State Data Privacy Laws Proliferate as Calls for Federal Guidelines Grow
Virginia is the latest American state to enact a data privacy law, joining states like California, Nevada, and Maine that have passed their own laws. But the passage of Virginia’s Consumer Data Protection Act (CDPA) caused consternation among business supporters, who argue that a federal data law is needed more than ever to prevent compliance costs from skyrocketing for companies.
With his signature last week, Virginia Governor Ralph Northam approved the CDPA, which greatly expands the privacy protections available to residents of the commonwealth and their data. Like the California Consumer Privacy Act (CCPA), Virginia’s law (which goes into full effect on January 1, 2023) requires organizations to receive consent from consumers before collecting their data, among other requirements.
By all accounts, the Virginia CDPA is a “reasonable and thoughtful piece of legislation,” says Dan Jaffe, the group EVP of government relations for the Association of National Advertisers. “But I don’t care how well thought-out a particular state’s law is if it’s inconsistent with laws elsewhere.”
According to Jaffe, the Virginia law differs from the California law in several areas, including this big one: “Under CCPA, sensitive data can be used as long as it’s not discriminatory,” Jaffe tells Datanami. “But you have the ability to opt out in Virginia. You don’t have that choice [in California].”
Jaffe has been watching as multiple state legislatures have entertained and debated various data privacy laws. He closely monitored Hawaii’s latest offering, SB 1009, which also differed from CCPA in significant ways. Jaffe breathed a sigh of relief on behalf of ANA members when the proposal was deferred on February 16.
“It was a very broad bill that required opt-in for sales or any other Internet activity,” Jaffe says of Hawaii’s SB 1009. “It would have led to a bombardment of opt-in requests even for mundane or benign activities.”
At last count, Jaffe was tracking 20 data privacy proposals in 16 states, not counting the ones that have already passed. As new state proposals pop up, Jaffe researches them and issues an opinion about them on behalf of the 20,000 brands that ANA represents. It’s like a game of legal whack-a-mole.
“The most significant thing about all of them–virtually all of them, anyway–is they’re inconsistent, which is going to create an extraordinarily difficult marketplace for anybody,” Jaffe says. “I don’t care how big you are and how many IT experts and lawyers you have. For smaller midsize groups, it may very well be a backbreaking situation as privacy issues affect so many aspects of the selling effort.”
Balancing the interests of consumers and businesses is a complicated matter, to be sure. It is generally accepted that consumers have certain rights to their own data and that it’s reasonable to place some limits on how for-profit businesses and other organizations can collect and use personally identifiable information (PII). At the same time, reasonable people agree that American businesses should able to conduct commerce without excessively onerous regulations.
The devil, as always, is in the details. In the absence of federal action, states have taken it upon themselves to implement privacy laws. The result is a mish-mash of laws that differ from one state to another. That makes no sense to folks like Jaffe, who look at the board from a national level.
“Privacy should not depend on geography,” Jaffe says. “Right now, if you go from California to Nevada, you have different privacy rules. If you go from Nevada to neighboring state, you may not have any privacy rules. Does this make any sense? I think the answer is no.”
Jaffe and the ANA want the U.S. Congress to take up the matter and implement a single, overarching national data privacy law that supersedes state laws. Specifically, they back one proposal that’s going by the name of the Privacy for America (P4A) coalition. Jaffe says he is hopeful that the House of Representatives and the Senate will give the matter its attention.
“We’re almost certain [that] because of the substantial growth in privacy in the states, that there will certainly be a real examination of this issue, probably in the second quarter of this year, once they get through all this other stuff,” he says. “We do think there’s a better chance for serious exemption of privacy issues than have been the case up to now. Whether that will be enough to get it across the finish line, I don’t think anybody can say yet. But I do think we will get a much greater hearing as to the need for this type of activity.”
That sentiment was echoed by Traci Gusher, the principal of AI for Big 4 accounting firm KPMG. Gusher authored a report that was released yesterday that found AI deployments accelerated across the country under COVID-19, but that business leaders were growing wary of the absence of AI regulation and the lack of ethical standards.
Regulation of AI and regulation of data privacy are separate but related issues. Gusher acknowledged it would be best to move forward with a national data privacy law first, but that some components of an AI regulation could be implemented separately from a data law.
“Especially with more and more states coming out with [regulations], I think we’ll get to a federal standard that is the minimum of what states can abide by, and then we’ll see some states that extend above and beyond,” Gusher tells Datanami.
The appetite for data privacy and AI regulation is growing among businesses, which is a significant event. Business leaders recognize how important data and AI are to their organizations’ future, and they want to do more with both. But at the same time, they are wary of the reputational risks involved with inadvertently hurting their customers, and so they are requesting guidance in the form of regulation.
“I do think the regulation is coming,” Gusher says. “Congress is becoming more and more aware and educated. It’s only a matter of time that we’ll see it. It certainly will happen during the Biden administration.”