As I noted in an April post to the FSF Blog, the Sooner State, with the enactment of the Oklahoma Consumer Data Privacy Act, became the first in nearly two years to enact a comprehensive data privacy statute. In the intervening months, three more states – Alabama, Louisiana, and Vermont – have followed suit, bringing the total to 24.
As the number of state-specific privacy regimes increases, so, too, do the complexity burdens for consumers seeking to understand their rights and the compliance questions for companies seeking to satisfy their regulatory obligations.
Alabama
Yellowhammer State Governor Kay Ivey signed the Alabama Personal Data Protection Act (APDPA) into law on April 16. It will take effect on May 1, 2027.
"Fun" differentiating fact: the APDPA has a lower applicability bar than most, covering companies that (1) control or process the personal information of just 25,000 Alabama residents, or (2) earn over 25 percent of their gross revenues from the sale of personal data, no matter how many Alabama residents that involves.
Louisiana
Pelican State Governor Jeff Landry signed the Louisiana Data Privacy Act (LDPA) on May 29. It will take effect on January 1, 2027.
"Fun" differentiating fact: the LDPA includes a temporary 30-day cure period that applies before the Attorney General may initiate an investigation; in other states, the cure period typically runs after the investigation but before the commencement of an enforcement action.
Vermont
Green Mountain State Governor Phil Scott signed the Vermont Data Privacy and Online Surveillance Act (VDPOSA) on June 16. It will take effect on January 1, 2028.
"Fun" differentiating fact: Vermont residents whose "personal data were processed for the purposes of profiling in furtherance of any automated decision" may "question the result of such profiling."
All three statutes assign enforcement authority to the state attorney general. The Louisiana and Vermont laws expressly exclude a private right of action while the Alabama law is silent on the topic.
* * *
A comprehensive federal regime could take the "fun" out of data privacy and put in its place a single, straightforward set of consumer rights and corporate responsibilities that apply nationwide.
Which brings us to the Securing and Ensuring Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act), legislation introduced by a group of House Republicans on April 21.
As noted by Free State Foundation Adjunct Senior Fellow Michael O'Rielly in "The House Builds a Sound Privacy Bill," a May Perspectives from FSF Scholars, The SECURE Data Act (1) embraces "strong federal preemption that recognizes the interstate nature of data collection and consumption" and (2) rejects a private right of action in favor of exclusive enforcement by the FTC and state attorneys general, thereby "prevent[ing] abusive class-action lawsuits by trial attorneys that have plagued many other sectors of our economy."
The House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing, and Trade held a hearing on the SECURE Data act on June 3. The Press Release included the following quote from Subcommittee Chairman Gus Bilirakis (R-FL): "Americans, regardless of political affiliation, share a fundamental expectation that their personal data be protected and secure…. The productive dialogue during today's hearing represents an important step toward creating a framework that puts constituents back in control of their personal information while holding bad actors accountable."
Posts
