About twenty States around the country have enacted some version of a consumer data privacy or protection statute. Six such statutes were enacted in 2024, with another six slated for legislative action going into the next year. When a new consumer data protection statute is passed for consumers and businesses, among the first questions asked is whether the data protections are strong or weak. In general, business interests resist these types of statutes and regulations, while consumers want more and enhanced protections for their data. There is always a heated legislative debate to shape the statute itself, and business interests often succeed in weakening the protections. Business interests have also successfully gotten one proposed data protection statute vetoed by the State’s Governor (New Hampshire). See the media report here.

To be honest, these consumer data privacy/protection statutes are now a bit “cookie-cutter.” That is, it is very clear that a statutory template is being used when State Legislatures begin to consider enacting new statutes. There are obvious reasons why this sort of formulaic approach to lawmaking can be bad. However, on the plus side, template-style statutes make it easier to compare and contrast the statutes. This then provides a somewhat easy method of determining if a consumer data privacy statute is “strong” or “weak” — this might also be termed “business friendly” or “consumer friendly.”

For example, one hotly debated issue concerns how “consent” is defined. In all of these statutes, for certain types of data processing and other activities — such as selling/sharing data or processing data for purposes of targeted advertising — controllers of data are required to obtain a consumer’s “consent.” A “business friendly” (or “weak”) consumer data privacy statute will contain a vague definition of “consent” that, ultimately, allows businesses (and regulators) to deem consent to exist through so-called negative actions. A “negative action” is when the consumer does nothing, and that is deemed a form of consent. The Iowa Act Concerning Consumer Data Protection provides a good example:

“6. “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”

Legally, doing nothing is deemed in many cases to be an “affirmative action.” This definition of “consent” is very weak compared to other similar statutes. Thus, from just this one example, we can rightly determine that the Iowa statute is “business-friendly.”

On the other hand, we see a vivid contrast in the definition of “consent” in the Maryland Online Data Privacy Act (“MODPA”). The MODPA defines consent as follows:

“G) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose. “Consent” includes: (i) a written statement; (ii) a written statement by electronic means (iii) or any other unambiguous affirmative action.

“Consent does not include: (i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information; (ii) hovering over, muting, pausing, or closing a piece of consent; or (iii) agreement obtained through the use of dark patterns.”

From this definition, we can rightly see that the Maryland statute is “consumer friendly.”

There are a number of other issues which can be used to identify “strong” and “weak” data protection statutes. These include:

• Whether nonprofit entities are exempt
• Whether the statute applies when a consumer is “acting in an employment capacity”
• Whether the right to correct and delete data is limited only to the data supplied by the consumer or applies to all data held by the controller
• Whether controllers must accept “universal” privacy choices (though things like browser settings, apps, add-ons, etc.)
• Whether documented data assessment reports are mandated
• And more

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.