2020 Update: Data Privacy Laws in the United States
After the European Union passed the General Data Protection Regulation (“GDPR”) in 2016, the world watched to see whether the United States would adopt a similar data privacy law at the federal level. While U.S. lawmakers, the tech industry, and consumer advocates have been working towards a federal data privacy bill, Congress has yet to pass, or even seriously consider, such legislation. However, a federal law may finally be on the horizon – two data privacy bills have been introduced in the Senate, and a bi-partisan bill is currently being developed by a House committee. In honor of Data Privacy Day, celebrated internationally on January 28, we explore the current status of data privacy laws in the United States.
In the absence of a comprehensive federal law, numerous states across the U.S. have passed their own data privacy legislation, including, perhaps most notably, California. The California Consumer Privacy Act of 2018 (“CCPA”) became effective on January 1, 2020, creating new obligations for covered businesses regarding privacy notices and the handling of California consumers’ personal information. The CCPA only protects Californians’ personal information but may apply to companies that do business in California even if they are not physically located in the state. Businesses continue to scramble to understand and comply with the CCPA, which is only one of many state and industry-specific laws forming the current patchwork of data privacy laws in the U.S.
However, a federal solution may be on the horizon. In November 2019, two data privacy bills were introduced in the Senate – the Consumer Online Privacy Rights Act (COPRA) and the United States Consumer Data Privacy Act (CDPA). The bills share many similarities, including enforcement by the Federal Trade Commission, and would provide individuals with new rights regarding their personal information. However, COPRA (introduced by Sen. Maria Cantwell, D-Wash.) and the CDPA (introduced by Sen. Roger Wicker, R-Miss.) vary on some important points, leading many to wonder whether either bill could make it through Congress. For example, COPRA would preempt only state laws that expressly conflict with the Act, leaving state laws that provide additional protection to consumers intact, whereas the CDPA would preempt all state laws regarding data privacy (except for data breach notification provisions), including the CCPA. COPRA would also allow for an individual private right of action, similar to the CCPA, while the CDPA would not.
Additionally, the House Energy & Commerce Committee recently released an initial draft of a bi-partisan data privacy bill. Bi-partisan support will be critical for Congress to enact a federal data privacy law, but the initial House bill does little to reconcile the differences between the two introduced Senate bills. Further, while this federal legislation is pending, numerous states are actively considering data privacy bills themselves. Specifically, multiple states are in the process of considering data privacy legislation mirroring the CCPA. In other states, such as Virginia (where the Virginia Privacy Act was introduced earlier this month), representatives have pulled provisions from the CCPA as well as the GDPR to create a more tailored bill for their state legislature to consider. With many states in their legislative sessions and various federal bills pending, 2020 is already shaping up to be an exciting year for data privacy in the United States.