Showing posts with label Privacy Legislation.

Tuesday, March 04, 2025

House Commerce Privacy Working Group Seeks Input

In a February 2025 post to the FSF Blog, I reported on a press release from House Commerce Committee Chairman Brett Guthrie (R-KY) and Vice Chairman John Joyce, M.D. (R-PA) announcing the creation of a working group focused on federal comprehensive data privacy legislation. That working group is now asking interested parties to provide responses to a Request for Information (RFI).

Released on February 21, 2025, the RFI begins by acknowledging two points I have highlighted repeatedly in writings for the Free State Foundation, most recently in a December 2024 Perspectives from FSF Scholars.

One, that "the challenge of providing clear digital protections for Americans is compounded by the fast pace of technological advancement and the complex web of state and federal data privacy and security laws, which in some cases create conflicting legal requirements."

And two, that "Members of Congress have spent many years working toward federal comprehensive data privacy and security standards to bring consumer protections into the digital age while ensuring that the U.S. continues to lead in a globally competitive environment."

The information sought by the RFI is organized into the following six specific categories:

  • Roles and Responsibilities: What types of entities collect, process, and sell personal information? What obligations should apply to each?
  • Personal Information, Transparency, and Consumer Rights: What specific consumer protections should a privacy law include? What heightened safeguards should apply to sensitive personal information? How should covered entities provide disclosures to consumers?
  • Existing Privacy Frameworks and Protections: What can be learned from the existing "patchwork" of state privacy laws? To what extent should a federal privacy law preempt state privacy laws?
  • Data Security: How can federal lawmakers ensure the security of consumer data?
  • Artificial Intelligence (AI): How might a federal privacy law account for existing state laws addressing AI, including those relating to automated decision-making?
  • Accountability and Enforcement: What are the pros and cons of exclusive enforcement by the FTC and state Attorneys General? Should a federal privacy law include a safe harbor?

A seventh, catch-all, category encourages interested parties to submit "any additional information that may be relevant to the working group as it develops a comprehensive data privacy and security law."

Responses, due by April 7, 2025, should be emailed to PrivacyWorkingGroup@mail.house.gov.

Tuesday, February 18, 2025

House Commerce Leaders Create Privacy Working Group

On February 12, 2025, House Commerce Committee Chairman Brett Guthrie (R-KY) and Vice Chairman John Joyce, M.D. (R-PA) issued a press release announcing the formation of a comprehensive data privacy working group.

This marks the first notable federal legislative step forward on privacy since a full House Commerce Committee markup of the American Privacy Rights Act of 2024 (APRA), scheduled for June 27, 2024, was cancelled at the last minute. For more on the fate of the APRA, please see my year-end comprehensive recap of developments at both the federal and state levels, "2024 Data Privacy Legislative Review: Federal Lawmakers Fall Short As More State Laws Gain Teeth," a December 2024 Perspectives from FSF Scholars.

In the press release, Chairman Guthrie and Vice Chairman Joyce stated that:

We strongly believe that a national data privacy standard is necessary to protect Americans' rights online and maintain our country's global leadership in digital technologies, including artificial intelligence. That's why we are creating this working group, to bring members and stakeholders together to explore a framework for legislation that can get across the finish line…. The need for comprehensive data privacy is greater than ever, and we are hopeful that we can start building a strong coalition to address this important issue.

They also encouraged interested parties to engage with the working group by sending an email to PrivacyWorkingGroup@mail.house.gov.

Tuesday, December 17, 2024

Michigan Could Become State No. 21 to Pass a Data Privacy Law

In a Perspectives from FSF Scholars on privacy legislation in 2024 published just last week, I wrote that seven additional states adopted comprehensive data privacy statutes this year, bringing the total to twenty. But did I speak too soon? The very same day, Michigan Senator Rosemary Bayer (D) announced via press release that the Personal Data Privacy Act (Senate Bill 659) had passed the Senate.

