What is the future for privacy legislation and how should business leaders prepare?

April 1, 2022 - Virginia and Colorado made headlines in 2021 for passing comprehensive privacy legislation, not long after California passed similar legislation. Utah just joined their ranks after Gov. Spencer Cox (R) signed the Utah Consumer Privacy Act into law on March 24, 2022.

As business leaders prepare to bring their operations into compliance with new privacy statutes, they must certainly familiarize themselves with the frameworks in California, Virginia, Colorado and Utah. Understanding the statutory similarities and differences in these states will be critical to an effective compliance program.

But businesses should also evaluate their exposure in other states — and not just in those states actively considering privacy legislation. State attorneys general can, and will in appropriate circumstances, invoke existing consumer protection laws to safeguard consumers' privacy rights. The New York Attorney General's settlement with Zoom in May 2020 is a perfect example of how AGs will often rely on existing laws to demand that companies devote sufficient resources to ensuring the privacy and security of consumer data.

Momentum is gathering for state privacy laws

Consumer protection legislation, in any form, can be challenging to pass (or improve upon) — either with or without the support of a state AG. The fact that privacy advocates in Virginia, Colorado and Utah were able to work with stakeholders in the private sector, and public officials, to pass comprehensive privacy legislation speaks volumes about their dedication to these issues and the collaborative nature of their relationships on the ground. These relationships will continue to be critical as the state AGs and their staff prepare to interpret and enforce these new laws.

Whether it is through rulemaking in Colorado, or less formal guidance issued by the AGs in Virginia and Utah, there will be enormous pressure on the AGs in these three states to "get it right" at the risk of jeopardizing the ability of other states to pass similar legislation. Businesses looking to have a voice in these conversations should, when possible, engage in the rulemaking process in Colorado. The Colorado AG's webpage may be found here.

In Virginia and Utah, businesses should look for less formal opportunities to provide their perspectives to the state AGs — either by attending local working group sessions like the ones held in Virginia last year or relying on experienced state AG counsel to select the right time and place to engage with the AG.

Additional states are expected to pass comprehensive privacy laws, either in 2022 or 2023. As of early March 2022, for example, there were data privacy bills pending in almost half the states and territories, including Connecticut, Hawaii, Massachusetts, Minnesota, Oklahoma, and Wisconsin. Some of these bills carried over from 2021, but many are new and remarkably similar to the California Consumer Privacy Act. These similarities to the CCPA also make them quite similar to the new laws in Virginia, Colorado and Utah (a bonus for lawyers who must study, interpret and advise clients across multiple states), but it is anyone's guess what form these bills will take if eventually passed.

Some states are broadening the scope of their privacy laws

Although the Virginia, Colorado and Utah laws are remarkably similar, not every legislative proposal is tracking the California or Virginia model. Policymakers in Massachusetts are debating extraordinarily expansive proposals that would apply more broadly than even the CCPA, and which would allow consumers to bring private lawsuits for alleged violations.

Yet, the business community has been remarkably consistent in its opposition to state privacy laws containing a private right of action, so it will be interesting to see how the debate in Massachusetts unfolds. Massachusetts already has some of the most expansive state data security laws in the country, and data security matters have been high priorities for the Massachusetts AG's office in the past.

Therefore, it seems likely that the AG will be a formidable advocate for consumer privacy legislation in Massachusetts. When it comes to a private right of action, though, now that Virginia, Colorado and Utah have passed legislation delegating enforcement exclusively to the AGs, any proposal that allows for lawsuits by individual consumers will continue to face very long odds.

Other states are opting for less comprehensive approaches

But businesses monitoring state privacy legislation should keep in mind that certain policymakers may be interested in more incremental improvements to existing state consumer protection laws. Case in point: Nevada. The state's original online privacy law was first enacted in 2017 and required websites to inform consumers about their data practices by posting privacy policies.

The law was later amended in 2019 with SB 220 — a bill that was similar to the CCPA, but more limited. That amendment gave Nevada consumers the right to tell website operators not to sell certain personal information, but at the time, the law only applied to "operators" of websites and online services (whereas the CCPA applies both online and offline). With a more-recent amendment last year (SB 260), the law now also applies to certain "data brokers." The Nevada law does not give consumers the rights of access, portability and deletion that are the hallmarks of the CCPA and more comprehensive privacy legislation.

Yet, even in those states where consensus is elusive on comprehensive legislation, businesses should continue to monitor the legislative landscape. Even moderate proposals can profoundly affect a business' ability to share consumer data. This was certainly the case in Nevada. If nothing else, business leaders can take away two lessons from Nevada. First, privacy legislation is an iterative process, and state lawmakers will be comparing their respective progress in this area for years to come. Second, regardless of how "comprehensive" the proposal, state AGs will play a central role in enforcing these new laws.

In states without privacy statutes, AGs use consumer protection laws

State AGs are, in many ways, the experts in this area already. They have used their consumer protection statutes for years to conduct investigations and bring enforcement actions in response to data breaches and unfair or deceptive data collection and sharing practices, often on the premise that a company's action or inaction (for example, failing to implement reasonable safeguards) is a violation of the state's consumer protection law.

In some states, in fact, a variety of consumer protection claims are already available to the AG. In Nebraska, for example, it is unlawful for a business to knowingly make false or misleading statements in a privacy policy regarding the use of consumers' information, or to fail to implement reasonable safeguards to protect consumers' data.

Other AGs have brought and settled cases on the premise that the company gathered more information from consumers than reasonably necessary or expected by consumers. The 2013 settlement between Google and 38 AGs related to the company's Street View product, is a perfect example. In that case, the AGs alleged that Google's Street View vehicles improperly collected certain data from unsuspecting consumers and businesses when they traveled past unsecured wireless networks. The company agreed to certain changes to its business practices, in addition to supporting consumer education, as part of the settlement.

So, as state lawmakers look for progress in the realm of consumer privacy, businesses should familiarize themselves with the important role already played by state AGs — both in anticipation of the AGs' expanding authority in states like Colorado, Virginia and now Utah, and to truly appreciate the data collection and handling risks that already exist under most state consumer protection laws.