In the United States, in the last year, legislators have introduced and debated comprehensive consumer data privacy bills in at least 37 States. Many bills failed to pass Committee votes, but this is still a remarkable development given that the very first consumer data privacy law was only enacted in the United States four years ago. California passed the original all-encompassing consumer data privacy act in 2018. That was the California Consumer Privacy Act (“CCPA”).
Since 2018, California has amended the CCPA every year and at least eight bills have been introduced in the 2022 session to make further amendments. Further, two other States — Virginia and Colorado — have added their own comprehensive statutes. Both of those statutes go into effect in 2023. And now, Indiana and Oklahoma are close to passing comprehensive data protection statutes.
When passed in 2018, the CCPA was focused on protecting what is generally termed “personally identifiable information” (“PII”). This is information or data that allows the identity of the person to be determined from the data, either directly or from a combination of the data. Essentially, the CCPA required businesses that collected PII to notify consumers that PII was being collected, why it was being collected, and for what purposes it would be used, and it regulated the sale and sharing of such information. The CCPA also required that businesses obtain consent for the collection of such data and provide at least two methods for consumers to contact a business with inquiries about what data has been collected. Since then, an important advancement in California was to extend the data protection laws to what is called “sensitive personal information” including data like usernames, security codes, race, gender, global spatial-location data, etc. These features are common in the bills being introduced around the country.
In addition, with the new bills being introduced, several trends can be seen. First, there is a push to expand the requirements to all businesses. Under the original CCPA, only certain large businesses were required to comply with the regulations. That size limit is being eliminated. For example, the Colorado statute, going into effect on July 1, 2023, applies to all businesses that collect consumer data, regardless of size.
Additionally, there is a substantial push to allow consumers a private right of action to sue for violations of the data protection laws. Business groups are, naturally, resisting this effort. Under the original CCPA, with some exceptions, there was no private right of action. Enforcement was administrative through the California Attorney General’s Office. This is also true for the Virginia and Colorado statutes. However, several of the bills introduced over the last year have included a private right of action in some circumstances. Lawmakers in California are also pushing for this.
Further, there is a trend to significantly increase the penalties for violation of the new data privacy laws by invoking existing deceptive business practices legislation. For example, Colorado linked their new privacy statute to their deceptive business practice act. Under that act, punishments and fines can be as large as $20,000 per violation.
Finally, a number of the new bills are adding consumer rights and/or strengthening rights provided by the earlier legislation. Thus, many bills are attempting to regulate any sort of transfer of consumer data, not just the sale or sharing of such data. Many bills are also attempting to eliminate “loopholes” where consumers are not informed of data shared internally or with affiliates. New rights include the right to correct erroneous data, the right to have data transferred, the right to have data destroyed and enhanced rights to non-retaliation. If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.