When it comes to updating data privacy laws, here's what's happening at the state level
Data privacy legislation is a difficult topic to get your head around. There can be multiple dimensions, sector-specific rules, and various national and, in some cases (such as in the US), local laws enacted to cover a multitude of issues.
The good news is that there are several US states which are on track to pass new data privacy laws during 2021. Some of these laws focus on consumer protection, while others concentrate on regulating data brokers or how ISPs should protect their customers’ data. Let’s review the progress and what is being proposed.
The modern data privacy movement in the US got its start back in 2008 with Illinois’ Biometric Information Privacy Act. The area got a major boost with the passage of the EU’s General Data Protection Regulation (GDPR) back in 2016, which took effect in 2018, and increased international discourse on comprehensive privacy legislation. Since then, California has enacted a comprehensive privacy law, the California Consumer Privacy Act (CCPA), and voted for strengthening those protections last November by creating a new consumer privacy agency.
Meanwhile, Alabama, Arizona, Florida, Connecticut, Kentucky, New York, and Virginia (which could have a new law this month) are all contemplating their own series of laws that mirror some aspects of the GDPR and the CCPA as well. This post has a nice summary of the laws being proposed for 2021. Some states, such as Washington, have tried to pass laws in the past several years but haven’t been successful — yet.
Any good data privacy law should really encompass the following seven basic rights for consumers:
Some laws have various limits placed on how big a business has to be before being subjected to these rules. For example, Oklahoma is considering a law that says companies must earn at least $10 million in annual sales or a quarter of their revenues from data sales and data brokers who have at least 50,000 consumers. Other laws, such as being proposed in Nevada, just require data brokers to annually register with the Secretary of State. That isn’t much protection, to be sure— almost every kind of business has to register themselves anyway.
Some states, such as California, have created their own privacy enforcement agencies to bring violators to justice. In other states, consumers can initiate their own privacy-related lawsuits, rather than waiting for governments to take action.
Other states are looking at laws that protect the private data held by various ISPs operating in that state, such as Nevada, Minnesota and Maine. These laws prevent ISPs from sharing or selling data. Some laws are even more specific, such as Connecticut and Delaware, which both require employers to give notice to employees prior to monitoring email communications or Internet access. And Colorado and Tennessee require states and other public entities to adopt a policy related to the monitoring of public employees' email.
The aforementioned Fast Company article summarizes these developments by saying that “2021 could be the year that privacy laws become more pervasive in the US.”
If you are looking to do your own legal research, you might want to start with the NCSL website, which lists the actual law citations for each state and links to various state privacy portals that have been set up by their governments. This post also has links to laws in Canada, the EU and elsewhere about new privacy developments.
Finally, given Vice President Harris’ involvement in setting up various California privacy laws when she was Attorney General, we can expect her to take the lead on new federal legislative privacy protections. However, figuring out your individual rights varies from country to country and from state to state, so it's wise to practice patience when figuring out the exact rights that you have.
As more communities install automated license plate readers (APLRs) to monitor vehicle traffic, there are growing concerns about the privacy and efficacy of these tools.
It's encouraging that Google is recognizing that users care about privacy. However, user data is still ultimately a product being sold to advertisers.