August 22, 2022 - In our previous article in this series, published on April 1, we focused on the emergence of state privacy laws and emphasized the important role that state attorneys general (AGs) play in privacy enforcement — even in those states without comprehensive privacy legislation. In this article we will consider Congress' prospects for passing federal privacy legislation, including the recently introduced American Data Privacy and Protection Act (ADPPA), and the critical part state AGs will play in the search for a solution at the federal level. "What is the future for privacy legislation and how should business leaders prepare?"
Introduced in late June 2022, the ADPPA made headlines for having been introduced with bipartisan support in Congress, unlike most federal privacy legislation to date. Not surprisingly, given their prior support for the concept of a federal privacy law, AGs were quick to weigh in.
On July 19, for example, California AG Rob Bonta and nine other AGs sent a joint letter to congressional leaders expressing their support for the ADPPA. But that support came with a catch. According to the AGs, any new federal privacy law, including the ADPPA, must be a "floor, not a ceiling, for critical privacy rights," and must not preempt existing state privacy laws. In other words, if Congress wants the AGs' support, any federal bill must allow the states to pass future, and potentially more expansive, privacy legislation.
So how will Congress respond? That remains to be seen. But it seems safe to say, if history is any indication, that federal privacy legislation will never pass without the AGs' support on the appropriate scope of preemption.
Connecticut joins the fray
In the meantime, as states continue to pass their own comprehensive state privacy laws, the challenges for businesses are growing. The Connecticut General Assembly, for example, passed the Connecticut Data Privacy Act (DPA) in late April, becoming the fifth state in the nation to enact a comprehensive consumer privacy law.
The DPA becomes effective July 1, 2023, and not surprisingly, bears a striking resemblance to privacy legislation passed in both Colorado and Virginia, including a provision giving exclusive enforcement authority to the Connecticut AG. When state legislatures reconvene later this year and in early 2023, there is no reason to believe the momentum for passing state privacy legislation will be diminished.
Dobbs has pushed privacy even more into the spotlight
If anything, an increasingly divided electorate seems to be finally paying attention to this issue — and their state AGs are responding in kind. Since the U.S. Supreme Court's decision in Dobbs v. Jackson Women's Health Organization, for example, privacy in the context of women's choices with respect to reproductive health care has become the subject of intense discussion by businesses and consumers alike.
In response, we have seen state AGs, including the Michigan and California AGs, placing prominent reminders on their websites and issuing press releases to alert consumers and businesses as to when and how technology companies may collect and share private health data or location information.
To be clear: Dobbs didn't change the privacy equation for state AGs who care about these issues; rather, it gave AGs another opportunity to articulate why privacy matters to their constituents. In the wake of Dobbs, those arguments may be even more difficult for Congress to ignore.
California Privacy Protection Agency Board adds its voice to the AG chorus
Accordingly, as more states pass, and ultimately move to enforce, comprehensive state privacy laws, or otherwise create new privacy rights to protect their residents following the Dobbs decision, the arguments outlined in AG Bonta's letter only get more persuasive.
As the AGs made clear in their letter, their opposition to preemption is resolute, and giving the AGs concurrent enforcement authority will never be a solution. Rather, the objection centers on preserving the states' ability to legislate quickly and appropriately in the face of changing business practices and consumer expectations.
The AGs are not alone in voicing their opposition to preemption. On July 28, the California Privacy Protection Agency Board, too, weighed in, voting unanimously to oppose the ADPPA due to concerns that, as drafted, the legislation would preempt the California Consumer Privacy Act.
So, while the AGs may support federal privacy legislation because it benefits consumers and even certain businesses, few AGs will concede that preemption of existing, or future, state privacy legislation is appropriate. State AGs have been enforcing their data privacy expectations vis-a-vis their consumer protection statutes for decades — and even those states without comprehensive state privacy laws will continue to use those consumer protection laws for privacy enforcement long after the debate over federal privacy legislation is resolved.
Businesses need to watch for clues to understand how AGs will enforce privacy laws
In the meantime, businesses should be paying close attention to all state AG activity in this space, including activity that occurs outside the states of California, Virginia, Colorado, Utah and Connecticut. This activity can provide valuable insight regarding how a state AG will wield existing consumer protection authority to advance his or her privacy objectives, and even how the AG will interpret and apply a comprehensive privacy law that has not yet taken effect.
For example, even if a press release relates to a data breach, and not a state's comprehensive privacy law, the corresponding complaint or resulting settlement document may provide clues for businesses looking for guidance on what a state AG in California, Virginia, Colorado, Utah or Connecticut deems "reasonable" under their new state privacy law(s).
The recent data breach settlement with Wawa, Inc., for instance, involving the compromise of approximately 34 million payment cards, included Virginia. Businesses subject to Virginia's Consumer Data Protection Act, especially controllers required to "establish, implement, and maintain reasonable administrative, technical, and physical data security practices…," should review this settlement carefully.
As outlined in the AG's press release, the settlement requires Wawa to adopt a variety of measures including, but not limited to, file integrity monitoring, penetration testing, and vendor account management. The other AGs joining the settlement include Delaware, Florida, Maryland, New Jersey, Pennsylvania, and the District of Columbia. Therefore, businesses operating in these other jurisdictions should also be paying close attention.
If those businesses make consumer-facing representations about data security or consumer privacy, regardless of whether they eventually experience a data breach, state AGs can, and will, allege that failure to maintain reasonable security practices is a violation of their respective consumer protection laws.
Indeed, AGs have been demonstrating both their attention to, and bipartisanship on, these issues long before the ADPPA was introduced. If (or when) the ADPPA gains significant momentum in Congress, businesses should expect to see additional AG collaboration to ensure that any legislation acknowledges existing privacy protections at the state level, while providing a floor (and not a ceiling) for consumers across the country.