Should Senate Bill 659 clear the House before the current legislative session ends on December 23, the Wolverine State could become the eighth state in 2024, and the twenty-first overall, to forge a unique data privacy path.

Senate Bill 659 would establish familiar consumer rights including: the right to know that personal data is being processed, the right to access that personal data, the right to correct inaccuracies, the right to delete, and the right to obtain a portable copy. Consumers also would be able to opt out of the sale of personal data, targeted advertising, and "[p]rofiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer."

As is the case with the Maryland Online Data Privacy Act of 2024, which I summarized in a February post to the Free State Foundation blog, Senate Bill 659 includes "data minimization" provisions that "limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer … consistent with the consumer's reasonable expectations" (emphases added) and place similarly subjective limits on the processing of personal data. Sensitive data may be collected and/or processed only where "strictly necessary."

Senate Bill 659 would not create a private right of action. Instead, the state attorney general would have exclusive enforcement authority. It would go into effect a year from the date of enactment.

Tuesday, July 16, 2024

Will AI Help or Hinder Federal Privacy Legislative Efforts?

Efforts to pass a federal data privacy law have dragged on for many years. During that time, unrelenting technological advancement simultaneously has produced new innovations that amplify calls for clear rules and complicated congressional conversations that might lead to such legislation. Artificial Intelligence (AI) is the latest such instigator/troublemaker.

Generative AI offerings – such as OpenAI's ChatGPT, Google's Gemini, and Meta AI – depend upon Large Language Models (LLMs) trained on massive amounts of data. The more data used to train the LLM, the better the results. Consequently, generative AI raises substantial questions relating to privacy. (By way of example, the image below was created with OpenAI's DALL-E using the prompt "create an image of generative AI and data privacy.")

In her Opening Statement regarding a recent Senate Commerce, Science and Transportation Committee hearing titled "The Need to Protect Americans' Privacy and the AI Accelerant," Chair Maria Cantwell (D-WA) wrote that "[w]e are being surveilled … tracked online in the real world, through connected devices. And now, when you add AI, it is like putting fuel on a campfire in the middle of a windstorm." AI, she argued, "increases the need for passing legislation soon."

This heightened concern, however, to date has not generated legislative progress on data privacy. The American Privacy Rights Act of 2024, about which I wrote in "Congressional Leaders Return Privacy to the Front Burner," an April 2024 Perspectives from FSF Scholars, has yet to advance beyond a discussion draft. It was scheduled for markup by the House Energy and Commerce Committee on June 27, 2024, but that markup was cancelled at the last minute, a development I described in a post to the Free State Foundation's blog.

Prompting an unsettling sense of déjà vu, already one state has taken stalled congressional matters into its own hands. On May 17, 2024, Colorado Governor Jared Polis signed into law Senate Bill 24-205, "Concerning Consumer Protections in Interactions with Artificial Intelligence Systems."

Broadly speaking, Senate Bill 24-205, which goes into effect on February 1, 2026, requires that developers of "high-risk" AI systems "use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination."

We shall see if other states follow Colorado's lead – and, if so, whether another unwanted privacy-related "patchwork" emerges.

Friday, June 28, 2024

Federal Privacy Bill Hits Roadblock, State Activity Picks Up Speed

At the eleventh hour, the House Energy and Commerce Committee cancelled a markup scheduled for Thursday that included the American Privacy Rights Act of 2024 (APRA). At the state level, by contrast, Minnesota and Rhode Island recently enacted their own comprehensive data privacy laws, bringing the total to 20. And previously adopted statutes in three states – Oregon, Texas, and Florida – go into effect on July 1.

Having cleared the Innovation, Data, and Commerce Subcommittee late last month, the APRA was one of eleven bills on the agenda for yesterday's full committee markup. Chair Cathy McMorris Rodgers (R-WA) did not state a reason for the last-minute cancellation, but The Hill reported that House Republican leadership objected to the private right of action created by the discussion draft.

As it happens, in "Congressional Leaders Return Privacy to the Front Burner," an April Perspectives from FSF Scholars, I anticipated that "the APRA's problematic inclusion of a private right of action may – and should – prove once again to be a sticking point."

