News 05 Dec. 2024
Partner Dr. Alexandra G. Maier Recognized Again in Lexology Client Choice Award 2025, Mining Experts Category 2025
more
Event 23 Oct. 2024
Counsel Mohannad El Murtadi Suleiman to Speak at the 2nd Annual Africa Arbitration Day in New York
Event 18 Aug. 2023
Partner Borzu Sabahi Speaks at FDI Moot Shenzhen
News 25 Jul. 2023
Partner Eric Gilioli Ranked in Top 10 Influential Energy & Natural Resources Lawyers in Kazakhstan in Business Today
News 09 Apr. 2024
Curtis Announces New Partners and Counsels Across Offices in Spring 2024
Client Alert 28 Dec. 2023
U.S. to Impose Secondary Sanctions on Non-U.S. Banks For Financing Russia’s Defense Industry
News 28 Aug. 2024
Curtis Recognized for Excellence in Arbitration in Chambers Latin America Guide 2025
Event 22 Aug. 2023
Partner Dr. Claudia Frutos-Peterson to Speak at Arbitration and ADR Commission of the ICC Mexico
Publications 19 Dec. 2024
Curtis Partner, John Balouziyeh, Authors New Guide to Investing in the Kingdom of Saudi Arabia and the GCC
News 08 Oct. 2024
Curtis Boosts London Finance and Corporate Capability with Appointment of Partner Christopher Harrison
News 24 Aug. 2023
Curtis Attorneys Quoted in CoinDesk on FTX Founder Sam Bankman-Fried’s Strategy Ahead of His Criminal Trial
Client Alert 10 Jul. 2024
EU Adopts New Restrictive Measures Against Belarus
Client Alert 26 Jun. 2024
The EU Adopts its 14th Sanctions Package Against Russia
news
Curtis Secures Early Victory for Colombia, Highlighting Sovereign Defense Excellence
publications
Client Alert 08 Mar. 2023
Download the full alert with footnotes.
As of 2021, 137 out of 194 countries have instituted some sort of comprehensive legislation to secure the protection of data and privacy. However, in the United States, while Congress has enacted sectoral laws for specific industries, it has stopped short of enacting comprehensive federal data privacy legislation. Further, many of these sectoral laws are limited to notices on how user data is used and grant limited opportunities for consumers to opt out. In the absence of comprehensive federal law, a handful of states have now enacted, and many more have recently proposed, their own data privacy legislation. But there are discrepancies between state data privacy laws that create uncertainty for consumers as to their rights and place additional burden on companies required to comply with the regulations. For several years, Congress has attempted to enact comprehensive federal data privacy regulations without success. Recent efforts offer some hope that Congress will get this proposed legislation across the finish line.
As of 2023, five US states have enacted their own broad data privacy and security laws. California was the first to do so, enacting the California Consumer Privacy Act in June of 2018, and since amending it with the California Privacy Rights Act. Virginia, Colorado, Connecticut, and Utah have recently followed suit, and the newly enacted privacy regulations in these states have gone, or will go, into effect this year. Yet, as more states choose to create their own laws to protect their citizens’ privacy in the absence of comprehensive federal legislation, a comparison of these five state laws reveals a problem of inconsistency in the scope, protections, obligations, and enforcement mechanisms that the regulations provide.
For example, while three of the state laws include the receipt of non-monetary consideration in their definition of a “sale” of personal data, those enacted in Utah and Virginia limit “sale” only to situations where the data is exchanged for monetary consideration. Additionally, in regard to the limitations imposed on the processing of sensitive data, California and Utah allow consumers to opt-out of such processing, while the other three state laws require that consumers opt-in before their sensitive data can be processed. And in what has proven to be a very relevant distinction in recent attempts at passing comprehensive US federal data privacy legislation, California is the only state that currently provides for a private right of action that can be brought by consumers against companies that violate their data privacy rights.
