Sen. Maria Cantwell (D-Wash.) and Rep. Cathy McMorris Rodgers (R-Wash.) released a discussion draft of the bipartisan American Privacy Rights Act in early April, giving hope to supporters of a single, nationwide standard for consumer privacy rights.
“A breakthrough [for] online privacy” is how Wired put it April 7.
“This is two decades in the making,” McMorris Rodgers, pictured above, said in announcing the bill.
The bill is the latest push to set a federal standard to resolve a growing patchwork of state laws. Since 2020, 15 states — California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia — have enacted comprehensive privacy laws, according to the International Association of Privacy Professionals. This week, Maryland took one step closer to joining their ranks when the state legislature passed two companion privacy bills, widely described as having some of the toughest restrictions in the country.
In addition to its general preemption of existing state privacy laws, the proposal includes a private right of action, which allows individuals to file lawsuits to enforce a range of APRA provisions. Under the proposal, companies cannot enforce mandatory arbitration clauses in cases where they’ve caused “substantial privacy harm.”
Other notable provisions include restricting the data that companies can collect, keep and use about individuals; requiring companies to conduct annual algorithm reviews to ensure they don’t put individuals at risk of harm; requiring companies to tell individuals when their data has been passed on to foreign adversaries; and holding executives responsible for ensuring compliance. Small businesses that don’t sell personal customer information would be exempt.
The bill is expected to resolve what’s been the primary data privacy compliance challenge companies face: the different types of conduct state laws restrict.
California, which passed the country’s first — and strictest — comprehensive consumer privacy law, in 2018, allows companies to process sensitive personal information on an opt-out basis. Other states, including Virginia, Colorado and Connecticut, require an opt-in by consumers, says Gary Kibel, a partner at Davis+Gilbert.
“Even if we had one state law that was the strictest one in the country, then it’d be fine,” Kibel said. “Everyone could say, ‘All right, I’ll just follow that one state law and that takes care of everything.’ But that’s not the case … and it’s making compliance for businesses an incredible burden.”
Navigating the state laws has been “exceedingly difficult for small to medium-sized businesses,” said Christina Gagnier, a partner at Jeffer Mangels Butler & Mitchell. This is especially the case for companies that are additionally required to comply with industry-specific privacy laws, like finance and insurance, Gagnier said.
The state laws “have different thresholds of whether or not companies have to comply. They have different timelines for responding to consumers,” said Gagnier. “Maybe, at first glance, that seems that’s not that big of a deal. But small to medium-sized businesses generally don’t have fully fleshed-out compliance teams who are able to balance all of this.”
Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals, said the headache of bridging the various state laws has been partly mitigated by their similarities — they “largely share a lot of the same DNA,” he said. But that could stop being the case, given the degree of novel provisions that have been included in recently proposed state laws.
Aggressive restrictions on data collection in the proposed Maryland bill, for example, are very different from most existing state laws. The bill focuses on “data minimization,” which only allows “collecting things for specific purposes,” he said.
As more divergences like that are introduced, the more incentive there will be to establish a uniform federal standard that preempts the state approaches, he said.
The APRA as proposed would not completely preempt the idiosyncrasies of the state laws. It preserves, for instance, the right of states to enforce their own rules on data privacy for employees and students — a decision that reflects the desire of federal lawmakers to allow for local innovation as needed, Zweifel-Keegan said.
Compliance challenges
Although the benefits of a more uniform, nationwide privacy standard are clear, an argument could also be made that such a standard — even one that allows for limited idiosyncrasies at the state level — does not immediately resolve one compliance challenge that many companies face, privacy specialists say.
Gagnier said many of the state privacy laws “paint a broad brushstroke of what businesses are” without distinguishing between large, small and mid-sized companies. The distinction is important, Gagnier said, because businesses of different sizes are not equally equipped to meet the same compliance burdens. “That problem is not resolved by a federal law,” she said. “A one-size-fits-all approach doesn't work for all businesses.”
APRA comes nearly two years after its predecessor, the American Data Privacy and Protection Act, was introduced in the House of Representatives. That bill never saw a House floor vote, partly due to criticisms about how the proposed federal privacy law would interact with state rules.
Although experts say the APRA could potentially see a similar fate — or at least be amended from its current state — companies across the country should start the process of complying with existing state laws now, if they haven’t done the work already.
“A lot of companies are playing what I think is a dangerous legal risk game of, ‘Well, I don't operate in that state, so I'm just not going to comply with that state’s law,’” Gagnier said. In addition to the 15 states that have enacted comprehensive data privacy laws, however, are other states that enforce targeted privacy laws that could be triggered by a company’s business activity, Gagnier said. Compliance is also smart from a business standpoint, she added, as it becomes increasingly expected by consumers as well as other companies standing at the other end of a transaction.
“I would start thinking about the human resources and financial resources that a business needs to comply, because this isn't going anywhere,” Gagnier said, adding that even if APRA does not see traction, states are continuing to pass their own privacy laws. “It's gonna fall on your lap at some point.”