The US now has nine state privacy laws on the books.
Here’s a quick roll call for those who are keeping track: California, Virginia, Connecticut, Colorado, Utah, Iowa, Montana, Tennessee and Indiana all have privacy laws. On top of that, Washington state also just passed a specialized health data protection law in late April called the My Health, My Data Act.
Although there are areas of convergence between these laws, there’s also enough nuance to “keep all of the lawyers in this room employed,” quipped Daniel Goldberg, chair of the privacy and data security group at Frankfurt Kurnit Klein & Selz, speaking during a tech law summit in New York late last week.
That list is only going to get longer over the next few years.
“Every other state is eventually going to do this, unless the federal process starts to move,” said Jules Polonetsky, CEO of the Future of Privacy Forum.
State of play
The state privacy laws that have already passed fall into three rough buckets.
First, there’s the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA). It takes its cue from GDPR, including the introduction of data minimization and retention principles that are common in Europe but newer to the US.
Then there are the laws that at least partially mimic the influential yet ill-fated Washington Privacy Act (WPA).
Although the WPA itself failed during three subsequent state legislative sessions between 2019 and 2021 due to disagreements over how the law would be enforced, its framework is the inspiration, at least in part, for every other successfully passed state privacy law.
WPA-style laws include, in descending order from most protective to least stringent: Connecticut, Colorado and Montana, which are the toughest, followed by Virginia, Indiana, Tennessee and, the most lenient, Utah and Iowa.
The third and final flavor of state privacy law is Washington’s My Health, My Data Act. It’s the first law in the US to create HIPAA-like requirements for companies to get unambiguous consent for any data related to health conditions, mental health, location information tied to health care services and reproductive health care.
The law has a private right of action, meaning individuals can sue for violations. It was passed in direct response to the Supreme Court’s Dobbs decision last year, which overturned the constitutional right to abortion.
In a state
The challenge for businesses and privacy professionals – well, there are many challenges, but one of the big ones – is that “these three regimes don’t line up completely,” Goldberg said.
Consider the Global Privacy Control (GPC), a universal browser-based mechanism that lets users opt out of their information being shared or sold across sites. It sends that signal to publishers, advertisers and third-party companies across the digital media supply chain.
Some state privacy laws, including in California, Connecticut, Colorado and Montana (which just passed in April) require that businesses respect the GPC. But other states, like Utah, don’t require businesses to respond to GPC signals.
To maintain sanity while also complying with all these different statutes (with more to come), businesses may end up embracing the strictest approach as their default.
“It’s going to be really hard to say that we’re going to treat Utah differently than Connecticut, for example,” Goldberg said. “I don’t think it’s realistic from an operational perspective.”
Cook(ies)
Embracing the strictest approach can sometimes lead to bizarre and unexpected encounters.
Recently, Polonetsky’s stove broke, so he and his wife went to the store to get a new one. While she spoke with a sales associate, Polonetsky played around with the smart stoves on display.
As he did, a California privacy notice popped up on the screen.
Even more odd than being hit with a cookie-tracking disclosure on an oven is the fact that Polonetsky was in Maryland where he lives, thousands of miles away from sunny California.
Clearly, the manufacturer of this oven was being overly risk averse, which created a jarring experience for the consumer (who in this case just so happened to be a noted privacy expert).
CCPA privacy policy and cookie policy on an oven.#PresidentsDay Shopping pic.twitter.com/x0K5v9qiDz
— Jules Polonetsky (@JulesPolonetsky) February 20, 2023
“Can you retarget on an oven? I guess, I don’t know what the vendor capacity is around that, but even if you could … popping everyone with notices doesn’t make sense,” Polonetsky said. “And it’s only going to get worse.”