The issue of consumer privacy, or the lack thereof, is one of the hot-button issues of the day. Hardly a month goes by without mainstream media outlets reporting on the latest privacy-related story.
From the collection of consumer data by tech giants like Facebook and Google to all the well-publicized data breaches, consumers are aware now more than ever that their personal information is vulnerable and needs to be protected.
With all of this attention, it should come as no surprise that lawmakers are stepping into the void of consumer privacy regulations and beginning to craft legislation to address this new reality. The problem is not the passage of these new laws, but rather who is passing them.
Congress has, in large measure, failed to take any meaningful steps to pass federal legislation to protect consumers’ personal information and data. This void has opened the door for individual states to pass their own privacy-related laws. However, the absence of comprehensive federal legislation in this area will likely lead to a patchwork of laws enacted by different states to address these issues in a piecemeal fashion. This will likely lead to inconsistencies among the various state laws, confusion as to the scope and breadth of each, and a complex and expensive web of regulations and standards for businesses to navigate on a state-by-state basis. There is perhaps no better example of this than the California Consumer Privacy Act (the “CCPA”), which goes into effect on January 1, 2020.
The CCPA, which is poised to become among the strongest consumer privacy laws in the United States when it goes into effect, is a prime example of the risks associated with state-by-state regulation. The CCPA contains numerous provisions aimed to provide transparency and options to California residents regarding the collection and use of their personal information, including:
- Providing consumers the right to ask a business to identify what personal information it has related to the consumer, the source of that information, the business purpose behind the collection, selling or sharing of this information, and the identity of any third parties to which the information was sold or shared;
- Providing consumers the right to request that a business delete any personal information it has regarding the consumer and to “opt out” of the future selling of the consumer’s personal data to third parties;
- Prohibiting a business from discriminating against a consumer for exercising his or her “opt-out” rights, which would include charging the “opt-out” consumer a different price or providing the consumer a different quality of goods or services;
- Prohibiting the sale of the personal information of consumers under the age of sixteen unless the consumer (or presumably a parent or guardian) affirmatively “opts in” to the sale of that information; and
- Creating a private right of action for consumers in connection with certain unauthorized access and exfiltration, theft or disclosure (e.g. as a result of a data breach or hacking) of a consumer’s personal information.
Other states have started to follow California’s lead. Washington, Oregon and North Carolina are among the states where new data privacy and security legislation has been proposed. But each state’s legislation, or proposed legislation, is a little different. These differences could result in conflicting standards that businesses, particularly those that operate nationwide, would need to navigate.
An example illustrates the potential pitfalls. The CCPA provides a private right of action for consumers whose personal information is the subject of an unauthorized access, i.e. a data breach, “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” See Cal. Civil Code § 1798.150. The CCPA does not define what “reasonable security procedures and practices” are. If similar laws are passed in other states, there is a very real chance that the courts in one state may view a set of procedures and practices as reasonable while a court in another state may find these same standards to be unreasonable. With varying standards as to the reasonableness and sufficiency of its data protection practices and procedures, a business will be subject to different requirements depending on the particular state where any such action is brought. The potential for conflicting standards is high and would expose businesses not only to uncertainty, but to potential liability which could be difficult, if not impossible, to estimate or quantify.
There is no doubt that protecting the personal information of consumers is important. But so too are the interests of businesses big and small that transact business with consumers. Subjecting these businesses to a patchwork of different, and potentially conflicting, privacy laws and standards does not serve anybody’s interests and only serves to make consumer privacy mechanisms more cumbersome and costly. Congress needs to act quickly to enact a comprehensive federal privacy law that sets forth a uniform standard for compliance.