New laws highlight state-level momentum for digital privacy rules

California’s new data protection agency is now fully operable, while Colorado and Connecticut are giving consumers more power over their data under laws that took effect recently.

The three states’ actions follow a slew of other state data privacy laws that have gone on the books lately.

States have been forced to take the lead on data privacy protection legislation in the absence of movement by Congress. The House Energy and Commerce Committee is now crafting a new version of its American Data and Privacy Protection Act (ADPPA) after last year’s version failed to advance to the House or Senate floor.

Industry has condemned the patchwork of state laws for creating costly compliance burdens and general confusion.

California

California continues to lead on all aspects of digital privacy, having passed the first state privacy bill in 2018. The law allows California residents to ask businesses to erase personal data, choose not to allow their personal data to be sold, request details about the information businesses have sold about them, and not be discriminated against for exercising these rights.

New amendments to the law are enforceable as of this month. State residents now have the right to limit the use and disclosure of sensitive personal information collected about them. Businesses also are required to alert consumers to their privacy practices. Notably, the bill applies to data brokers in addition to businesses.

Under the law, the California Privacy Protection Agency is now taking over rulemaking from the California attorney general, according to the Future of Privacy Forum, which calls the creation of an entity dedicated to enforcing the law “a major milestone for privacy in the US.”

Colorado

The law requires businesses to request opt-in permission from consumers before processing their sensitive data — differing from the opt-out mechanism consumers rely on in California. The law is the first in the U.S. to apply to nonprofit organizations in addition to commercial entities, according to an analysis by the Future of Privacy Forum. It includes what FPF calls “a strong consent standard to process personal data for incompatible secondary uses and to process sensitive data such as health information, race, ethnicity, and other sensitive categories.”

Connecticut

As with Colorado, the law gives residents the right to opt-in before businesses share their personal data and leaves enforcement up to the state attorney general. Privacy advocates praise the Connecticut law for going beyond other state laws by setting default protections for adolescents’ data, limiting the use of facial recognition technology, and bolstering consumer choice for how their data is handled. Connecticut’s law applies not only to businesses headquartered in the state but also to those processing a fixed amount of data about state residents. The Future of Privacy Forum praises the Connecticut law for these strong protections, hailing, for example, how it “goes beyond other state privacy laws by explicitly requiring companies to provide an easy-to-use mechanism allowing consumers to revoke consent for certain high-risk processing of personal data.”

The future

The Delaware General Assembly passed a sweeping privacy bill in a landslide vote on June 30. The bill now awaits the governor’s signature.

California also has more legislative activity in progress: Last month the state Assembly passed a separate digital privacy bill that would bar police from using “reverse warrants” that force tech companies to share multiple users’ internet search histories or phone locations in the hopes of tracking down a suspect. But the bill barely garnered support from the required two-thirds of the Assembly in the face of fierce opposition from law enforcement. The bill now awaits Senate action.

While praising states for taking the reins in the absence of federal legislation, privacy advocates continue to push Congress to act, citing the disparate nature of state laws providing uneven protections and the need for one robust national standard governing data privacy protections. The newly effective laws will be followed by nearly a dozen major state privacy laws slated to take effect in the next three years.