The COVID-19 pandemic has rapidly accelerated our reliance on digital services and platforms, which brings new challenges and expectations for data privacy. But, to date, there has been little movement towards all-encompassing federal privacy legislation. Therefore, the issue of consumer data privacy has been left to the states to decide. During 2021, 23 states introduced some form of all-encompassing data privacy legislation to address the absence of federal privacy laws, with only two becoming law: Virginia and Colorado.
This Review is the first in a four-part series that will explore the proposed 2021 state privacy legislation, each of the Virginia and Colorado laws, and recent changes to the California Consumer Privacy Act stemming from changes mandated by California voters. This Review examines significant developments affecting companies as they navigate the ever-evolving data privacy landscape.
The 23 states that introduced privacy legislation this year are: Alabama, Alaska, Arizona, Colorado, Connecticut, Florida, Illinois, Kentucky, Maryland, Massachusetts, Minnesota, Mississippi, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Texas, Utah, Virginia, Washington, and West Virginia. Several of these states, including New York and Washington, had multiple bills addressing privacy submitted to committee; some were companion bills and some were competing.
Because so many bills remained in process, it is not certain what specific requirements will become law, but there are overarching principles that are likely to drive the flood of new laws. Unsurprisingly, the proposed legislation gives rights to the consumer; however, also unsurprisingly, there is little uniformity among the 23 states on how “consumer” or “personal data” will be defined, or on the rights individuals will possess. The obligations of businesses differ to such an extent that implementation will require a flexible approach depending on the number of states in which a business operates. We’ve provided a breakdown of the notable elements of the data privacy legislation introduced in the 23 states below.
Activities in the Employment Context: Current laws suggest two emerging models for treatment of personal data in the employment context. In the California model, a consumer is broadly defined and, after January 1, 2023, activities in the employment context will be subject to the CPRA. In contrast, under the Virginia/Colorado model, the definition of consumer excludes those acting in a commercial or employment context, and thus the rights under the law do not extend to personal data in the employment context. Of the other 21 states with bills submitted in the 2021 legislative session, just over half followed the California model. Specifically, the legislation introduced in Alabama, Florida, Illinois, Kentucky, Massachusetts, Mississippi, North Dakota, Oklahoma, Pennsylvania, Texas, and West Virginia followed the California model. Additionally, Alaska excluded personal data collected in business-to-business type transactions, but not personal data of a business’s own employees. In Minnesota, Washington, and New York, states that saw multiple bills introduced, at least one bill followed the California model.
Creation of a private right of action: Nine states (Massachusetts, New York, North Carolina, Florida*, Minnesota, Mississippi, North Dakota, Washington*, and West Virginia) proposed a private right of action for violation of the law, and the bill in Pennsylvania included a private right of action but only in the event of a security breach (*only one of the two introduced bills contained the provision).
Consumer right of access and deletion: Bills in all states except Kentucky and North Dakota included the right of access and the right of deletion as consumer rights.
Consent for processing: Bills in Massachusetts, New York, North Dakota, and Washington included opt-in consent requirements that would place the onus on businesses to obtain consent prior to processing the personal data of a consumer, while all other states except Arizona and Texas included a right to opt out of processing, which would allow a business to process data without express consent so long as there existed a mechanism to opt out of such processing.
Consumer right against automated decision making: The right against automated decision making, which protects against decisions made solely on the basis of automated processing without human input, was included only in the Arizona, Colorado, Florida, Massachusetts, Minnesota, New York, North Carolina, Utah, Virginia, and Washington legislation, making it the least included of the consumer rights proposed.
Notice Requirement: A requirement for businesses to provide notice to consumers that their personal data is being collected appeared in every bill except West Virginia’s; the breadth of the notice differed in each proposed bill.
Applicability Provisions: Those who will be subject to the privacy requirements run the gamut from being broadly applicable to any legal entity that collects personal data (e.g., North Dakota) to being limited by including record requirements and/or revenue requirements (e.g., North Carolina or Massachusetts).
As of this writing, bills in 15 states never advanced to a full legislative vote, bills in 6 states remain active but are still in committee, and bills in 2 states (Colorado and Virginia) were signed into law. While most of these bills never made it out of committee, monitoring the introduction of legislation at the state level remains necessary until the US has federal comprehensive privacy protections. Diverging privacy protections granted across states will continue to pose serious questions for businesses navigating this complex compliance environment.
The 2021 legislative session affirms that more comprehensive data privacy laws are coming. Without uniform federal legislation, data privacy law will continue to develop in a piecemeal fashion, and organizations will have to decide whether to implement the most stringent rules everywhere or take a patchwork approach on a jurisdiction-by-jurisdiction basis. Even those outside of California, Colorado, and Virginia would be wise to begin (i) reviewing the nature and location of personal data on their systems, including both customer and employee data; (ii) reviewing policies and procedures that govern or relate to personal data, including both privacy notices and IT and other information security policies; and (iii) identifying agreements with third parties that process personal data.