Increasing oversight of tech companies, particularly in the realm of consumer privacy, has been a rare example of bipartisan agreement. Despite data privacy being a growing concern for consumers, however, there has been relatively little federal policymaking. To counteract this lack of action, some states have stepped in to fill this void—and have enacted policies that could have large impacts on how businesses operate. The rapid rate at which these laws are being enacted – eleven have been enacted so far – indicates that states are taking an increasingly protective view of consumers’ data privacy. Businesses need to be prepared to comply with these new mandates or risk costly enforcement measures.
California led the way, adopting a broad consumer data privacy act in 2018. The California Consumer Privacy Act (CCPA) applies to for-profit businesses that have annual revenues over $25 million, that buy, sell, or share the personal information of 100,000 or more California residents, households, or devices, or that derive 50% or more of their annual revenue from selling California residents’ personal information. The CCPA requires businesses to disclose what personal information they have about California residents and what they do with that personal information. The CCPA also gives California residents certain rights, including the right to know, the right to delete, the right to opt out of the sale or sharing of their personal information, and the right to limit the use and disclosure of certain sensitive personal information. California’s legislation has served as a model, with eleven additional states passing similar consumer data privacy laws, including seven in this year alone.
While California’s legislation served as a model, and the broad strokes of the other states’ statutes are quite similar, there are key differences from state to state. States have set different thresholds, for example, as to which companies (both in revenue and in the number of users whose data is collected) must comply with the law. They also differ in the specific rights afforded to consumers; for example, many states have narrowly defined the types of data covered by their respective data privacy laws. Compliance schemes are also different – California has an entire privacy agency, the California Privacy Protection Agency, that promulgates rules under the CCPA, while most other states have vested enforcement with their state attorney general. California’s law further differs in that it allows for a private right of action, while other statutes typically vest enforcement solely with the attorney general. Additionally, some states (most notably Utah) have taken even more aggressive steps to specifically protect children’s data and allow parents to limit their children’s access to social media platforms.
Although enforcement of the new laws is naturally limited by their recent enactment, examples from California might be instructive as to what kinds of enforcement actions companies might face in other jurisdictions. The CCPA allows for fines of up to $2,500 for every unintentional violation and $7,500 for every intentional violation, and settlements often include stipulations by targeted businesses to bring their practices into compliance. The violations are assessed per user, so fines can rapidly add up to significant sums. In the enforcement cases that the California Office of the Attorney General lists as examples, all of the targeted businesses were compelled to update their procedures or privacy policies, to notify consumers, or some combination thereof. Some settlements involved substantial fines, including at least one stipulated judgment exceeding $1 million. The Colorado, Connecticut, and Virginia laws have similar per-user fines and empower their state attorneys general to enforce compliance, so companies could face similarly steep aggregate fines and stipulated judgments in those jurisdictions.
While only four jurisdictions – California, Colorado, Connecticut, and Virginia – currently have consumer data privacy laws in effect, the consumer data laws of at least five more states (Utah, Florida, Oregon, Texas, and Montana) will come into effect by the end of 2024. The privacy laws in Colorado, Connecticut, and Virginia have only just taken effect, so it will be interesting to monitor how the attorneys general in those states use the new privacy laws to bring enforcement actions. As with California, actions from those states could prove instructive as to how other states with similarly new laws might enforce their own. Businesses that operate in these states and gain access to consumer data – and which thus might face obligations under these laws – need to prepare in advance in order to ensure compliance.
Determining that a company falls under the ambit of one or more of the state laws is just the first step, and does not dictate the exact steps a company might need to take in order to adequately protect consumers’ private data. Because states have different consumer data protections, and most still have none at all, companies will have to weigh their options: adjust their practices only in states with such laws, and in those cases conform to the specific requirements of each state, or adopt a universal approach to protecting consumer data that encompasses the requirements applicable in any state in which the company operates, even if that approach is not required in many jurisdictions.
Given policy trends, companies would be well-advised to do more than just the bare minimum currently required by state and federal law. Further policymaking in this field – including even more consumer protections – seems likely at both the state and federal level. Getting ahead of the consumer data protection curve could help companies respond as more jurisdictions pass data privacy protection laws. Companies that do not comply with the new requirements, even inadvertently, could face actions from state attorneys general and significant fines. To that end, company leadership should consult with internal and outside counsel to ensure businesses are compliant with current laws as well as prepared for what may come next.