of action or caused those provisions to be stripped in amendments. Still, advocates argue that states frequently lack the resources to pursue cases and that a private right of action is needed to give enforcement teeth, something recent bills in Michigan and Utah propose to do. 

Every privacy law has included a “right to cure,” giving businesses a chance to remedy any perceived violation before penalties are levied, although Florida’s law gives the attorney general discretion whether to grant that right. Those cure periods can range from 30 to 90 days, depending on the state. Many states also plan to sunset the right-to-cure provisions. California's right to cure expired this year, while Connecticut businesses have until the end of this year to cure within 60 days. 

 A Patchwork of State Laws

Privacy laws may also vary in what kind of information or groups are exempted from the law (such as non-profits). Obligations for “controllers” and “processors” may differ state-by-state, as well as how those terms are defined. States are increasingly insisting on “data minimization,” restricting what purposes data can be used for and how long it can be retained. Most states require data protection assessments, but Iowa and Utah do not. Tennessee added a wrinkle by providing a safe harbor for businesses if they maintain a written privacy program that “reasonably conforms” to the framework set by the National Institute of Standards and Practices (NIST).

In the absence of a federal law, states have cobbled together a patchwork of privacy laws with consensus on a few provisions. But laws will still vary in the details from state to state, creating compliance difficulties for many companies. Congress continues to propose legislation, but the odds remain long for anything passing on the federal level.