Thursday, July 15, 2021

Exhibit C(O) in the Case for a Federal Data Privacy Law: The Colorado Privacy Act

Colorado became the third state to enact comprehensive data privacy legislation when, on July 8, 2021, Governor Jared Polis signed the Colorado Privacy Act (CPA). With the passage of each new state law, the rights of consumers become more uncertain, the compliance challenges for businesses become more complicated, and the urgent need for a preemptive federal statute becomes even more pronounced.

California was the first state to occupy the void created by congressional inaction, Virginia the second.

In fact, two comprehensive data privacy proposals have become law in California: (1) the state legislature in 2018 passed the California Consumer Privacy Act (CCPA), which I described in "California's Heavy-Handed Approach to Protecting Consumer Privacy: Exhibit A in the Case for Federal Preemption," an October 2019 Perspectives from FSF Scholars, and (2) voters in last year's election approved the California Privacy Rights Act, which I discussed in a November 2020 Perspectives.

The Virginia Consumer Data Protection Act (VCDPA), meanwhile, became law in March 2021. I summarized its provisions in a February 2021 post to the FSF Blog.

Prior to the VCDPA's passage (it goes into effect on January 1, 2023), the CCPA as a practical matter assumed the role of a national privacy standard, as many businesses determined that it is easier to comply with the CCPA's requirements throughout the country than to try to separate out, and treat differently, California residents. But once Virginia Governor Ralph Northam signed the VCDPA, which is similar but by no means identical to the CCPA, the compliance headache for businesses expanded exponentially.

As I explained in March 2021's "Inconsistent State Data Privacy Laws Increase Confusion and Costs," as more states embark on their own, unique paths, businesses are forced to choose between two problematic options: (1) developing and implementing multiple state-specific compliance regimes, an endeavor fraught with risk given that, as a technical matter, Internet traffic knows no borders, or (2) aggregating the most onerous obligations set forth in the growing number of state laws and abiding by that evolving "worst of" collection nationwide.

The passage of the CPA, which I detailed in an April 2021 FSF Blog post and which goes into effect on July 1, 2023, further exacerbates that situation.

The remedy, of course, is a federal data privacy regime that preempts state laws.

In that regard, I note that President Biden's July 9, 2021, "Executive Order on Promoting Competition in the American Economy" urges the FTC to consider adopting rules addressing unfair data collection:

"To address persistent and recurrent practices that inhibit competition, the Chair of the FTC, in the Chair's discretion, is also encouraged to consider working with the rest of the Commission to exercise the FTC's statutory rulemaking authority, as appropriate and consistent with applicable law, in areas such as … unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy."

FTC Commissioner Christine Wilson (R), who spoke about data privacy at both the 2021 and 2020 (video) Free State Foundation Annual Telecom Policy Conferences, last month indicated that, given the failure of Congress to act and the proliferation of inconsistent state laws, she has "reluctantly come to consider whether we should begin a privacy rulemaking proceeding at the Federal Trade Commission."

Federal legislation, however, is the preferred path forward. More to the point, what is needed is a comprehensive data privacy statute that preempts state laws, treats all businesses with access to personal information the same, provides consumers with adequate disclosures and allows them to "opt out" of the use of their non-sensitive data, empowers the FTC with exclusive enforcement authority, and rejects a private right of action.

Unfortunately, press reports indicate that congressional activity on privacy once again has "stalled." Might the silver lining to the CPA's passage be the additional pressure needed to reignite those efforts?

Time will tell.