ipopba - stock.adobe.com

States act on privacy laws as Congress considers new bill

The American Privacy Rights Act introduced this week aims to establish a national privacy standard that would preempt state privacy laws.

U.S. lawmakers are pushing once again to advance a federal data privacy law, while states gear up to enforce their own data privacy laws.

Sen. Maria Cantwell (D-Wash.) and Rep. Cathy McMorris Rodgers (R-Wash.) introduced the bipartisan American Privacy Rights Act (APRA) on Sunday, a draft bill to establish national data privacy rights and protections for U.S. citizens and eliminate the patchwork of existing state privacy laws. The U.S. government has seen other comprehensive privacy legislation proposed, but none has advanced into law, leaving multiple states to pass individual data privacy laws.

The proposed APRA would set one national privacy standard above all state laws. To protect U.S. citizens, it would minimize data that companies could collect and keep, allow individuals to opt out of targeted advertising, and give rights to sue bad actors for violating privacy. The bill also targets algorithms, allowing individuals to opt out of a company's use of algorithms for housing, employment, credit, insurance and education decisions.

The APRA also proposes mandating strong data security standards, authorizing the Federal Trade Commission, along with states and consumers, to enforce against privacy violations, according to a news release.

"This landmark legislation gives Americans the right to control where their information goes and who can sell it," Rodgers said in the release. "It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people's behaviors for profit without their knowledge and consent."

While the proposed APRA aims to standardize privacy laws nationally, its broad private right of action could be its costliest feature, said Ashley Johnson, senior policy manager at the Information Technology and Innovation Foundation, in a statement. Still, Johnson urged Congress to pass a federal privacy law before even more states add to the patchwork of legislation.

Indeed, as Congress lags on passing a federal data privacy law, state privacy enforcers are moving ahead with their own laws holding companies accountable for protecting individuals' right to privacy.

A glimpse at state privacy laws' enforcement

Connecticut's privacy law took effect in July 2023, and preparing to enforce the law was a heavy lift, said Michele Lucan, deputy associate attorney general in the Connecticut Office of the Attorney General. Lucan spoke on a panel with other state privacy law enforcers during the International Association of Privacy Professionals (IAPP) Global Privacy Summit 2024.

Lucan said preparing for privacy law enforcement involved educating businesses to help them understand their obligations and informing citizens of their rights.

"Even before our law took effect, this was an everyday process for us," she said.

Similar to Connecticut, Colorado's data privacy law went into effect in July 2023, and the state has taken a soft enforcement approach by sending letters to companies with a large presence in Colorado, regardless of the amount of data they process, said Jill Szewczyk, assistant attorney general for data privacy and cybersecurity in the Colorado Office of the Attorney General. Szewczyk spoke at the IAPP summit.

While the law might not apply to those companies, Szewczyk said it was important to let them know that the law was in effect and that they needed to make sure they were in compliance.

Colorado is also in what's called a "cure period," meaning that if the state finds a violation that is deemed curable, the company has 60 days to fix it once it has been notified of the issue. Connecticut is in a similar mode of sending cure notices to companies.

"We've been pleasantly surprised by how willing companies have been to work with us," Szewczyk said.

Just because we've built on the other privacy laws, it doesn't mean they're exactly the same.
Kristen HiltonSenior assistant attorney general for consumer privacy and data security, Oregon Department of Justice

In Oregon, the state's privacy law doesn't go into effect until July 2024, meaning that the enforcement division is focused on education and providing information to consumers and businesses about the law and what it means for them, said Kristen Hilton, senior assistant attorney general for consumer privacy and data security in the Oregon Department of Justice. Hilton spoke at the IAPP summit.

Hilton said it's especially important for businesses to note key differences in Oregon's privacy law compared with other states.

"Just because we've built on the other privacy laws, it doesn't mean they're exactly the same," she said. "Read carefully, because there are important nuances and distinctions in language based on how our legislative drafters work."

Indeed, state privacy enforcers are paying attention to other states' laws and assessing where there could be alignment, where there are differences and what could be done better about their own laws, Connecticut's Lucan said.

"What all the states are doing now is paying attention to bills raised in other states, laws that are being passed, to figure out what's the delta," she said. "We're paying attention to those and we are advising our office about changes we could advocate for to strengthen our law down the line."

California privacy law enforcer zeroes in on dark patterns

California's state privacy law, the California Consumer Privacy Act (CCPA), was the first state privacy law passed in the U.S. The California Privacy Rights Act amended the original CCPA, and enforcement went into effect last year.

Some of the areas CCPA law enforcers are focused on are investigations into ensuring consumers can opt out of certain data requests, and looking at businesses that sell or share personal information without that proper notice or opt-out, said Michael Macko, deputy director of enforcement at the California Privacy Protection Agency. Macko spoke at the IAPP summit.

Macko said the agency is also looking at businesses that use dark patterns to prevent consumers from asserting their rights. Dark patterns are interfaces used in websites and apps designed to trick or manipulate users into making certain decisions, which could compromise their privacy rights.

"I would avoid dismissing dark patterns as some sort of buzzword," he said.

Makenzie Holland is a senior news writer covering big tech and federal regulation. Prior to joining TechTarget Editorial, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.

Next Steps

FTC, DOJ take aim at dark patterns with Adobe lawsuit

Dig Deeper on Risk management and governance