As 2020 draws closer, many states are poised to consider their own consumer privacy laws.
While the most anticipated privacy development of 2020 is, of course, the enactment of the California Consumer Privacy Act (CCPA), similarly proposed laws — many of which have been dubbed "CCPA copycats" — will be debated in legislatures across the country next year.
Bills in Massachusetts, Minnesota, Pennsylvania, New Jersey and New York, among others, are pending and will be debated in the coming months.
Yet, while the legislatures are now flush with bills, the degree to which these debates will bring greater regulation is anybody's guess. Several laws that had been expected to pass this year — namely New York and Washington state — saw negotiations collapse, speaking to the difficulty of seeing a diversity of shareholders reach consensus on the complex issues at play.
Those issues include the fraught interplay between commerce and consumer protections. Many bills modeling themselves heavily after the CCPA focus on giving data transparency and ownership to consumers, greatly expand the definition of "consumer information," and escalate the risk of litigation for companies that stepped outside those bounds.
These issues proved too much for some privacy bills — some of which stalled or outright failed early on in this year's legislative sessions, including in states like Arizona, Florida, Kentucky, Mississippi and Montana, among others.
At the same time, a handful of other states are taking a slower, more cautious approach, forming task forces to study how to further expand or update current privacy laws. These include Connecticut, Hawaii and Louisiana, where groups are studying data breaches and brokerage, Internet privacy and existing regulatory frameworks.
Yet as states have looked to self-regulate, the tech lobby is still pushing vigorously for a federal privacy law. Critics characterize this as an attempt to “preempt” stronger regulation at the state level, but companies argue that a consistent, across-the-board approach is the only sane approach for businesses and consumers.
A recent New York Times op-ed penned by Michael Beckerman, CEO of the Internet Association — which represents tech giants like Google, Facebook and Amazon — laid out some of the business community's concerns; chief among them, that a network of differing laws creates an overly complex landscape for most companies to navigate.
"Nevada and California share a border and billions in economic activity, and both states have recently updated their own data privacy laws. Yet they fail to agree on basic elements of those laws," Beckerman states. "Companies looking to operate on both sides of that border must navigate two separate laws that regulate the sale of data, but do so in two very different ways."
Still, those looking for a comprehensive national privacy bill should potentially be careful what they wish for — since federal regulations have the potential to be much more far-reaching and draconian than anything previously authored at the state level.
Case in point: Oregon, where U.S. Sen. Ron Wyden recently raised eyebrows when he introduced a federal bill that would create heretofore unheard-of punishments for misbehaving tech companies — including jail time for CEOs. The "Mind Your Own Business" bill would give the nation's premiere privacy watchdog, the Federal Trade Commission, broad discretion to fine companies and go after business leaders, if wrongdoing occurs.
However, Wyden's bill is much more targeted and punitive than the kind of "comprehensive" federal bills that were introduced during 2019 — many of which sought a far more lenient approach to tech companies.
Whichever way you slice it, more regulation means a more complicated landscape for business to navigate. That much is clear from already extant privacy laws like the Biometric Information Privacy Act (BIPA), which has recently begun to show its teeth with large-scale lawsuits against tech giants.