The Patchwork of State Privacy Laws: Will Congress Act? And the States?

Privacy laws will be the topic of our next Mailers Hub webinar, at 1 pm ET on July 9. Our speakers will discuss the latest developments and answer your questions.  To register, go to Registration is FREE for all – share this link with any of those you feel can benefit from attending.

Any article on the landscape of privacy law in the United States would likely be outdated by the time it went to press, as hardly a week passes without another state legislature passing another consumer privacy bill.

However, proposed federal legislation has begun working its way through Congress, the proverbial 800-pound gorilla that could crush some or all of the crop of state legislation.  Here is a preview of that federal legislation, in its most recent iteration, along with an update on some unique requirements from recently passed privacy laws at the state level.

Recently, the American Privacy Rights Act (APRA) has appeared to gain steam as it moves through Congress.  In April, Senate Commerce Committee Chair Maria Cantwell (WA) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (WA 5th) released the draft text of the APRA.  The bill is a grab-bag of privacy law requirements that have been proposed or adopted at the state level.

One notable (and perhaps welcome) aspect of the APRA is that it would likely preempt comparable state consumer privacy laws – subject to the substantial caveats discussed below.

Many of the requirements under the APRA will be familiar to those who have delved into the obligations set forth under the existing state counterparts: publicly available privacy policies, consumer privacy rights, designation of a privacy officer, and advance notice/opt-out ability for selling/sharing/processing data.  Similar to many of the state laws, the specific privacy rights made available to consumers include the right to access, the right to correct, the right to delete, the right to portability, and the right to opt out of targeted advertising.  Further, the APRA prohibits the transfer of sensitive data to third parties without express consent from the consumer (and requires a clear and conspicuous way for the consumer to withdraw consent).

Other requirements under the APRA would be fairly new, including mandates for large data holders relating to retention of privacy policies for ten or more years.

Most unwelcome for those fearing an active plaintiffs’ bar, however, is the provision in the APRA that would allow consumers a private right of action against entities that violate their privacy rights – permitting such consumers to pursue damages, injunctive or other declaratory relief, and attorneys’ fees/costs in individual or class action lawsuits. Along with this private right of action, consumers also retain their ability to bring suit under the Illinois Biometric Information Privacy Act and Genetic Information Act as well as the California Privacy Rights Act.

Relevant to the private right of action are the cure periods: in instances where a lawsuit seeks injunctive relief or actual damages, the entity being sued is entitled to a 30-day cure period.

However, this cure period does not apply when the lawsuit involves “substantial” privacy harms – harms that include: financial harms of not less than $10,000; physical or mental harms to an individual that involve either treatment by a bona fide healthcare provider or physical injury; highly offensive intrusion into the privacy expectations of a reasonable individual; or discrimination on the basis of race, color, religion, national origin, sex, or disability.

Whether the APRA will successfully work its way through Congress, and in what form it might ultimately be enacted, is far from certain – and it seems to be facing some headwinds in the current Congress.

We do know, however, that given the bipartisan support that the APRA has earned, there is cross-party interest in comprehensive federal privacy legislation, which could eliminate or reduce the patchwork of differing requirements imposed by an increasing number of states.  The right federal bill – and the APRA is not currently it – would provide welcome relief to businesses of all sizes.

More and more states have passed their own privacy laws – with two of the more recent being Nebraska and Minnesota.  Many of these new laws follow the same patterns as the earlier laws – similar rights, similar privacy policy requirements, and similar obligations on controllers and those processing data for them.

Nebraska, however, is noteworthy for patterning itself on the Texas model of including any entity that is not a “small business,” rather than the Connecticut model that has thus far carried the day, and which only applies to businesses once they’ve reached a certain size or level of traffic.

Vermont recently attempted to pass a very strong privacy law, providing for a private right of action (California is the only other state with a private right of action, albeit in limited circumstances) – however, the Governor of Vermont vetoed the bill, so California still stands alone on this front.

Minnesota stands out for different reasons.  First, as in Oregon but nowhere else, Minnesota grants consumers the right to obtain a list of third parties to whom their data has been disclosed. Second, the Minnesota law provides a consumer with the right to question the results of a controller’s profiling – but only in the context of profiling done in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (i.e., decisions that result in the provision/denial of financial or lending services, housing, insurance, education enrollment/opportunities, criminal justice, employment opportunities, health care services, or access to essential goods/services).

Lastly, controllers are required to document and maintain a description of the policies and procedures adopted to become compliant (and maintain compliance) with the Minnesota law.

As such, the Minnesota law is a good example of how, though many privacy laws are similar, each has its own wrinkles that create new obligations for businesses – one of the more troublesome parts of the current patchwork quilt approach to consumer privacy regulations.

In sum, the collage of state privacy laws, each with its own nuances, can create confusion for those to whom the laws apply.  There is some hope of federal action in the near future – which we hope would preempt the state laws and create a single standard nationwide. Unless and until that comes to pass, however, businesses should exercise caution to ensure they review each new law as it comes and comply with the variety of requirements set forth.

We look forward to discussing these issues and answering your questions at our July 9 webinar.

This article was produced exclusively for Mailers Hub by Stacy O. Stitham, David Swetnam-Burland, and Adam Mooney of Brann & Isaacson.

Brann & Isaacson is a boutique law firm that represents large and small online and multichannel companies, printers, commercial mail producers, and IT service providers located across the country.  The firm advises companies of all sizes, including many in the Internet Retailer’s Top 500 Guide.  The firm is the Mailers Hub recommended legal counsel for mail producers on legal issues, including tax, privacy, consumer protection, intellectual property, vendor contracts, and employment matters. The points of contact at Brann & Isaacson are Martin I. Eisenstein, David Swetnam-Burland, Stacy O. Stitham, and Jamie Szal.
