New state privacy initiatives turn up heat on Congress

Congress is coming under increasing pressure to create a federal framework for data privacy laws as states forge ahead with their own plans.

Virginia is poised to become the second state to pass a data privacy bill this week, with several other states considering proposals that vary in regulation standards and enforcement practices, potentially creating the kind of privacy patchwork that the tech industry has been warning about for years.

Those states would follow in the footsteps of California, which passed a comprehensive privacy bill in 2018 before expanding it through a ballot measure in November.

“Just California in and of itself has [had] a major impact because it’s such a large state economy,” said Omer Tene, vice president of the International Association of Privacy Professionals. “Even without other states joining the fray, there was a lot of pressure building in Washington, D.C., to pass federal privacy legislation, if only to put in place something that preempts California law.”

“Now you add to that the splintering of the environment to different laws — each one requiring slightly different things because there is no harmonization at the state level — and that increases exponentially the headache for compliance officers and privacy officers and counsel at companies that have to now start just watching,” he added.

Virginia’s state Senate unanimously passed its Consumer Data Protection Act last week after the House passed a companion bill at the end of January. The legislature has until Thursday to reconcile the bills, after which the legislation heads to Gov. Ralph Northam’s (D) desk.

The governor’s office did not respond to a request for comment on whether Northam would sign the measure.

Virginia’s data privacy bill would give consumers the right to opt out of having their personal data processed for targeted advertising and the right to confirm if their data is being processed.

If signed into law, the provisions would take effect in 2023 and apply to all businesses that control or process the personal data of at least 100,000 consumers, derive more than 50 percent gross revenue from the sale of personal data or process the personal data of at least 25,000 consumers.

Unlike the data privacy bill in California, however, Virginia’s version lacks a private right of action, meaning individuals are limited in their ability to sue, leaving enforcement largely up to the state attorney general.

Other state proposals are in the works. Lawmakers in Washington state restarted debate on a privacy bill similar to Virginia’s last month, Gov. Andrew Cuomo (D) has backed a proposal in New York and Oklahoma and Utah are currently weighing proposals.

“The endgame is federal privacy legislation, there’s no doubt about that … the variables are when and what does that look like,” said David Stauss, a partner at Husch Blackwell who focuses on privacy and cybersecurity.

But efforts to establish a framework at the federal level have sputtered in recent years, with Democrats and Republicans agreeing on most basic tenets while remaining far apart on whether legislation should preempt state bills and if consumers should have the right to sue companies over data misuse.

The prospects for a breakthrough are higher than they have been before, though, with the combination of state pressure and Democratic control of the Senate and White House for the first time in a decade.

“These efforts only heighten the need for a federal framework on digital privacy and consumer protection, incorporating not just traditional privacy protections but also measures on things like dark patterns,” said Sen. Mark Warner (D-Va.) of his state working to craft a comprehensive privacy law.

Rep. Suzan DelBene (D-Wash.), who along with Warner and other Democrats reintroduced a privacy bill focused on the pandemic last month, said that in the absence of a federal standard, “states are going at this on their own.”

“While there’s a role for states to play here, without a national standard your rights would change as you travel from state to state,” she said in a statement to The Hill. “That won’t work in our digital world.”

Industry groups are expected to ramp up the pressure on Congress as well.

“The threat of a patchwork is real,” said Craig Albright, vice president of legislative strategy at the trade group BSA | The Software Alliance.

“The compliance problems with multiple states having their own privacy regimes is still an issue without a national standard compliance,” the group’s senior director of state advocacy Tom Foulkes added.

Sen. Richard Blumenthal (D-Conn.) said state efforts could motivate opponents of a federal privacy bill to change their tune.

“The special interests that have resisted privacy rules for decades have to decide whether they want to continue the uphill fight against each state legislature and ballot initiative, or whether they are ready to come to the table on strong and enforceable national standards,” he told The Hill in a statement.

And while Senate Republicans can still block privacy bills with a filibuster, Democrats in the Senate can at least push bills through committees and schedule floor votes on them. Having President Biden in the White House should also help Democratic efforts, according to Tene.

“The Biden administration itself, I think, can be expected to be more proactive on this,” he said.

“The Trump administration wasn’t obstructionist, they didn’t try to prevent federal privacy legislation, but they didn’t try to shepherd it through either. One can expect the Biden administration to be more proactive on this front.”