How to Know if Your State’s Consumer Data Protection Act is Strong or Weak

by John DiGiacomo

Partner

Internet Law

About twenty States around the country have enacted some version of a consumer data privacy or protection statute. Six such statutes were enacted in 2024, with another six slated for legislative action going into the next year. When a new consumer data protection statute is passed for consumers and businesses, among the first questions asked is whether the data protections are strong or weak. In general, business interests resist these types of statutes and regulations, while consumers want more and enhanced protections for their data. There is always a heated legislative debate to shape the statute itself, and business interests often succeed in weakening the protections. Business interests have also successfully gotten one proposed data protection statute vetoed by the State’s Governor (New Hampshire). See the media report here.

To be honest, these consumer data privacy/protection statutes are now a bit “cookie-cutter.” That is, it is very clear that a statutory template is being used when State Legislatures begin to consider enacting new statutes. There are obvious reasons why this sort of formulaic approach to lawmaking can be bad. However, on the plus side, template-style statutes make it easier to compare and contrast the statutes. This then provides a somewhat easy method of determining if a consumer data privacy statute is “strong” or “weak” — this might also be termed “business friendly” or “consumer friendly.”

For example, one hotly debated issue concerns how “consent” is defined. In all of these statutes, for certain types of data processing and other activities — such as selling/sharing data or processing data for purposes of targeted advertising — controllers of data are required to obtain a consumer’s “consent.” A “business friendly” (or “weak”) consumer data privacy statute will contain a vague definition of “consent” that, ultimately, allows businesses (and regulators) to deem consent to exist through so-called negative actions. A “negative action” is when the consumer does nothing, and that is deemed a form of consent. The Iowa Act Concerning Consumer Data Protection provides a good example:

“6. “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”

Legally, doing nothing is deemed in many cases to be an “affirmative action.” This definition of “consent” is very weak compared to other similar statutes. Thus, from just this one example, we can rightly determine that the Iowa statute is “business-friendly.”

On the other hand, we see a vivid contrast in the definition of “consent” in the Maryland Online Data Privacy Act (“MODPA”). The MODPA defines consent as follows:

“G) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose. “Consent” includes: (i) a written statement; (ii) a written statement by electronic means; or (iii) any other unambiguous affirmative action.

“Consent does not include: (i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information; (ii) hovering over, muting, pausing, or closing a piece of content; or (iii) agreement obtained through the use of dark patterns.”

From this definition, we can rightly see that the Maryland statute is “consumer friendly.”

There are a number of other issues which can be used to identify “strong” and “weak” data protection statutes. These include:

  • Whether nonprofit entities are exempt
  • Whether the statute applies when a consumer is “acting in an employment capacity”
  • Whether the right to correct and delete data is limited only to the data supplied by the consumer or applies to all data held by the controller
  • Whether controllers must accept “universal” privacy choices (through things like browser settings, apps, add-ons, etc.)
  • Whether documented data assessment reports are mandated
  • And more

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
