January 28 is International Privacy Day, and this day is an opportunity to learn about recent developments in the legal landscape for privacy law. It is also a good opportunity to highlight how far privacy rights have come, and in particular, to provide a synopsis of the recent progress in the United States in enacting comprehensive privacy laws.
What is International Privacy Day?
In 2007, the Council of Europe designated January 28 of each year as “Data Protection Day” to raise awareness among governments and businesses of the importance of protecting individuals’ privacy online and to encourage governments to promote respect for the privacy rights of their citizens. The Council chose that date because of its significance 26 years earlier: on January 28, 1981, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) was opened for signature, making it the first binding international treaty on the protection of personal data. In 2009, the United States Congress passed resolutions with similar objectives, naming that day “National Data Privacy Day.” In the years since, many countries around the globe have developed their own systems for protecting the privacy rights of individuals, some more robust than others, and in many ways the constructs for privacy rights that the United States and the EU have developed have served as models for others to follow.
State of the Continents
In the years since, Europe has created a viable comprehensive privacy infrastructure, now in large part centered around the EU’s General Data Protection Regulation (GDPR). This infrastructure includes legal standards, regulatory processes, oversight authorities, and concepts for businesses to implement with suppliers, customers and partners, and in many ways it has influenced both the legal framework and even the terminology that many countries are applying to their own privacy regimes. On the other side of the Atlantic, the U.S. has not enacted comprehensive, nationwide privacy legislation. Instead, over the years the federal government has enacted numerous effective privacy laws and implemented regulations that are sectoral in nature, meaning they establish privacy protection rules specific to designated industries or sectors of the economy. The Health Insurance Portability and Accountability Act (HIPAA) for healthcare, the Telephone Consumer Protection Act (TCPA) for telemarketing and automated calls, and the Gramm-Leach-Bliley Act (GLBA) for the financial sector come to mind. But there is no privacy law in the U.S. that applies across all industries and to a broad class of entities, as is the case in Europe. A number of bills have been introduced to try to do so, but so far only one has seemed likely to pass. In 2022, legislation titled the “American Data Privacy and Protection Act,” or ADPPA, was introduced to establish comprehensive federal protection for online privacy. It provided a number of protections and procedural options for consumers, limited the transfer and processing of certain data (such as Social Security numbers), and required data minimization by large-scale data collectors, among other provisions. The Federal Trade Commission would have had rulemaking authority to implement the ADPPA. The ADPPA appeared to have strong bipartisan support, and it was widely seen as having a good chance of enactment.
That support was not enough: the bill was opposed by certain large technology companies and other interests, and competing bills sapped what momentum it had. The 117th Congress ended without its passage.
State of the States
Among the U.S. states, comprehensive legislation has been progressing, with a significant uptick in the last twelve months, and a synopsis of the “state of the states” is worth reporting on, because the various and diverse state requirements will likely have the greatest impact on U.S. privacy compliance in the absence of a federal counterpart.
As of January 2024, 13 states have enacted comprehensive privacy laws. Many others have privacy laws aimed at specific sectors or narrowly tailored issues (as but one example, laws governing the use of aerial drones for surveillance are a growing trend), but at the state level the main focus has been on comprehensive statutes and their implementing regulations. At least 59 bills of this kind have been introduced at the state level in the last seven years, with 13 becoming law: seven of those in 2023, and the most recent, New Jersey’s, on January 16, 2024. California took the lead in 2018 with the California Consumer Privacy Act (CCPA), which has garnered the most attention; other states took a little more time in developing their own versions. Since then, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware and, just over a week ago, New Jersey have followed suit. However, only six states in total currently have enforcement mechanisms in place; the remainder will roll out actual enforcement over the next two years. Only 14 states have not seen comprehensive privacy bills introduced. If this trend continues, the states are well on their way to filling the legislative void at the federal level within the next few years.
Impact of the States
Just to provide some context for the potential impact of these state laws: there is much in common among them, but the differences are what stand to cause the most confusion in the marketplace. All 13 require some form of privacy notice; California requires notice at the time of data collection, the others prior to use of the data. All require businesses to respond to consumer requests within specific windows (ranging from 45 to 90 days), but most do not try to dictate a specific process. Seven of the states have or will soon require universal opt-out processes by which consumers can demand that their personal information be excluded from use, a growing trend in the privacy field and one that is often difficult to implement. Nine of the states require sellers or processors of personal data to conduct effective risk assessments, and all require some degree of technical, administrative and physical security procedures.
All 13 of the states’ laws have exemptions based on the nature of the data and the nature of the entity (government, business, nonprofit, etc.). All but California exempt commercial business-to-business data, a factor that by itself makes the CCPA extremely relevant to companies nationwide that do business in that state. The state laws also exempt data that is already regulated at the federal level by HIPAA, GLBA, and other specific federal laws. One of the issues under debate for a federal comprehensive law has been whether state privacy laws would be preempted by the federal law, an important issue affecting the future of EU-U.S. cross-border data transfers. Those exemptions are more than a mere nod to the federal sectoral laws; they stand to prevent the enacted state laws from being overruled judicially and perhaps minimize the risk of Congress enacting a future federal comprehensive law that expressly preempts those state laws, the logic being that there is no need for preemption if the states are already building in the mechanisms for state and federal laws to mesh. Conversely, though, if too many states have their own laws that ultimately conflict with each other too much, that could cry out for preemption, if only to simplify the compliance requirements nationwide. Another interesting aspect of the state laws so far is that they do not impose legal obstacles based solely on cross-border (interstate or international) transfers of data, as is the case with the GDPR in Europe, perhaps to avoid the commercial “roadblocks” that the EU has imposed on itself.
New Hampshire will likely be the next state to enact a comprehensive privacy law. Senate Bill 255 cleared the legislative hurdles earlier this month and awaits the governor’s signature. It would become effective in January 2025. Given the rapid increase in enactments in the past 12 months, the states’ patchwork of privacy laws may soon make any federal legislation moot; if only the state laws were more uniform!
What about in my own backyard?
For our clients in North Carolina, the news is a mixed bag. The state senate introduced Senate Bill (SB) 525 in April of 2023, titled the North Carolina Consumer Privacy Act. It is similar in substance to the laws of several other states, though it diverges in key aspects from those of California and Colorado. The bill does not provide for a private right of action, so suits for violations would have to be initiated by the Attorney General, who would have exclusive enforcement authority (California allows individuals to file suit, but only for data breaches). Of interest, this bill would allocate damages for violations across the various data controllers and processors responsible for a violation, rather than focusing on just one culprit. The bad news is that this bill has sat in committee since April of 2023 with no sign of movement. The good news is that it is not alone, which suggests a strong desire among North Carolina legislators to enact reasonable privacy laws. Various sectoral privacy bills are also in committee and have been for months: House Bill (HB) 564 for financial privacy; SB 733 for identity theft protection; HB 828 (companion to SB 603) addressing confidentiality of animal services records; HB 778 (companion to SB 104) concerning privacy for criminal booking photographs; SB 367 pertaining to intercepted communications; SB 330 to protect judges’ personal information; and HB 644 concerning social media algorithmic control. All have been in committee for most of 2023. The point is that these bills show how much North Carolina does care about privacy and data security, and hopefully this legislation will be pushed along soon. Perhaps 2024 will be the year!