About twenty States around the country have enacted some version of a consumer data privacy or protection statute. Six such statutes were enacted in 2024, with another six slated for legislative action going into the next year. When a new consumer data protection statute is passed for consumers and businesses, among the first questions asked is whether the data protections are strong or weak. In general, business interests resist these types of statutes and regulations, while consumers want more and enhanced protections for their data. There is always a heated legislative debate to shape the statute itself, and business interests often succeed in weakening the protections. Business interests have also successfully gotten one proposed data protection statute vetoed by the State’s Governor (New Hampshire). See the media report here.
To be honest, these consumer data privacy/protection statutes are now a bit “cookie-cutter.” That is, it is very clear that a statutory template is being used when State Legislatures begin to consider enacting new statutes. There are obvious reasons why this sort of formulaic approach to lawmaking can be bad. However, on the plus side, template-style statutes make it easier to compare and contrast the statutes. This then provides a somewhat easy method of determining if a consumer data privacy statute is “strong” or “weak” — this might also be termed “business friendly” or “consumer friendly.”
For example, one hotly debated issue concerns how “consent” is defined. In all of these statutes, for certain types of data processing and other activities — such as selling/sharing data or processing data for purposes of targeted advertising — controllers of data are required to obtain a consumer’s “consent.” A “business friendly” (or “weak”) consumer data privacy statute will contain a vague definition of “consent” that, ultimately, allows businesses (and regulators) to deem consent to exist through so-called negative actions. A “negative action” is when the consumer does nothing, and that is deemed a form of consent. The Iowa Act Concerning Consumer Data Protection provides a good example:
“6. “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”
Legally, doing nothing is deemed in many cases to be an “affirmative action.” This definition of “consent” is very weak compared to other similar statutes. Thus, from just this one example, we can rightly determine that the Iowa statute is “business-friendly.”
On the other hand, we see a vivid contrast in the definition of “consent” in the Maryland Online Data Privacy Act (“MODPA”). The MODPA defines consent as follows:
“(G) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose. “Consent” includes: (i) a written statement; (ii) a written statement by electronic means; or (iii) any other unambiguous affirmative action.
“Consent” does not include: (i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information; (ii) hovering over, muting, pausing, or closing a piece of content; or (iii) agreement obtained through the use of dark patterns.”
From this definition, we can rightly see that the Maryland statute is “consumer friendly.”
There are a number of other issues which can be used to identify “strong” and “weak” data protection statutes. These include:
- Whether nonprofit entities are exempt
- Whether the statute applies when a consumer is “acting in an employment capacity”
- Whether the right to correct and delete data is limited only to the data supplied by the consumer or applies to all data held by the controller
- Whether controllers must accept “universal” privacy choices (through things like browser settings, apps, add-ons, etc.)
- Whether documented data assessment reports are mandated
- And more
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
Private Right of Action: The Single Most Important Structural Difference
Of all the factors that separate strong consumer data privacy statutes from weak ones, the presence or absence of a private right of action is the most consequential. A private right of action allows individual consumers — or plaintiff classes — to sue businesses directly for violations of the statute. Without one, enforcement is entirely dependent on the state Attorney General or another designated state agency, which has limited resources and will pursue only the most egregious cases.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), contains a narrow private right of action limited to data breach situations — specifically unauthorized disclosure of certain categories of personal data resulting from a business’s failure to implement reasonable security measures. Cal. Civ. Code § 1798.150. Illinois’s Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., contains a broad private right of action for any violation, and that statute has generated thousands of class action lawsuits resulting in hundreds of millions of dollars in judgments and settlements. Most of the newer state privacy statutes — Iowa, Virginia, Colorado, Connecticut — exclude a private right of action entirely, leaving enforcement to the AG. That absence alone is a reliable indicator that the statute is business-friendly.
Exemptions: Who Is Covered and Who Is Not
Every state consumer data privacy statute contains exemptions. The breadth of those exemptions is a second strong indicator of whether a statute is consumer-friendly or business-friendly. Common exemptions include:
- Nonprofit entities — many statutes exempt nonprofits entirely, even large nonprofits like hospitals and universities that collect substantial quantities of personal data
- Small businesses — some statutes set high thresholds (e.g., 100,000 consumers processed per year) that effectively exempt most small and mid-sized businesses
- HIPAA-covered entities and data — most statutes defer to HIPAA for health data already covered by federal law, but the scope of what counts as “HIPAA-covered data” varies
- GLBA-regulated financial data — similarly, data already covered by the Gramm-Leach-Bliley Act is commonly exempted
- Employment data — some statutes exclude data collected in an employment context, meaning an employer can collect and process employee personal data without the consent and notice requirements that would apply to a consumer
Maryland’s MODPA is notable for taking a narrower approach to exemptions than most peer statutes. The MODPA explicitly limits the employee-data exemption and imposes requirements on nonprofit entities that other states have not. That is part of why practitioners identify MODPA as among the more consumer-protective statutes enacted to date.
Data Minimization and Purpose Limitation
Another meaningful differentiator is whether a statute imposes affirmative data minimization obligations. A data minimization requirement prohibits a business from collecting more personal data than is reasonably necessary for the disclosed purpose of the collection. A purpose limitation requirement prohibits a business from using data collected for one purpose for a materially different purpose without fresh notice and consent.
The MODPA contains both requirements. Under MODPA, a controller may not collect personal data beyond what is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.” That language closely tracks the EU General Data Protection Regulation (GDPR) Article 5(1)(c), which requires that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” Whether Maryland courts will interpret MODPA as aggressively as European data protection authorities have interpreted GDPR remains to be seen, but the statutory language signals legislative intent to impose genuine constraints on data collection practices.
Weaker statutes, by contrast, omit data minimization requirements and instead rely entirely on the opt-out framework: businesses can collect and process whatever data they want, and consumers bear the burden of finding and exercising opt-out rights on a website-by-website basis.
Cure Periods and Enforcement Mechanics
A cure period is a statutory provision that requires the AG to give a business notice of a violation and a specified window — often 30 to 90 days — to cure the violation before a formal enforcement action can be initiated. Business-friendly statutes include broad, unconditional cure periods. Consumer-friendly statutes either eliminate cure periods entirely or make them conditional on whether a violation is “curable” in the first place.
California’s CPRA eliminated the CCPA’s cure period as of January 1, 2023. Colorado’s privacy law allows the AG to exercise discretion in deciding whether to offer a cure opportunity. Virginia’s law contains a 30-day cure period that runs through 2025, after which the AG gains discretion. Iowa’s law maintains a 90-day cure period with no sunset — a significant business-friendly feature. The trend in more recently enacted statutes is to reduce or eliminate blanket cure periods, so a statute that still has an unconditional 90-day cure period is likely one that was shaped heavily by business lobbying.
What Businesses Operating Across Multiple States Should Do
- Map your data processing activities against the threshold tests of each state where you have customers — do not assume that because you are not incorporated in a given state you are not subject to its privacy statute
- Conduct a gap analysis comparing your current privacy program against the most demanding statute that applies to you — building to the highest standard typically creates compliance coverage across less-demanding statutes as well
- Review your consent mechanisms against the definitions of consent in each applicable statute — a single consent flow may satisfy Iowa’s standard but not Maryland’s
- Build data minimization into your product and engineering roadmaps — retrofitting minimization requirements into an existing data architecture is significantly more expensive than designing for them from the start
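The difference between the Iowa and Maryland definitions of “consent” quoted earlier, and the point that one consent flow may satisfy Iowa’s standard but not Maryland’s, can be made concrete as a small consent-record checker that an engineering team could run against the events its consent banner logs. This is an added example written for this page, not code from the article or from Revision Legal. The rule encodings are a simplified engineering reading of the quoted statutory text and are assumptions, not a legal determination; the record fields, action names, and sample records are constructed.

```python
"""Consent-record checker: evaluates a logged consent event against two
simplified rule sets modelled on the Iowa and Maryland "consent" definitions.

Added example for this page; the rule sets are an engineering reading of the
quoted statutory text (an assumption, not a legal determination).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Action(Enum):
    CLICK_ACCEPT = "click_accept"          # explicit "I agree" button
    WRITTEN_STATEMENT = "written_statement"
    CLOSE_BANNER = "close_banner"          # dismissed the banner without choosing
    HOVER = "hover"
    MUTE = "mute"
    PAUSE = "pause"
    NONE = "none"                          # consumer did nothing at all


@dataclass(frozen=True)
class ConsentRecord:
    action: Action
    purposes: tuple                        # purposes the consumer actually agreed to
    bundled_in_terms_of_use: bool = False  # buried in a general terms-of-use document
    dark_pattern: bool = False             # pre-ticked box, asymmetric buttons, etc.
    freely_given: bool = True
    informed: bool = True


# A rule is (name, predicate); the predicate returns True when the rule is satisfied.
Rule = tuple[str, Callable[[ConsentRecord, str], bool]]

# Gestures the Maryland text says are never consent.
PASSIVE_GESTURES = {Action.HOVER, Action.MUTE, Action.PAUSE, Action.CLOSE_BANNER}

IOWA_RULES: list[Rule] = [
    # "clear affirmative act": the Iowa text only rules out doing nothing;
    # what else counts as an "unambiguous affirmative action" is left open,
    # so dismissing a banner is not excluded by the definition itself.
    ("affirmative_act", lambda r, p: r.action is not Action.NONE),
    ("freely_given_and_informed", lambda r, p: r.freely_given and r.informed),
]

# Maryland keeps the Iowa-style requirements and adds purpose specificity
# plus the three explicit exclusions from the quoted definition.
MARYLAND_RULES: list[Rule] = IOWA_RULES + [
    ("for_a_particular_purpose", lambda r, p: p in r.purposes),
    ("not_bundled_in_terms_of_use", lambda r, p: not r.bundled_in_terms_of_use),
    ("not_passive_gesture", lambda r, p: r.action not in PASSIVE_GESTURES),
    ("no_dark_patterns", lambda r, p: not r.dark_pattern),
]


def evaluate(record: ConsentRecord, purpose: str, rules: list) -> tuple:
    """Return (valid, [names of failed rules]) for one processing purpose."""
    failed = [name for name, satisfied in rules if not satisfied(record, purpose)]
    return (not failed, failed)


def compare(record: ConsentRecord, purpose: str) -> dict:
    """Evaluate the same logged event under both rule sets."""
    return {
        "iowa": evaluate(record, purpose, IOWA_RULES),
        "maryland": evaluate(record, purpose, MARYLAND_RULES),
    }


# Constructed sample events, as a consent banner might log them.
SAMPLE_RECORDS = {
    "explicit_click": ConsentRecord(Action.CLICK_ACCEPT, ("targeted_advertising",)),
    "closed_banner": ConsentRecord(Action.CLOSE_BANNER, ("targeted_advertising",)),
    "bundled_tos": ConsentRecord(Action.CLICK_ACCEPT, ("terms_of_use",),
                                 bundled_in_terms_of_use=True),
    "did_nothing": ConsentRecord(Action.NONE, ()),
}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        purpose = "sale_of_personal_data" if name == "bundled_tos" else "targeted_advertising"
        print(name, compare(rec, purpose))
```

The practical takeaway for a consent flow is in the `closed_banner` and `bundled_tos` records: both pass the Iowa-style rules and fail the Maryland-style rules, so a banner that treats dismissal or a general terms-of-use click as consent needs a separate, purpose-specific affirmative step before it can be relied on under MODPA.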
The patchwork of state privacy laws is not going to consolidate into a single federal standard in the near term. Federal comprehensive privacy legislation has failed in Congress multiple times, and businesses that wait for federal preemption to simplify their compliance obligations are taking a significant risk. Contact the consumer data privacy and compliance attorneys at Revision Legal through the form on this page or call (855) 473-8474.