The discrepancies in state laws pose problems for US consumers and businesses alike. As a result of this patchwork of expanding state laws, it is difficult for consumers to know how their personal data is being processed, who is processing it, and what rights they may have related to the collection and processing of their personal data. On the other hand, businesses do not have clear guidelines within which to operate regarding data collection, and must ensure that they are complying with all obligations created by each of the five varying state privacy laws.
The American Data Privacy and Protection Act (ADPPA) is “the first bipartisan, bicameral national comprehensive privacy and data security proposal with support from leaders on the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee.” It was introduced in the House on June 21, 2022, and subsequently passed out of Committee by a 53-2 vote.
However, the bipartisan measure ran into opposition from key leaders, especially from those states that have already enacted their own data privacy legislation, because the proposed federal standard is less stringent in some regards, but would still preempt the more stringent state laws.
In a February 24, 2023 Hearing Memo from the Committee Majority to the Members of the Subcommittee on Innovation, Data, and Commerce, the Committee Majority identified six distinct issues on which testimony was heard in a March 1, 2023 hearing entitled “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy.” The listed issues focused on the interplay between proposed federal legislation and currently enacted state laws, among other considerations.
Specifically, the issues raised in the Hearing Memo encompassed (1) the impact of the emerging patchwork of state data privacy laws on businesses that operate in the digital economy; (2) whether a federal standard should preempt state laws that would not be covered within such a standard; (3) the difference between a company using first party data or transferring such data to a third party for advertising; (4) why safe harbors are important for complying with federal law; (5) what aspects of other countries’ similar laws are too restrictive; and (6) why Congress should enact comprehensive federal legislation, rather than addressing the same concerns through rulemakings, or a continued state-by-state approach.
In his opening remarks, Innovation, Data, and Commerce Subcommittee Chair Gus Bilirakis emphasized Americans’ need for more transparency over how their information is collected, processed, and transferred, and also stressed the need to ensure a responsible government approach to enforcing clear rules with which businesses will be obligated to comply. He explained that companies, especially those that are small businesses, “shouldn’t be subject to random or punitive letters in the mail notifying them that certain practices could be unfair or deceptive,” and urged that Congress’s focus for the ADPPA going forward should be “achieving the right balance for the FTC to enforce a national privacy and data security law to protect Americans of all ages, while at the same time ensure that businesses that follow the rules aren’t subject to government overreach and frivolous litigation.”
Ultimately, while progress is being made through bipartisan effort on addressing the current concerns surrounding the ADPPA, it is unclear if or when federal privacy legislation will actually be enacted. This means that companies doing business in the United States must keep close tabs on states’ progress in enacting their own legislation, and ensure that they are keeping in compliance with those that apply to them. Just in 2023, the number of state laws that must be monitored has increased five-fold. And with the uncertainty surrounding enactment of the ADPPA or any comprehensive federal privacy legislation, ensuring compliance with state laws is certain to become more onerous as more states make strong pushes to enact their own data privacy laws. Numerous states including New York and New Jersey have proposed their own state privacy bills in the past year. As more and more such state laws are enacted in the absence of agreement on federal legislation, the burden and effort of ensuring compliance for companies is only certain to increase in the near future.
Attorney advertising. The material contained in this Client Alert is only a general review of the subjects covered and does not constitute legal advice. No legal or business decision should be based on its contents.
Data Protection and Privacy Law
Jonathan J. Walsh
Partner
New York
+1 212 696 6000
client alert
Does U.S. Sanctions Law Prohibit Providing a Speech Platform to Sanctioned Persons?
The EU issues new FAQs clarifying the Best Efforts Obligation on EU Operators
Mohannad El Murtadi Suleiman Publishes an Article on Interim Measures in the American Review of International Arbitration (ARIA)
We use cookies on our website to enhance your browsing experience, match your interests and assess our website performance. We do not share information with any third-party for marketing purposes. Please view our privacy policy to learn more about the use of cookies on our website. By continuing to browse our website, you consent to our use of cookies.