In the wake of the seemingly endless stream of data privacy scandals that surfaced over the past year, lawmakers have renewed the push for the nation’s first comprehensive, bipartisan data privacy law. However, at the start of the first hearings on the matter in the current Congress, legislators have encountered a major roadblock, namely, conflicting state regulations that attempt to cover consumer privacy issues.
State legislatures were spurred into action in 2018 as the number of data privacy breaches mounted. In June 2018, California became the first state to pass a consumer privacy law when then-Governor Jerry Brown signed the California Consumer Privacy Act (the “CCPA”) into law. The CCPA, the requirements from which do not go into effect until January 1, 2020, poses hurdles for business both inside and outside of California. The CCPA applies to for-profit entities that collect and process the “personal information” of California residents. While an entity must do business in California in order to be subject to the CCPA, physical presence in California is not a requirement. The definition of “personal information” is much broader than typically seen in U.S. privacy laws, and includes “information that identifies, relates to, describes[] [or] is capable of being associated with . . .a particular consumer or household.[1]” Other states[2] have expanded definitions relating to personal identifying information in privacy-related laws.
With Congress now addressing the first federal data privacy law in U.S. history, many on both sides of the aisle fear that a patchwork of state regulations may, at best, lead to confusion amongst businesses having to deal with conflicting regulations, and, at worst, may preclude smaller businesses from being able to comply. Preemption is a potential solution to this issue, and legislators have certainly not ruled out the possibility of preemption if the federal bill is able to adequately protect U.S. consumers. The fear amongst Democrats, however, is that Republican lawmakers seek to pass a federal privacy bill simply as a means to preempt the CCPA, a bill which many Republican lawmakers and industry group members oppose. Whether legislators will be able to come together for a bipartisan agreement sufficient to justify preemption remains to be seen.
[2] Delaware is an example of one such state. http://delcode.delaware.gov/title6/c012b/index.shtml.