With the prospect of a federal data privacy law still remote, state legislatures have moved forward with their own versions of California’s Consumer Privacy Act (CCPA).
Ten states are currently considering data privacy legislation: Alabama, Alaska, Colorado, Connecticut, Illinois, Massachusetts, Minnesota, New Jersey, New York, and Texas, according to a tracker from the International Association of Privacy Professionals (IAPP).
Legislation in several states where a privacy law had strong support—Florida, Oklahoma, and Washington—failed to pass because lawmakers disagreed on enforcement.
The Florida bill, HB 969, would have imposed new disclosure requirements on companies that collect information on customers who use the company’s app or website. Customers would have had the right to access the personal data collected on them, the right to correct that data if it contained errors, the right to delete it, and the right to opt out.
But the sticking point in Florida was the bill’s private right of action, which would allow customers to sue businesses that violated any provision of the law. The bill died April 30 because its supporters could not overcome business opposition to private right of action, the Miami Herald reported.
For the third consecutive year, a data privacy bill failed to pass in the state of Washington in April, primarily because of opposition to the bill’s private right of action, the National Law Review reported.
A bill in Oklahoma also died in April because of opposition to a requirement allowing consumers to proactively consent for businesses to collect their data, known as an opt-in provision, the National Law Review said.
“It has become clear that the main gate to passage of any data privacy bill is not going to be substance; it is going to be how the bill is enforced, and, in particular, whether a bill includes a private right of action,” said Nathan Taylor, partner at law firm Morrison & Foerster.
For many businesses, private right of action poses the potential for significant legal exposure through consumer class-action lawsuits, said Vivek Mohan, partner in Mayer Brown’s Cyber-Security and Data Privacy practice.
Private right of action also presents concerns for compliance specifically, he said. If a state data privacy law is enforced by the state attorney general, businesses seeking in good faith to comply with the law can have a conversation with the regulatory body. Regulators can offer guidance and interpretation of the law, helping a company adjust its efforts toward more substantial compliance.
Private right of action, conversely, can appear to businesses to be “an opportunistic gotcha game,” where the guidance changes as lawsuits are resolved, Mohan said.
Of the states with pending data privacy legislation, only Massachusetts, Minnesota (one of two bills), and New York (all three bills) contain private right of action provisions, according to the IAPP.
The only state data privacy bill currently in force, the CCPA (effective as of Jan. 1, 2020), offers a limited private right of action that consumers can invoke only if their personally identifiable information was lost in a hack or breach.
Nearly 50 class-action lawsuits were filed through Jan. 1, 2021, seeking damages for CCPA-related violations, according to Morrison & Foerster. Children’s clothing retailer Hanna Andersson paid $400,000 to settle a CCPA-related lawsuit in November.
Other lawsuits pending include class actions against Walmart, Zoom, and Houseparty, in which consumers alleged the companies mishandled their personal information.
Two other state data privacy laws have passed since the CCPA took effect. Both will be enacted in January 2023. Neither changes the state of play on private right of action.
The California Privacy Rights Act (CPRA) ladles additional responsibilities onto businesses for how they handle private data, such as prohibiting companies from sharing sensitive information about customers’ health, finances, race, ethnicity, and precise location; tripling fines for violations related to children’s data; and putting new limits on how companies can collect, share, and sell customers’ personal data.
The private right of action provision remains unchanged from the CCPA.
Virginia’s Consumer Data Protection Act (CDPA) does not contain a private right of action, giving the Virginia attorney general the sole power to enforce the law.
Had Florida’s bill passed, its private right of action would have resulted in a significant widening of the legal basis to sue when compared to the private right of action contained in the CCPA.
Consumers could have sued for any violation of the law, not just when a breach or hack occurred.
Florida’s bill “would have created a lot of headwind for the business community’s legislative efforts in other states,” Taylor said.