State Legislative Sessions Underscore the Need for a National Privacy Framework | Citizens Against Government Waste

State Legislative Sessions Underscore the Need for a National Privacy Framework

The WasteWatcher

During their 2022 legislative sessions, lawmakers in 35 states considered data privacy bills.  Only two of them, SB 227 in Utah and SB 6 in Connecticut, were signed into law, adding to a growing patchwork of such laws in the states.  According to the National Council of State Legislatures, nearly 200 data privacy bills were introduced in 2022 state sessions, 75 of which were comprehensive.  The varied requirements of the state bills reiterate the need for Congress to enact a national data privacy framework. 

While the Connecticut and Utah bills had some provisions common to legislation in other states, they still had their differences.  California has the most restrictive and onerous law, and Virginia has far fewer burdensome requirements, while Colorado falls in between.  For small businesses, these varied requirements are making it especially costly and difficult to comply. 

A January 24, 2022, Information Technology and Innovation Foundation report found that the implementation of 50 different privacy laws could cost $1 trillion more over 10 years than a national standard adopted by Congress.  The highest compliance costs come from states like California, where the law includes a private right to action (one of several reasons why Florida’s HB 9 failed). Companies are being forced to pass on these costs to consumers, who certainly do not need to pay more for anything else as inflation hits the highest level in 40 years. 

Some of the failed data privacy bills from the 2022 legislative sessions show how mass confusion would result if more states had adopted their own legislation.  The New Hampshire legislature considered HB 1413, which would have applied only to broadband providers.  In Hawaii, lawmakers considered SB 2051, which broadly covered all data brokers.  If these bills had been signed into law, businesses would be left scrambling to determine which states had laws that pertained to them.

On top of the complexities of which entities comply in which state, the protected rights varied from state to state in the failed bills.  In  Oklahoma, HB 2969 would have protected the rights of consumers to access their data, correct their data, delete data, and added a right to portability.  In Ohio,  HB 376 included each of these protections except a right to correction.  The Ohio bill provided residents of the Buckeye state with the right to opt out of the collection and sale of their data, but HB 2969 did not provide the same protection.  Businesses operating in both states would have to tailor their practices to avoid falling short of the difference requirements.

The announcement on June 3, 2022, of the bipartisan, bicameral American Data Privacy and Protection Act (ADPPA) discussion draft proposal demonstrates that members of Congress may be finally willing to roll up their sleeves and get to work resolving the confusion that the various state laws present to businesses and consumers.  While many other data privacy bills have been introduced since the beginning of the 117th Congress, this discussion draft has drawn more attention than the others because it was proposed by House Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-N.J.) and Ranking Member Cathy McMorris Rodgers (R-Wash.) and Senate Committee on Commerce, Science, and Transportation Ranking Member Roger Wicker (R-Miss.).

The draft covers all data collectors, provides consumer choice in how their private information is collected and maintained, and includes a section on data security, all of which are positive provisions of the proposal.  But it also includes several exceptions to the preemption of various state laws, opens the door for frivolous lawsuits by including a private right of action, and could make it more difficult for companies offering discounts to individuals using their services online.  If Congress cannot resolve these issues, states will continue to engage in a race to the bottom in which the most extreme law becomes the law of the land. 

With the adoption of two additional data privacy bills in Connecticut and Utah, the patchwork of such comprehensive data privacy laws expanded in 2022 from three to five.  Congress should address the problems in the ADPPA discussion draft and provide certainty to businesses and consumers by providing an effective and efficient national data privacy framework through the adoption of a bill that allows for consumer choice and control, flexibility, and data minimization and contextuality.  The only alternative is a complex, costly, and impenetrable web of state-specific statutes.