The already sizeable patchwork of state comprehensive data privacy laws, meanwhile, continues to grow. (So, too, do the associated compliance headaches for companies and confusion faced by consumers.) On May 24, 2024, North Star State Governor Tim Walz signed the Minnesota Consumer Data Privacy Act, a law similar – though not identical, of course – to those passed in New Hampshire and Maryland.

And on June 25, 2024, Ocean State Governor Dan McKee transmitted with no signature the Rhode Island Data Transparency and Privacy Protection Act, bringing the total of state comprehensive data privacy laws to 20. The Rhode Island statute is notable for its relatively large fines: up to $10,000 per violation, plus additional penalties for "intentional disclosures of personal data."

The Minnesota act will not go into effect until July 31, 2025, the Rhode Island law not until January 1, 2026. Laws in three other states, however, kick in on the first day of July: the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, and – by my measure, at least – the Florida Digital Bill of Rights.

For additional details on these statutes, please see "More States Compound the Dreaded Privacy 'Patchwork' Problem," a July 2023 Free State Foundation Perspectives.

Monday, May 13, 2024

18 … and Up? Maryland Is the Latest State to Enact a Privacy Law

Last Thursday, Free State Governor Wes Moore signed into law the Maryland Online Data Privacy Act of 2024 (MODPA). With the stroke of his pen, Maryland became the eighteenth state to adopt a comprehensive data privacy statute – one with the most onerous "data-minimization" requirements we have seen thus far.

Forgive me if I sound like a broken record, but this most-recent addition to the already substantial set of state-specific data privacy laws further compounds the confusion experienced by consumers and the compliance challenges faced by companies, particularly small businesses.

Should it become federal law, the American Privacy Rights Act (APRA) discussion draft, about which I wrote in a recent Perspectives from FSF Scholars, would preempt this patchwork and establish a desperately needed nationwide data privacy regime.

For a general overview of the MODPA, please see my two previous posts to the Free State Foundation blog on the topic, which can be found here and here. For present purposes, I want to focus specifically on the MODPA's data-minimization language, which states that "controllers" must "[l]imit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains" (emphasis added).

The data-minimization model differs from the notice-and-consent approach – pursuant to which the bounds of permissible data collection are set forth in a company's privacy policy – that until recently served as the de facto standard nationwide. And Maryland's version is the most extreme data-minimization implementation to date.

Strict data-minimization requirements such as this, and the one spelled out in the APRA, could have unintended anti-consumer consequences. Limitations on the collection of personal data beyond what is "reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains" – or, in the case of the APRA, "beyond what is necessary, proportionate, or limited to provide or maintain a product or service requested by an individual" (emphases added) – are inherently subjective standards that create substantial uncertainty and risk for companies. And that uncertainty and risk could have a chilling effect.

For example, companies may refrain from offering the "free" (that is, ad-supported) services that many consumers have come to rely on. The notice-and-consent model traditionally has allowed consumers to weigh the benefits of sharing personal information in exchange for these free services. The shift to a data-minimization approach could undermine that model, potentially leading to a reduction in the availability of complimentary online offerings.

The MODPA will go into effect on October 1, 2025, a year later than originally proposed.

Monday, April 29, 2024

Nebraska Is State 17 to Pass Privacy Law; House Holds Hearing on APRA

In a recent Perspectives from FSF Scholars summarizing the American Privacy Rights Act (APRA) Discussion Draft, I added New Hampshire (number fifteen) and Kentucky (number sixteen) to the Free State Foundation's running list of states that have passed a comprehensive data privacy statute. The Cornhusker State in the interim has joined their ranks, upping that total to seventeen. Meanwhile, at a House Commerce Committee hearing on the APRA, more than one representative indicated that they are "fired up" (subscription required) to turn that bill into preempting federal law.

