States that have enacted data privacy laws and those pursuing them are migrating into disparate camps in their approaches to privacy protections, setting up a clash if Congress enacts federal legislation.
In the absence of nationwide policy, 13 states have enacted their own laws. California, the first state in the nation to pass a comprehensive law, formed a camp of its own with its 2020 measure that allows consumers to directly sue tech and online companies over data breaches involving personal information such as names, Social Security numbers and email addresses.
Twelve other states have taken a different approach, modeled on a bill that was first proposed in Washington state in 2019 but has so far not been passed there. Data privacy laws now in effect in Colorado, Connecticut, Delaware, Indiana, Iowa, Florida, Montana, Oregon, Texas, Tennessee, Utah and Virginia don’t allow individuals to sue tech companies for data breaches, and instead offer consumers a mix of basic and substantive protections.
California and the other states are similar in that each allows its attorney general to bring lawsuits against companies for violations.
Privacy advocates who are lobbying for action in other states, however, are pushing in another direction: a bipartisan congressional proposal that was approved in the House Energy and Commerce Committee in 2022 but failed to get broader support in Congress. That proposal would seek to minimize data collection.
Members of Congress from both parties, including Sen. Maria Cantwell, D-Wash., chair of the Senate Commerce Committee, and Rep. Cathy McMorris Rodgers, R-Wash., chair of the House Energy and Commerce Committee, have pledged to pursue federal data privacy legislation in the current session.
They are under pressure to act because of the rapid onset of artificial intelligence systems that use large volumes of data, threatening to worsen privacy protections for Americans. But with the November election fast approaching, Congress has little time left to reach consensus and pass a law that has eluded it for years.
Legislatures in seven other states are considering dozens of privacy bills in 2024.
Mozilla, a nonprofit foundation and maker of the Firefox web browser, wrote to lawmakers in Massachusetts and Maine on Jan. 11 asking them to consider proposals modeled on the stalled federal legislation instead of the Washington state model.
The letter’s author, Noam Kantor, a senior public policy analyst at the nonprofit, said in an interview that Mozilla wants tougher standards for a key element of privacy known as data minimization that was included in the federal proposal but not in many state ones.
Data minimization asks companies to collect only the data necessary to provide a service or sell a product.
Laws in states such as Connecticut act like they call for data minimization, but they’re “actually not really putting any constraints on the kind of use and abuse of data we see in the marketplace,” Kantor said. “And that worries us because data minimization to Mozilla is a really important factor of privacy law.”
The Connecticut law says companies and other entities “must limit collection of personal data to what is adequate, relevant and reasonably necessary for the disclosed purposes for which the data is processed.”
The federal proposal from 2022 says that any entity covered by the legislation “may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate.” But it also goes on to list more than a dozen “permissible purposes” for which data may be collected, a prescriptive clause that some of the other laws lack.
Washington state Sen. Joe Nguyen, who chairs the chamber’s Environment, Energy, and Technology Committee, was an author of the 2019 data privacy proposal in that state. He said in an interview that many legislatures and state regulatory agencies lack the wherewithal to enact technology legislation that is specific and prescriptive.
The data minimization requirement in the Washington proposal was a “constant [under] the philosophy that you should minimize the data that you’re using from consumers as best as possible,” he said.
The proposal, sponsored by former Washington state Sen. Reuven Carlyle, was left open-ended to avoid a situation in which technology “becomes moot and then you have to pass another law to fix it,” said Nguyen, a Microsoft executive before entering politics.
That’s a big problem for part-time state legislatures with minimal staff that may not be adept enough to rapidly amend laws, Nguyen said. Additionally, some states lack the expertise and resources to develop legislation from scratch and must borrow proposals from elsewhere.
So why has Washington failed to enact data privacy legislation? Nguyen said the five unsuccessful attempts are attributable to consumer advocates pushing to include a private right of action similar to California’s provision.
The authors of the Washington proposal chose to vest enforcement power in the attorney general because “when you’re talking tech companies with trillions of dollars, people will sue you just to sue you and hope for a settlement,” Nguyen said.
Yet Washington’s model, which adapted many parts of the European Union’s privacy law known as General Data Protection Regulation, “has had a lot of influence,” said Kate Goodloe, managing director at BSA Software Alliance, a trade group that represents more than 40 firms including Cisco Systems Inc., Oracle Corp. and Microsoft Corp.
“That approach creates a new set of privacy rights for individuals and set of obligations on businesses, including both consumer-facing businesses and business-to-business data processors,” she said in an interview. Privacy laws in Virginia, Connecticut and Colorado use the same structure “but add more substantive protections for consumers.”
Other states use it as an anchor but have removed some protections.
In the meantime, Washington state still lacks a law.
Nguyen said he won’t reintroduce the measure this year. “You only can fit so much stuff in at any given time, and knowing that this policy is very tough, and it’s failed multiple times, I don’t want to spend my time working on a policy that I know is going to be controversial when there are other things that I need to do.”