What’s Happening in Relation to Privacy in the United States?
Paul Lanois from the law firm Fieldfisher notes that 2023 was a big year in terms of US state privacy laws, as no less than five such laws entered into effect.
In 2023, the California Consumer Protection Act as amended by the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Ac, the Connecticut Data Privacy Act and the Utah Consumer Privacy Act all came into force.
In the absence of comprehensive federal privacy legislation, more state legislatures have been considering introducing a state privacy law that will regulate the handling of personal information relating to state residents, as well as provide state residents with privacy rights (such as the right of access, right of correction, right of deletion, right to opt out of targeted advertising or the sale of their personal information) that are gradually becoming standard rights.
Some of the key highlights of the new comprehensive privacy laws shaping 2024 are as follows.
- Florida’s Digital Bill of Rights has a limited jurisdictional scope: it primarily applies to businesses with an annual global revenue exceeding USD1 billion. In addition to providing for consumer privacy rights that have now become a standard in the recent US state privacy laws (eg, the right to confirm that their personal data is being processed; right of access/obtaining a copy of their personal data, right of correction, right of deletion and right to opt out of the sharing of their data for targeted advertising purposes), the Florida Digital Bill of Rights grants consumers the right to opt out of the collection of their personal information through voice or facial recognition features. Finally, for providers of an online service, product, game, or feature likely to be predominantly accessed by individuals under the age of 18, the bill prohibits processing personal information that “may result in substantial harm or privacy risk to children”, limits profiling of individuals under the age of 18 unless certain conditions are met, and restricts the collection, selling, sharing, using, and retaining personal information and precise geolocation data of individuals under the age of 18.
- Oregon’s Consumer Privacy Act does not have a threshold based on an entity’s annual revenue. This law applies to organisations which conduct business in Oregon or which provide products or services to Oregon residents and that during a calendar year control or process the personal information of at least 100,000 Oregon residents or control or process the personal information of 25,000 Oregon residents and derive more than 25% of their gross revenue from selling personal information.
- Texas’ Data Privacy and Security Act does not have any threshold based on annual revenue thresholds or volume of data processed to determine applicability, contrary to most other US state privacy laws. However, the Texas’ Data Privacy and Security Act provides an exemption for small businesses, as defined by the US Small Business Administration, unless they sell sensitive data, in which case they must obtain consumer consent in advance. Texas’ Data Privacy and Security Act will require covered businesses to recognise universal opt-out mechanisms for the sale of personal data and targeted advertising in 2025.
- Montana’s Consumer Data Privacy Act is similar to Oregon’s Consumer Privacy Act as it also does not have a revenue threshold. The law applies to businesses that conduct business in the state or produce products or services targeted to state residents and control or process the personal data of at least 50,000 Montana residents or control or process the personal information of 25,000 Montana residents and derive more than 25% of their gross revenue from selling personal data.
While the above may seem a lot, it is not an exhaustive list of all US laws covering privacy: for example, the state of Washington introduced the My Health My Data Act, which significantly expands privacy protections for personal health data, requiring organisations to follow requirements about how and when they may collect and share personal health data. Other states, such as Delaware, Iowa, New Hampshire, Nebraska, New Jersey, Tennessee (and more) will have their own state privacy law enter into effect in 2025.
"It is increasingly important for organisations to monitor privacy developments and continue working on compliance."
Of course, any discussion on US privacy laws would not be complete without looking at what is happening at the federal level. On 7 April 2024, Congress introduced the draft American Privacy Rights Act of 2024 (APRA). If enacted, it would be the first comprehensive data privacy law at the federal level in the United States and would create a uniform personal data privacy and security legal standard, alleviating compliance challenges arising from the current privacy patchwork due to the myriad of state privacy laws across the US. Generally, the APRA is modelled primarily after its predecessor, the American Data Privacy and Protection Act, which was the strongest attempt to introduce a comprehensive federal privacy law.
Among other things, APRA proposes a stricter data minimisation requirement that applies to both covered entities and service providers and would create a right to opt out of the transfer of covered data and targeted advertising, as well as a right to opt out of covered algorithms and AI decisions. While there is a lot of interest in a comprehensive federal privacy bill, APRA is already facing mounting opposition: for example, the Executive Director of the California Privacy Protection Agency (CPPA), Ashkan Soltani, released a statement against APRA due to its pre-emption provisions that would limit states’ ability to adopt new consumer privacy protections in the future.
In short, due to the increasing legislative focus on data privacy and security, it is increasingly important for organisations to monitor privacy developments and continue working on compliance – even if APRA does not pass this year, it will likely inspire future legislative efforts.
Fieldfisher
