Businesses Should Prepare for More State-Specific Privacy Laws, Attorneys Say

“The privacy landscape in the U.S. is likely to become more complicated before it gets any easier.”

Photos of Joan Stewart, Kathleen Scott and Duane Pozza courtesy of Wiley

WASHINGTON, January 13, 2023 — In the absence of overarching federal legislation, several states are passing or considering their own privacy laws, creating an increasingly disparate legal landscape that may be difficult for national companies to navigate.

“I think the privacy landscape in the U.S. is likely to become more complicated before it gets any easier,” said Joan Stewart, an attorney specializing in privacy, data governance and regulatory compliance, at a webcast hosted by Wiley on Thursday.

New privacy laws in California and Virginia took effect on Jan. 1, and Colorado and Connecticut have privacy laws set to become effective in July. Utah’s privacy law will go into effect at the end of December.

“We expect to see additional states actively considering both omnibus and targeted privacy laws this year,” Stewart said. “So we encourage businesses to focus now on creating universal privacy programs that can adapt to these new laws in the future.”

Although the various state laws have plenty of overlap, there are also several significant outliers, said Kathleen Scott, a privacy and cybersecurity attorney.

States take different approaches to imposing privacy

For example, the new California Privacy Rights Act — which amends and strengthens California’s existing digital privacy law, already considered the strongest in the country — requires that businesses use specific words to describe the categories of personally identifying information being collected.

“These words are unique to California; they come from the statute, and they don’t always make perfect sense outside of that context,” Scott said.

Another area of difference is the consumer’s right to appeal privacy-related decisions. Virginia, Colorado and Connecticut require businesses to offer a process through which they explain to consumers why a specific request was denied.

While implementing a universal standard would make compliance easier for businesses, Scott noted that “processing appeals can be pretty resource intensive, so there may be important reasons not to extend those outlier requirements more broadly to other states.”

Generally speaking, the state privacy laws apply to for-profit businesses and make an exception for nonprofits. However, Colorado’s law applies to for-profit and nonprofit entities that meet certain thresholds, and the Virginia and Connecticut laws carve out select nonprofits as exempt instead of having a blanket exemption.

Other state-to-state differences include specific notices, link requirements and opt-in versus opt-out policies. Even key definitions, such as what qualifies as “sensitive data,” vary from state to state.

Two of the state privacy laws taking effect in 2023 authorize the development of new rules, making it likely that additional expectations are on the horizon.

California will not begin civil and administrative enforcement of the CPRA until July. In the meantime, the state’s new privacy agency is charged with developing rules for its implementation, including specific directives for required notices, automated decision-making and other issues.

“The California rulemaking has been particularly complicated… and the outcome is going to have significant impacts on business practices,” said Duane Pozza, an attorney specializing in privacy, emerging technology and financial practices.

The state’s attorney general is arguing that existing rules require a global opt-out mechanism, but the new law establishes this as optional, Pozza explained. The currently proposed rules would again require a global opt-out.

Colorado’s attorney general is undertaking a similar rulemaking process, revising a previously released draft of the rules in preparation for a February hearing.

Several additional states are expected to propose broad or targeted privacy laws during the coming legislative cycle, according to data published Thursday by the Computer and Communications Industry Association. In addition to comprehensive consumer data privacy legislation, several measures address the collection of biometric information and children’s online safety, the CCIA found.

Reporter Em McPhie studied communication design and writing at Washington University in St. Louis, where she was a managing editor for the student newspaper. In addition to agency and freelance marketing experience, she has reported extensively on Section 230, big tech, and rural broadband access. She is a founding board member of Code Open Sesame, an organization that teaches computer programming skills to underprivileged children.

CES 2024: Industry Wants Federal Data Privacy Law

The current patchwork of state laws makes compliance difficult, said representatives from T-Mobile and Meta.

Photo of the panel by Jake Neenan

LAS VEGAS, January 12, 2024 – Industry stakeholders called for federal data privacy legislation at CES on Thursday.

“I think oftentimes companies can be in the position of opposing additional regulation at the federal level,” said Melanie Tiano, director of federal regulatory affairs at T-Mobile. “But this is probably one of those areas where that’s not the case, in part because of the flurry of activity going on at the state level, which makes compliance in the U.S. marketplace extraordinarily confusing and difficult.”

The New Jersey legislature cleared one such bill on Monday. If that’s signed into law by the state’s governor, it would bring the number up to 13. Federal efforts, notably the American Data Privacy and Protection Act, have stalled in recent years.

“We will continue to be seriously committed to getting legislation done in a bipartisan way. That’s not always easy right now, but we’re continuing to work on that,” said Tim Kurth, chief counsel for the House Innovation, Data and Commerce Subcommittee.

