Comprehensive Data Privacy Laws Introduced in 37 States

by John DiGiacomo

Partner

Internet Law

In the United States, in the last year, legislators have introduced and debated comprehensive consumer data privacy bills in at least 37 States. Many bills failed to pass Committee votes, but this is still a remarkable development given that the very first consumer data privacy law was only enacted in the United States four years ago. California passed the original all-encompassing consumer data privacy act in 2018. That was the California Consumer Privacy Act (“CCPA”).

Since 2018, California has amended the CCPA every year and at least eight bills have been introduced in the 2022 session to make further amendments. Further, two other States — Virginia and Colorado — have added their own comprehensive statutes. Both of those statutes go into effect in 2023. And now, Indiana and Oklahoma are close to passing comprehensive data protection statutes.

When passed in 2018, the CCPA was focused on protecting what is generally termed “personal identifiable information” (“PII”). This is information or data that allows the identity of the person to be determined from the data, either directly or from a combination of the data. Essentially, the CCPA required businesses that collected PII to notify consumers that PII was being collected, why it was being collected, and for what purposes the PII would be used, and it regulated the sale and sharing of such information. The CCPA also required that businesses obtain consent for the collection of such data and provide at least two methods for consumers to contact a business with inquiries about what data has been collected. Since then, an important advancement in California was to extend the data protection laws to what is called “sensitive personal information,” including data like usernames, security codes, race, gender, global spatial-location data, etc. These features are common in the bills being introduced around the country.

In addition, with the new bills being introduced, several trends can be seen. First, there is a push to expand the requirements to all businesses. Under the original CCPA, only certain large businesses were required to comply with the regulations. That size limit is being eliminated. For example, the Colorado statute, going into effect on July 1, 2023, applies to all businesses that collect consumer data, regardless of size.

Additionally, there is a substantial push to allow consumers a private right of action to sue for violations of the data protection laws. Business groups are, naturally, resisting this effort. Under the original CCPA, with some exceptions, there was no private right of action. Enforcement was administrative through the California Attorney General’s Office. This is also true for the Virginia and Colorado statutes. However, several of the bills introduced over the last year have included a private right of action in some circumstances. Lawmakers in California are also pushing for this.

Further, there is a trend to significantly increase the penalties for violation of the new data privacy laws by invoking existing deceptive business practices legislation. For example, Colorado linked their new privacy statute to their deceptive business practice act. Under that act, punishments and fines can be as large as $20,000 per violation.

Finally, a number of the new bills are adding consumer rights and/or strengthening rights provided by the earlier legislation. Thus, many bills are attempting to regulate any sort of transfer of consumer data, not just the sale or sharing of such data. Many bills are also attempting to eliminate “loopholes” where consumers are not informed of data shared internally or with affiliates. New rights include the right to correct erroneous data, the right to have data transferred, the right to have data destroyed and enhanced rights to non-retaliation.

If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.
