States Should Let Congress Take the Lead on Consumer Privacy Laws | Citizens Against Government Waste

States Should Let Congress Take the Lead on Consumer Privacy Laws

The WasteWatcher

Americans are becoming more concerned about the amount of their personal information held by banking institutions, e-commerce sites, internet service providers, online platforms, retailers, and many others, and how such information is being used for data analytics, online advertising, and targeted messaging without adequate transparency or consumer choice. 

Since at least 2016, when the FCC tried to implement online privacy regulations following the failed Open Internet Order and created confusion over how consumer privacy should be regulated, state legislatures have been enacting or considering consumer privacy protection laws to protect personal information.  While states should act in the interests of their residents when necessary, privacy is not one of those issues.  Instead of writing their own laws, the states should encourage Congress to pass a national data privacy framework that will enable innovation to continue without companies having to comply with a patchwork of laws for each state, and protect   state laws from being superseded by one constructed by the European Union or some other foreign entity. 

In 2020, 30 states considered consumer privacy laws, but most bills failed or were carried over to the next session, mostly due to legislative sessions ending.  Consumer privacy bills were enacted in California, Michigan, and Virginia. 

Two California bills were enacted to follow up on the California Consumer Privacy Act (CCPA), signed into law by Gov. Jerry Brown (D )on June 18, 2018. The bill, which was rushed through the legislature in a few days, imposes  burdensome requirements on how companies must store and provide access to consumers’ personal information, as well as harsh restrictions on the types of product and service options and discounts companies may offer to their customers.   

In 2020, Gov. Gavin Newsom (D) signed into law two bills that modified or made clarifications to the California Consumer Privacy Act.  AB 713 gives exceptions to the CCPA information that was “deidentified in accordance with specified federal law,” came from certain medical, health, or identifiable private information that is consistent with specified federal policy.  AB 1281 extends exemptions to information that is collected by a business about a person who is a job applicant, employee, owner, director, officer, medical staff member, or contractor and personal information that reflects a “written or verbal communication or a transaction between a business and a consumer.”

On November 4, 2020, California voters approved a ballot measure to adopt the California Privacy Rights Act (CPRA).  CPRA amends the CCPA to extend employee and business to business (B2B) exemptions for personal information; create a higher threshold for the definition of a business effective January 1, 2023; create a new definition for “sharing” personal information for “cross-context behavioral advertising.”  It also includes the right to op-out and a requirement to include a “Do Not Sell or Share My Personal Information” link.   

On June 16, 2020 Michigan Gov. Gretchen Whitmer (D) signed Senate Bill 172.  The bill modified the law for insurers when providing policy policies to customers.   Michigan also had a ballot initiative that would amend the state’s constitution to require a search warrant in order to access an individual’s electronic data and communications, as well as prohibit unreasonable searches and seizures of people’s private electronic data and communications.  This measure was approved on November 3, 2020.

In Virginia,  Senate Bill 101 was signed by Gov. Ralph Northam (D) on March 31, 2020.  The bill enables a merchant to scan an identification card in order to verify the authenticity and identity of an individual in order for a service to be performed. 

Other states have enacted or will be reviewing laws that would protect personal information, including online privacy for children, websites, and monitoring employee e-mail communications.  These laws would affect any business operating or selling to customers in each state, impinging on interstate commerce.  Without the adoption of a consistent national privacy protection regime that preempts state and local laws, more states will enact their own rules, some of which could be as strict as California’s, which raises costs and complicates compliance for businesses and individuals. 

States need to encourage Congress to pass a national data privacy framework that will enable innovation so no one has to be concerned with separate data privacy laws for each state.

Sign Up For Email Updates


Optional Member Code