One year in, GDPR-like legislation is crawling through state governments. Year two shows no indication regulations will be up and running.
States are beginning their data privacy legislation journeys and while California has forged a path, it's one less traveled. Fewer than 20 states have a data privacy bill in the works, with many breathing their last breaths in committee, dying before making it to the governors' desks.
"GDPR wasn't informing the debate. GDPR informed the attitude of the companies that understood they had to deal with privacy," said California Senator Robert Hertzberg, D, in an interview with CIO Dive. Hertzberg helped pass the California Consumer Privacy Act (CCPA) last year.
Companies have created an imbalance between themselves and consumers. The extreme examples of data collection and unsolicited use of it include Google's search engine and Facebook's social platform, fueled by consumers offering data in exchange for services.
This often is less of a business transaction and more of bait and switch.
Bartering personally identifiable information for a free service is "not a fair bargain for exchange anymore," said Hertzberg. "I'm a pretty moderate person but it's at the point where we do need to intervene."
Lawmakers recognize they have to act because data privacy, at its core, is focused on consumer protection. However, there is substantial disagreement about how far data privacy legislation should go, so much so lawmakers are "on the verge of doing nothing," said Texas Representative Giovanni Capriglione, R, in an interview with CIO. Capriglione championed the Texas Privacy Protection Act (TPPA), though it's yet to pass.
At this point, Hertzberg and Capriglione have little expectation for a federal data privacy law, putting pressure on state governments to step up.
"I don't think there's any reason to wait for the federal government," said Capriglione.
Which states are in the game
The United States is far behind the EU in creating a holistic federal data privacy law and state legislation is moving at a crawl.
Lawmakers are always "hesitant to do anything without perfect legislation," said Mitchell Noordyke, Westin fellow for the International Association of Privacy Professionals (IAPP), in an interview with CIO Dive.
The avenue for a law to get passed is to have "enough parties in one state being comfortable with merely good legislation, not perfect legislation," said Noordyke.
There are 14 states with either passed, pending or dead data privacy laws, refined by preferences and political parties.
Proposed state data privacy legislation
| State | Legislation |
|---|---|
| California | California Consumer Protection Act |
| Connecticut | RB 1108 |
| Hawaii | SB 418 |
| Illinois | HB 3358 |
| Maryland | SB 613 |
| Massachusetts | SD 341/S 120 |
| Nevada | SB 220 |
| New Jersey | S2834 |
| New Mexico | Consumer Information Privacy Act |
| New York | Right to Know Act of 2019 |
| North Dakota | HB 1485 |
| Rhode Island | Consumer Privacy Protection Act |
| Texas | Texas Consumer Privacy Act |
| Texas Privacy Protection Act | |
| Washington | Washington Privacy Act |
SOURCE: International Association of Privacy Professionals
Texas has two pieces of legislation — one resembling GDPR and the other CCPA — which was not done intentionally. It will be interesting to see which bill's language performs better in committee, said Noordyke.
The GDPR-like Texas Privacy Protection Act (TPPA) was filed in March and instead of regulating "personal information," as the other Texas bill does, the TPPA regulates "personal identifying information" or the "category of information relating to an identified or identifiable individual."
After several rounds of legislation, the TPPA was modified, focusing more on breach notification requirements and became "effectively a commission, it's going to be an interim effort by bringing in a bunch of industry clearance," said Capriglione.
Texas is an emerging tech hub, contributing nearly $142 billion to the state's economy.
For a long time, the idea of data privacy and tech regulation, made people "think of Silicon Valley, or maybe they think about Boston area and D.C.," said Capriglione, "but if you're from Texas you'll see we're a growing high-tech leader."
Despite the nonpartisan approach Capriglione is taking with data privacy, both bills face an uneasy future.
Every state with pending legislation has less than a 50% chance at passing its data privacy bills into law, said Noordyke. Both Texas bills are "all but dead at this point."
Washington's bill "looked near certain" to pass and even "flew through the Senate" but failed, according to Noordyke. Illinois has been proactive about privacy and security legislation for more than a decade "so they at least have a track record of getting something done."
An effective law has to be pro-consumer, pro-business, and pro-individual to appeal to both sides of the political aisle. Most proposed data privacy bills have yet to satisfy all parties.
Companies are lobbying for a federal law rather than complying with a patchwork of state laws. But as more regulations crop up, it's easier for companies to establish GDPR or CCPA-like privacy standards as data becomes more of a liability.
Lawmakers agree that a federal privacy law is unlikely in the near future, despite the rise in interest. The Federal Trade Commission (FTC) is seeking greater policing authority while the country waits for a federal privacy law.
The political climate is forcing data privacy to be more of a state issue. "I would be shocked if they passed two budgets in a row in the federal government," said Capriglione.
What a company wants
Data privacy laws boil down to consumers' desire to keep their data from being stolen, traded, sold or released without their consent. Critics argue that data privacy laws, like the CCPA, are overly burdensome to businesses, calling for a limited scope of the law. "Legislators are going to be sensitive to anything that may harm (businesses)," consumers and companies, said Noordyke.
Washington state is home to technology juggernauts Amazon and Microsoft. Disrupting the companies' business practices could have a direct impact on the state's economy. Amazon's Seattle headquarters provides the city more than 40,000 jobs and about $3.7 billion in capital investments.
While privacy is a top of mind issue for government officials, they're also sensitive to the way a data privacy law could impact smaller businesses ability to compete or pay the financial burden a law would inevitably create. Larger businesses can absorb the financial requirements of a law, but it could stifle their ability to innovate.
Some view the protection of data as a matter of civil rights. "It's not a political question at all, it's just more a question of a human right," said Capriglione.
Washington's now-defunct proposed legislation had a permissive provision for facial recognition technology. The American Civil Liberties Union (ACLU) and other human rights organizations raised concern about bias in the technology as well as its uses.
The ACLU claimed Washington's bill wasn't a true consumer protection law. "The first problem is that it was written by the technology companies themselves," said Shankar Narayan, technology and liberty project director with the ACLU, during an interview on Kiro Radio.
The bill, in Narayan's view, was filled with loopholes so companies could override consumer data consent.
Microsoft was a supporter of the bill, "We think that's the only way to avoid a race to the bottom where just all standards are lost," said Microsoft president Brad Smith, speaking at Seattle University in March, reports GeekWire.
In Microsoft's eyes, Washington's proposed privacy bill would be best for the federal government to model.
The legacy tech company recently hailed the CCPA as a "good starting point," though a federal law should go further, wrote Microsoft corporate VP and deputy general counsel Julie Brill, in a blog post Monday. "One way to achieve this is by requiring assessments that weigh the benefits of data processing against potential privacy risks to those whose data is processed."
In essence, Brill argues tech companies should carry the burden of data privacy responsibility, instead of leaving the consumer to navigate opting-out.
However, data privacy laws impact Microsoft's bottom line far less than the companies that identify as tech companies. At the end of the day Microsoft sells technology products and services, not a platform empowered by personalized advertisements.
"At Microsoft we believe it's their customers, their employees and their data, so we never use their customer data for any Microsoft business purpose," Shelley Bransten, corporate VP of Global Retail and Consumer Goods at Microsoft, told CIO Dive in an email last year.
Still, Microsoft fits in the technology arena, paired next to companies like Google, Amazon and Facebook, which are protecting their interests when it comes to data privacy legislation.