New Jersey was the first state in 2024 (and the fourteenth overall) to enact privacy legislation, a development I noted in a January post to the FSF Blog. The New Hampshire Privacy Act followed in March, the Kentucky Consumer Data Protection Act in early April. (Two days later the Maryland Online Data Privacy Act of 2024, about which I blogged here and here, cleared both legislative houses. Should it be signed by Governor Wes Moore, it will bring the tally to eighteen. That is, assuming another state – Pennsylvania, perhaps? – doesn't beat it to the punch.)

And on April 12, Governor Jim Pillen enacted the Nebraska Data Privacy Act, a statute very similar in substance to the Texas Data Privacy and Security Act, a bill that I summarized in July 2023's aptly titled "More States Compound the Dreaded Privacy 'Patchwork' Problem."

Of course, one of the aspects of the APRA Discussion Draft that I praised in "Congressional Leaders Return Privacy to the Front Burner," the Perspectives referenced above, is its language preempting state comprehensive data privacy laws: "no State or political subdivision thereof may adopt, maintain, enforce, or continue in effect any law, regulation, rule, or requirement covered by the provisions of this Act or a rule, regulation, or requirement promulgated under this Act."

As such, passage of the APRA – by no means a foregone conclusion – would eliminate the chaos and compliance contradictions created by the expanding number of state laws.

At an April 17 hearing held by the House Commerce Committee's Subcommittee on Innovation, Data, and Commerce, APRA co-author and Committee Chair Cathy McMorris Rodgers (R-WA) acknowledged that "Congress has been trying to develop and pass comprehensive data privacy and security legislation for decades" and argued that "[w]ith the American Privacy Rights Act, we are at a unique moment in history where we finally have the opportunity to imagine the internet as a force for prosperity and good."

In response, Subcommittee Chair Gus Bilirakis (R-FL) reportedly stated that he is "fired up" – and Representative Frank Pallone (D-NJ) indicated that he is "fired up too."

Tuesday, March 19, 2024

Maryland House of Delegates, Senate Approve Data Privacy Bills

On Saturday – just ahead of yesterday's "crossover day" deadline – the Maryland House of Delegates voted 105-32 to approve HB-567, comprehensive data privacy legislation. The cross-filed Senate bill, SB-541, passed unanimously last Thursday.

Should the Maryland Online Data Privacy Act of 2024, which has been referred to conference, become law, it would represent the sixteenth contribution to the state-level "patchwork" of comprehensive data privacy laws that has emerged in the face of Congress's continuing failure to act.

For an overview of the law's specific provisions, please see "Free State Lawmakers Debate Data Privacy Legislation," a February 2024 post to the FSF Blog.

Friday, February 16, 2024

Free State Lawmakers Debate Data Privacy Legislation

Maryland soon could join the not-so-exclusive club for states that have forged divergent data privacy regulatory paths. Last month, New Jersey became the fourteenth state (and the first this year) to enact a comprehensive data privacy law, a development that I highlighted in a January 2024 post to the Free State Foundation's blog. Yet another bill awaits the signature of New Hampshire Governor Chris Sununu.

As I detailed most recently in "More States Compound the Dreaded Privacy 'Patchwork' Problem," a July 2023 Perspectives from FSF Scholars, the longstanding lack of a federal data privacy regime – specifically, one that preempts inconsistent state-specific approaches – has fostered an unworkable situation that creates compliance headaches for companies and confusion for consumers.

Hearings on the Maryland Online Data Privacy Act of 2024 (the Act) were held on February 13, 2024, by the House Economic Matters Committee (House Bill 567) and on February 14, 2024 by the Senate Finance Committee (Senate Bill 541).

The Act establishes a familiar set of consumer rights: to know that personal data is being collected; to access, correct, delete, and receive a copy of personal data; to obtain a list of the categories of third parties to which personal data is disclosed; to opt out of the processing of personal data for targeted advertising and automated profiling; and to opt out of its sale.

Perhaps most notably, the Act goes further than other state laws in limiting the personal data that companies may collect – that is, "data minimization" ("A controller shall … [l]imit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.")

