Partner
About twenty States around the country have enacted some version of a consumer data privacy or protection statute. Six such statutes were enacted in 2024, with another six slated for legislative action going into the next year. When a new consumer data protection statute is passed for consumers and businesses, among the first questions asked is whether the data protections are strong or weak. In general, business interests resist these types of statutes and regulations, while consumers want more and enhanced protections for their data. There is always a heated legislative debate to shape the statute itself, and business interests often succeed in weakening the protections. Business interests have also successfully gotten one proposed data protection statute vetoed by the State’s Governor (New Hampshire). See the media report here.
To be honest, these consumer data privacy/protection statutes are now a bit “cookie-cutter.” That is, it is very clear that a statutory template is being used when State Legislatures begin to consider enacting new statutes. There are obvious reasons why this sort of formulaic approach to lawmaking can be bad. However, on the plus side, template-style statutes make it easier to compare and contrast the statutes. This then provides a somewhat easy method of determining if a consumer data privacy statute is “strong” or “weak” — this might also be termed “business friendly” or “consumer friendly.”
For example, one hotly debated issue concerns how “consent” is defined. In all of these statutes, for certain types of data processing and other activities — such as selling/sharing data or processing data for purposes of targeted advertising — controllers of data are required to obtain a consumer’s “consent.” A “business friendly” (or “weak”) consumer data privacy statute will contain a vague definition of “consent” that, ultimately, allows businesses (and regulators) to deem consent to exist through so-called negative actions. A “negative action” is when the consumer does nothing, and that is deemed a form of consent. The Iowa Act Concerning Consumer Data Protection provides a good example:
“6. “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”
Legally, doing nothing is deemed in many cases to be an “affirmative action.” This definition of “consent” is very weak compared to other similar statutes. Thus, from just this one example, we can rightly determine that the Iowa statute is “business-friendly.”
On the other hand, we see a vivid contrast in the definition of “consent” in the Maryland Online Data Privacy Act (“MODPA”). The MODPA defines consent as follows:
“G) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose. “Consent” includes: (i) a written statement; (ii) a written statement by electronic means (iii) or any other unambiguous affirmative action.
“Consent does not include: (i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information; (ii) hovering over, muting, pausing, or closing a piece of consent; or (iii) agreement obtained through the use of dark patterns.”
From this definition, we can rightly see that the Maryland statute is “consumer friendly.”
There are a number of other issues which can be used to identify “strong” and “weak” data protection statutes. These include:
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
The answer to this question is complex and nuanced. In the last decade or so, it has become fashionable to insist there is some stark dichotomy between what a trademark is and what a brand is. But the difference is not as stark as some marketers would like you to believe. The traditional definition of […]
Read more about Is a “Trademark” the Same Thing as a “Brand”?
The Circle R and the TM symbols both relate to trademarks and both can be physically placed on products, packaging, advertising materials, websites, etc. The Circle R symbol is an “R” enclosed in a circle (®). While both are trademark-related symbols, there are different eligibility requirements for use, meanings, and implications. Here is a quick […]
Read more about Trademarks: What is the Difference Between the Circle R and TM Symbols?
E-commerce businesses must comply with federal and State-level advertising laws and regulations. This is true of any business. But e-commerce businesses face special challenges because there is a whole array of potential methods of innocently, accidentally, or intentionally violating advertising laws. These include the potential to engage in false and deceptive advertising practices, such as […]
Read more about Is Your E-Commerce Advertising in Compliance With Existing Laws?