Comprehensive Data Privacy Laws Introduced in 37 States featured image

Comprehensive Data Privacy Laws Introduced in 37 States

by John DiGiacomo

Partner

Internet Law

In the United States, in the last year, legislators have introduced and debated comprehensive consumer data privacy bills in at least 37 States. Many bills failed to pass Committee votes, but this is still a remarkable development given that the very first consumer data privacy law was only enacted in the United States four years ago. California passed the original all-encompassing consumer data privacy act in 2018. That was the California Consumer Privacy Act (“CCPA”).

Since 2018, California has amended the CCPA every year and at least eight bills have been introduced in the 2022 session to make further amendments. Further, two other States — Virginia and Colorado — have added their own comprehensive statutes. Both of those statutes go into effect in 2023. And now, Indiana and Oklahoma are close to passing comprehensive data protection statutes.

When passed in 2018, the CCPA was focused on protecting what is generally termed “personal identifiable information” (“PII”). This is information or data that allows the identity of the person to be determined from the data, either directly or from a combination of the data. Essentially, the CCPA required businesses that collected PII to notify consumers that PII was being collected, why it was being collected, to what purposes the PII would be used and regulated the sale and sharing of such information. The CCPA also required that businesses obtain consent for the collection of such data and provide at least two methods for consumers to contact a business with inquiries about what data has been collected. Since then, an important advancement in California was to extend the data protection laws to what is called “sensitive personal information” including data like usernames, security codes, race, gender, global spatial-location data, etc. These features are common in the bills being introduced around the country.

In addition, with the new bills being introduced, several trends can be seen. First, there is a push to expand the requirements to all businesses. Under the original CCPA, only certain large businesses were required to comply with the regulations. That size limit is being eliminated. For example, the Colorado statute, going into effect on July 1, 2023, applies to all businesses that collect consumer data, regardless of size.

Additionally, there is a substantial push to allow consumers a private right of action to sue for violations of the data protection laws. Business groups are, naturally, resisting this effort. Under the original CCPA, with some exceptions, there was no private right of action. Enforcement was administrative through the California Attorney General’s Office. This is also true for the Virginia and Colorado statutes. However, several of the bills introduced over the last year have included a private right of action in some circumstances. Lawmakers in California are also pushing for this

Further, there is a trend to significantly increase the penalties for violation of the new data privacy laws by invoking existing deceptive business practices legislation. For example, Colorado linked their new privacy statute to their deceptive business practice act. Under that act, punishments and fines can be as large as $20,000 per violation.

Finally, a number of the new bills are adding consumer rights and/or strengthening rights provided by the earlier legislation. Thus, many bills are attempting to regulate any sort of transfer of consumer data, not just the sale or sharing of such data. Many bills are also attempting to eliminate “loop-holes” where consumers are not informed of data shared internally or with affiliates. New rights include the right to correct erroneous data, the right to have data transferred, the right to have data destroyed and enhanced rights to non-retaliation. If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.

Extra, Extra!
Recent Posts

2025 Changes to Trademark Fees

2025 Changes to Trademark Fees

Trademark

There are some significant changes coming to the United States Patent and Trademark Office (USPTO) that will affect trademark filings beginning January 18, 2025. These changes include the introduction of the Trademark Center, new fees, and revised application requirements. Here is an overview of the key changes: The USPTO will retire the TEAS system, which […]

Read more about 2025 Changes to Trademark Fees

Automated Decision-Making Technology: California Releases Proposed Regulations

Automated Decision-Making Technology: California Releases Proposed Regulations

Internet Law

In today’s competitive e-commerce landscape, automated decision-making technology is becoming more and more important. From personalized product recommendations to targeted advertising and streamlined logistics, these systems help ecommerce businesses adapt and grow. But new regulations are on the horizon, and these changes could reshape the way e-commerce businesses use automation. The California Privacy Protection Agency […]

Read more about Automated Decision-Making Technology: California Releases Proposed Regulations

FTC Adopts Final “Click to Cancel Rule”

FTC Adopts Final “Click to Cancel Rule”

Internet Law

The Federal Trade Commission (FTC) has issued final amendments to its trade regulation rule concerning negative option plans, also known as the “click to cancel rule.” This rule aims to address widespread deceptive practices that prohibit customers from cancelling services in the same manner in which they signed up. Here’s a detailed summary of the […]

Read more about FTC Adopts Final “Click to Cancel Rule”

Put Revision Legal on your side