By Cathy Lee
Consumer privacy has been on the minds of companies, regulators, and consumers in the wake of high-profile privacy missteps by major Internet companies and sweeping new privacy rules in Europe. While the U.S. approaches consumer privacy law on a sector-by-sector basis, states are using the momentum around the consumer privacy debate to pass their own varying — and sometimes conflicting — laws. Supporters of state action on consumer privacy claim that giving states the power to experiment with different privacy protections will enhance consumer welfare through increasingly stringent obligations for companies. But this state-by-state approach will ultimately create a convoluted patchwork of laws that only the biggest companies with the most resources can navigate.
California was the first state to pass a comprehensive privacy law granting consumers more control over their personal data with the California Consumer Privacy Act (CCPA). Starting in 2020, any company that collects California consumers’ data will need to comply with the law’s new requirements and burdens in order to avoid penalties from the California Attorney General as well as potential lawsuits by private litigants.
Still, states remain divided on whether to follow California’s example of crafting a comprehensive privacy bill or to approach privacy on a sector-by-sector basis. Twelve states so far have followed California’s example and formally introduced comprehensive privacy bills within the last two years.
Several of these twelve bills closely mirror the CCPA but are not exact copies, potentially creating a jungle of state-by-state laws that will be costly to navigate. Even when the bills create substantively similar protections in pursuit of the same goal, small variances exist. One example of this is the consumer rights granted in the bills. Four state bills — California, Washington (SB 5376), New York (SB S5642), and Massachusetts (S 120) — contain five similar rights:
- the right to access collected information;
- the right to access information shared with third parties;
- the right to deletion;
- the right to portability; and
- the right to opt-out.
But California and Massachusetts also contain a right to non-discrimination, and the New York and Washington bills would create the right to rectification, the right to restriction, and the right to not have data processed by automatic decision making. These different rights will require a company to employ different technical measures, creating a financial burden.
Even the slight inconsistencies in shared consumer rights impose another financial burden on a company because the company may have to employ a different mechanism to comply with each “shared” right. For example, all four bills contain the “right to portability” — where users can have their data held by one company transmitted to another company. The CCPA and Massachusetts’ bill require that the consumer, himself, transmit his data, whereas New York and Washington would require that the company transmit the consumer’s data directly. A consumer having the ability to transmit, versus a company transmitting directly, potentially creates a huge cost difference. Companies tend to use more sophisticated software to read and process their data, which a consumer likely does not have. Having users transfer their own data may require a company to utilize a different technical approach to make the data accessible to a consumer.
Another example of an inconsistency between shared rights is the “right to delete.” The CCPA and Massachusetts grant consumers the right to request that a company delete any personal information that the business has collected. On the other hand, Washington only allows a consumer to request that a business delete personal information that the business maintains in identifiable form. Again, though the difference between any and identifiable does not seem great, identifiable explicitly excludes all aggregated and de-identified data, significantly reducing the amount of data to be deleted, thereby lessening the burden and likelihood of violation for a company.
Another key difference between the state bills concerns consumer requests. The bills differ in what types of requests a consumer can submit, as well as the amount of time a company has to respond to a consumer’s request.
The CCPA and Rhode Island bill (S0234), for example, separate consumer requests into those that can be submitted to a company that collects information and a business that sells or discloses information, while Massachusetts, New York, and Washington do not create any such distinctions. The CCPA and Rhode Island bill contain identical provisions. However, Massachusetts, New York, and Washington — though they share a number of provisions with the CCPA — include unique consumer requests. Massachusetts allows a consumer to request the names of third parties to whom the business disclosed the consumer’s personal information. The CCPA and Rhode Island focus on the categories of personal information sold to third parties. New York includes a consumer request to confirm whether data is being sold to data brokers, which is not found in any of these other bills. Washington allows a consumer to restrict the processing of personal data maintained in identifiable form. And both New York and Washington allow a consumer to submit a request to correct inaccurate information.
Additionally, the amount of time a company has to respond to a consumer request varies from bill to bill. For example, the CCPA, Massachusetts, and Rhode Island (S0234) require a company to respond to within 45 days, while New York and Washington give businesses 30 days to respond.
Outside of the varying structure of the bills, which would require companies to build data infrastructures specific to each state so they can respond efficiently to user requests, the bills treat data differently. For startups, the best way to avoid any penalty for noncompliance is maintaining good data hygiene practices by aggregating and de-identifying the data they collect and use. A number of the bills keep companies from being subjected to many of the data requirements if they properly aggregate and anonymize the data they collect from consumers. New York and Washington grant this protection by stating that de-identified data is not included in the protected category of data, whereas Massachusetts excludes both aggregated and de-identified data from this category. On the other hand, while the CCPA attempts to to incentivize similar practices, the law’s language provides less clarity: de-identified and aggregated data are not subject to certain requirements, but are not excluded from the category of protected data. Because of this uncertainty, startups will be uncertain as to whether their aggregation and de-identification practices will provide such a protection.
Since the debate over consumer privacy legislation ramped up in the U.S., Congress has grappled with whether it should pass a federal privacy law and, if so, how to craft such a law. One major point of contention is whether federal law should override each state’s laws. However, as seen above, if a federal law does not override state laws, it would create a complicated maze of state-by-state privacy rules that appear to grant the same rights. In reality, however, these bills would contain slight differences that a company must follow, ultimately being extremely costly to navigate and heightening the potential for violations.