On its face, the Act does not create a private right of action. As was the case with the New Jersey law referenced above, however, the Act's draft language has prompted concerns that it "do[es] not explicitly provide for exclusive Attorney General enforcement" (emphasis added). Specifically, Section 14-4613, which defines a violation of the Act as "[a]n unfair, abusive, or deceptive trade practice … [s]ubject to the enforcement and penalty provisions contained in Title 13 of this article," also ambiguously asserts that it "does not prevent a consumer from pursuing any other remedy provided by law."

Breaking from the approach embraced by other states, and thus further complicating compliance for companies, the Act does not provide businesses with an opportunity to cure alleged violations.

If enacted, the Act would go into effect on October 1, 2024.

Friday, January 19, 2024

New Jersey Passes 2024's First State Privacy Law

The privacy plot thickens: New Jersey just became the first state in 2024 – and (by my count) the fourteenth overall – to enact a comprehensive data privacy law. Bill S332, formally titled "An Act concerning online services, consumers, and personal data and supplementing Title 56 of the Revised Statutes" (the Act), was signed on Tuesday by Governor Phil Murphy.

At the federal level, sadly, there has been little news to report in well over a year. Consequently, each additional state that forges its own unique path further muddies the waters, creating more chaos for consumers and more compliance nightmares for companies.

The Act establishes a number of familiar consumer rights with respect to personal data: to confirm its collection and processing, to correct, to delete, to receive a portable copy, to opt out of its processing for targeted advertising as well as its sale, and to opt in to the processing of "sensitive data."

Not surprisingly, however, the Act includes several provisions that distinguish it from other state privacy statutes – and thereby unduly complicate nationwide compliance efforts. For one, it does not set a minimum-revenue threshold for covered companies. For another, its definition of "sensitive data" includes certain types of financial information.

The New Jersey Department of Law and Public Safety's Division of Consumer Affairs is tasked with adopting regulations implementing the Act. The New Jersey Attorney General has exclusive enforcement authority. For the first year and a half, companies will enjoy a 30-day cure period.

The Act does not create a private right of action. However, an eleventh-hour amendment deleting the phrase "under any other law" did prompt Governor Murphy to note in his Statement Upon Signing that:

I understand that concerns have been raised that removing that language thereby establishes a private right of action under other laws for violations of this bill. However, nothing in this bill expressly establishes such a private right of action, and the provision as amended states that the bill shall not be "construed as providing the basis for … a private right of action for violations of [the bill]."

The bulk of the Act will go into effect on January 15, 2025. The obligation to abide universal opt-out mechanisms (such as web browser-based privacy signals) will kick in six months later.

Tuesday, October 31, 2023

Maine May Join the State Privacy Law Club

Might the Pine Tree State in 2024 become the fourteenth state to pass a comprehensive data privacy law – and thereby further compound the problem of multiple, conflicting state statutes? It's possible. The Maine legislature's bicameral Judiciary Committee considered "An Act to Create the Data Privacy and Protection Act" (LD 1977) at a hearing two weeks ago.

LD 1977 is modeled on the American Data Privacy and Protection Act (ADPPA), a piece of federal legislation that easily cleared the House Commerce Committee back in August 2022 before losing forward momentum. That LD 1977 takes its lead from the ADPPA is somewhat ironic, as one of the primary motivating factors driving the ADPPA was the problem of a "patchwork" of state-specific laws, a problem that LD 1977 threatens to exacerbate.

To make matters worse, LD 1977 problematically diverges from the ADPPA by including an extremely broad private right of action. Specifically, Section 9620(2) states that:

A violation of this chapter or a rule adopted under this chapter with respect to the covered data of an individual constitutes an injury to that individual. The injured individual may bring a civil action against the party that commits the violation, except that an individual may not bring a civil action against a small business.

