An update on data privacy and protection legislation

David Strom 9 Mar 2021

When it comes to updating data privacy laws, here's what's happening at the state level

Data privacy legislation is a difficult topic to get your head around. There can be multiple dimensions, sector-specific rules, and various national and, in some cases (such as in the US), local laws enacted to cover a multitude of issues.

The good news is that there are several US states which are on track to pass new data privacy laws during 2021. Some of these laws focus on consumer protection, while others concentrate on regulating data brokers or how ISPs should protect their customers’ data. Let’s review the progress and what is being proposed.

Further reading:
What’s up with WhatsApp
Helsinki becomes the first city to employ new data trust network

The modern data privacy movement in the US got its start back in 2008 with Illinois’ Biometric Information Privacy Act. The area got a major boost with the passage of the EU’s General Data Protection Regulation (GDPR) back in 2016, which took effect in 2018, and increased international discourse on comprehensive privacy legislation. Since then, California has enacted a comprehensive privacy law, the California Consumer Privacy Act (CCPA), and voted for strengthening those protections last November by creating a new consumer privacy agency.

Meanwhile, Alabama, Arizona, Florida, Connecticut, Kentucky, New York, and Virginia (which could have a new law this month) are all contemplating their own series of laws that mirror some aspects of the GDPR and the CCPA as well. This post has a nice summary of the laws being proposed for 2021. Some states, such as Washington, have tried to pass laws in the past several years but haven’t been successful yet. 

Here's what to look for in data privacy laws

Any good data privacy law should really encompass the following seven basic rights for consumers:  

  1. The right to be informed about the collection and use of consumers’ personal data at the time the data is obtained. This should, in particular include how sensitive data such as biometric data is collected. 

  2. The right for consumers to access their data, including copies of the data and further information on the means of collection, what's being processed, and with whom it is shared. 

  3. The right to correct mistakes in these collections, or to request timely erasure. This can be particularly important for consumers where decisions that affect them might be made on the basis of this data.

  4. The right to restrict processing of data. 

  5. The right to data portability, without impacting the usability of the data. UK banks, for example, now have to guarantee this to allow customers to move accounts more readily. The US Health and Human Services agency is even contemplating the ability of patients to obtain full copies of their medical records.  

  6. The right for consumers to object to how their information is used for marketing, sales, or non-service-related purposes.

  7. The rights of third-party users, such as advertisers, of your data. This has been a key sticking point for Facebook, for example, and the basis of the Cambridge Analytica scandal a few years ago. 

Some laws have various limits placed on how big a business has to be before being subjected to these rules. For example, Oklahoma is considering a law that says companies must earn at least $10 million in annual sales or a quarter of their revenues from data sales and data brokers who have at least 50,000 consumers. Other laws, such as being proposed in Nevada, just require data brokers to annually register with the Secretary of State. That isn’t much protection, to be sure almost every kind of business has to register themselves anyway.

Some states, such as California, have created their own privacy enforcement agencies to bring violators to justice. In other states, consumers can initiate their own privacy-related lawsuits, rather than waiting for governments to take action.

Other states are looking at laws that protect the private data held by various ISPs operating in that state, such as Nevada, Minnesota and Maine. These laws prevent ISPs from sharing or selling data. Some laws are even more specific, such as Connecticut and Delaware, which both require employers to give notice to employees prior to monitoring email communications or Internet access. And Colorado and Tennessee require states and other public entities to adopt a policy related to the monitoring of public employees' email.

Where to go for additional legislation information

The aforementioned Fast Company article summarizes these developments by saying that “2021 could be the year that privacy laws become more pervasive in the US.”

If you are looking to do your own legal research, you might want to start with the NCSL website, which lists the actual law citations for each state and links to various state privacy portals that have been set up by their governments. This post also has links to laws in Canada, the EU and elsewhere about new privacy developments.

Finally, given Vice President Harris’ involvement in setting up various California privacy laws when she was Attorney General, we can expect her to take the lead on new federal legislative privacy protections. However, figuring out your individual rights varies from country to country and from state to state, so it's wise to practice patience when figuring out the exact rights that you have. 

--> -->