Simone Hall Wood, privacy and public policy manager at Meta, said “privacy regulation should not inhibit beneficial uses of data.” The company has argued it has a legitimate interest in data use practices that the European Union has found to be out of compliance with its data privacy law, the GDPR.

Industry groups, including the Consumer Technology Association, which runs the CES conference, have advocated for a light-touch privacy law in the United States, in contrast with the more comprehensive European standard.

Kurth had similar thoughts Thursday, saying the GDPR “really hurt startups and really hurt innovations.”

Still, Wood said establishing a uniform standard is something the law does well.

“It sets certainty across the marketplace for what privacy protections look like for consumers. And so that aspect of it is positive,” she said.

CES 2024: Biden Administration Announces Deal with EU on Cyber Trust Mark

The White House is looking to get the mark on products “by next year.”

Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger at CES.

LAS VEGAS, January 11, 2024 – The United States has entered an agreement with the European Union on a “joint roadmap” for standardized cybersecurity labels, a Biden Administration official announced at CES on Thursday.

“We want companies to know when they test their product once to meet the cybersecurity standards, they can sell anywhere,” said Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technologies. “They can sell in Paris, Texas, or Paris, France.”

Neuberger said the White House is aiming to get its U.S. Cyber Trust Mark, a voluntary certification for internet of things devices, on consumer products by the end of the year. The effort to mark products like routers, baby monitors, and thermostats as safe from hacking was first announced in October 2022.

The Federal Communications Commission voted in August to seek comment on how to implement various parts of the program, including how to develop and ensure compliance with its cybersecurity standards.

What exactly those standards will be is not yet decided, but the Commission has said it will base the program on criteria developed by the National Institute of Standards and Technology. Those include encrypting both stored and communicated data and the ability to receive software updates.

The measure is not on the FCC’s tentative January meeting agenda, but Neuberger said the agency is “working toward next steps.”

CES 2024: FCC and AT&T Say Collaboration is Key in Combatting Spam

The Commission has been aggressive on spam this year, and AT&T has been working to improve filters on its networks.

Photo of the panel by Jake Neenan

LAS VEGAS, January 10, 2024 – Members of the telecom industry and the Federal Communications Commission emphasized the need for industry and government entities to collaborate in combating scam calls and texts at CES on Tuesday.

“Collaboration is key here,” said Amanda Potter, assistant vice president and senior legal counsel for AT&T.

Current measures

Alejandro Roark, chief of the FCC’s Consumer and Government Affairs Bureau, noted Federal Trade Commission data showing American consumers reported losing $790 million to scam calls and another $396 million to scam texts in 2022.

The Commission took action on preventing both in 2023, expanding its STIR/SHAKEN regime – a set of measures to confirm caller identities – to all providers who handle call traffic, moving to block call traffic from noncompliant providers, and issuing multiple fines in the hundreds of millions. Almost every state has entered an agreement with the agency to collaborate on robocall investigations.

In addition, the FCC adopted its first robotext rules and moved to tighten those rules in December, closing the “lead generator loophole” by requiring affirmative consent for companies to send consumers marketing messages. Comments are being accepted on a proposal to institute a text authentication scheme.

For AT&T’s part, Potter said the company has instituted network filters to block messages that are likely to be illegal.

“We’re not going to claim success by any means, but when we have these robust network defenses, that does a lot,” she said, citing a total of 1 billion blocked texts on the company’s networks in July 2023.

AT&T also worked with manufacturers on features allowing consumers to report text as junk when deleting messages, which Potter said has provided extra data to tune spam filters.

What’s next

“We start from a standpoint of maximum flexibility when it comes to messaging,” Potter said, in contrast to voice calls, which are more tightly regulated and required FCC intervention for providers to block. 

“I’m concerned about that being taken away, or perhaps regulation being something of a distraction,” she said.

Roark agreed on flexibility being superior to regulation, although the Commission is moving forward with its proceeding on more expansive text authentication rules. The proposed rules include requiring more providers on the traffic chain to block texts from numbers flagged as scammers by the FCC and requiring measures to verify the identity of texters, similar to the STIR/SHAKEN system for caller authentication.

The FCC is also taking comments on how AI factors into robocalls and robotexts, both how it’s used to perpetrate them and how the Commission might use AI tools to combat them.

At a House oversight hearing in November, FCC Chairwoman Jessica Rosenworcel asked Congress for the authority to collect the fines the Commission imposes – a job currently left to the DOJ – and access to more financial information to help the agency’s robocall prevention efforts.