Possible remedies include actual damages or statutory damages starting at $5,000 per violation, whichever is greater; punitive damages; attorney's fees and costs; and injunctive and declaratory relief. A "small business" is a "covered entity" or "service provider" (but not a "data broker") that (1) generates less than $41 million in annual revenues, and (2) does not collect or process the personal data of more than 200,000 individuals.

Something else to consider: as I described in "Maine's ISP-Only Privacy Law Will Not Protect Consumers," an April 2020 Perspectives from FSF Scholars, Maine adopted a privacy law in June 2019 that singles out broadband Internet service providers (ISPs), requiring them – but not other participants in the broader online ecosystem, such as "edge providers" like Alphabet, Meta, and Amazon – to obtain "opt-in" consent from customers before using their personal information.

At an absolute minimum, any additional privacy legislation must acknowledge – and address – this disparate treatment of broadband ISPs.

Thursday, September 28, 2023

Delaware Privacy Law Makes a Dozen – or a Baker's Dozen?

First State Governor John Carney signed the Delaware Personal Data Privacy Act (the DPDPA) into law on September 11, 2023.

For those keeping score, Delaware increases the number of states to have passed a comprehensive data privacy law either to twelve – "Delaware Becomes Twelfth State to Enact Comprehensive Privacy Law" – or thirteen – "The 'First State' Officially Becomes the Thirteenth State with a Comprehensive Data Privacy Law" – depending on how one defines "comprehensive."

And for those concerned with the confusion and cost caused by the growing patchwork of inconsistent state laws, the fact that commenters cannot agree even on what the current total is underscores the extent of the problem.

In "More States Compound the Dreaded Privacy 'Patchwork' Problem," a July 2023 Perspectives from FSF Scholars, I noted that the DPDPA cleared the Delaware legislature on June 30, 2023. I also made the case that:

[T]he … "patchwork" of laws has become so complicated that interested observers can no longer agree even on the precise number of comprehensive data privacy statutes that have been passed. That fact alone speaks volumes about how difficult it has become for both companies and consumers to make sense of the ever-evolving regulatory landscape – and how important it is for Congress to establish a uniform national data privacy framework that preempts state laws.

For what it's worth, I am one of those keeping score – and I do include the Florida Digital Bill of Rights (FDBR) for a running total of thirteen. While many provisions of the FDBR apply only to companies with at least $1 billion in annual gross revenues, its requirements regarding the handling of "sensitive personal data" apply to all for-profit businesses. As such, "it undeniably represents yet another item on the growing list of data privacy statutes with which businesses must grapple."

Tuesday, June 06, 2023

Montana Makes Nine: Another State Passes a Data Privacy Law

On May 19, 2023, Governor Greg Gianforte signed into law the Montana Consumer Data Privacy Act (MCDPA). With that, the number of states to adopt comprehensive data privacy statutes expanded to nine. And the regulatory headache that consumers and companies alike must endure grew by an equal measure.

Although in other respects similar to legislation passed in Virginia and Connecticut, the MCDPA forges its own unique path with regard to applicability. Perhaps as a reflection of Big Sky Country's relatively low population level, the MCDPA covers a wider range of businesses: those that possess the personal information of just 50,000 (rather than the more common 100,000) residents. Consequently, some smaller businesses that were exempt under other state statutes may now be on the hook for costly compliance programs.

The MCDPA establishes a familiar set of consumer rights: to know, to access, to correct, to delete, and to port collected personal data. In addition, consumers (1) can opt out of targeted advertising, data sales, and "profiling in furtherance of solely automated decisions that produce legal or similarly significant effects," and (2) must opt in before a business can make use of "sensitive" personal data.

Businesses must abide by "privacy by design" principles, which include purpose-specific constraints on data usage and an obligation to adopt reasonable security measures. They also must conduct data protection assessments before engaging in a number of activities that "present[] a heightened risk of harm to a consumer." And starting in January 2025, they must recognize browser-based universal opt-out mechanisms.

Notably, the MCDPA will go into effect before laws recently adopted in Iowa (January 1, 2025) and Indiana (July 1, 2026): on October 1, 2024.

Meanwhile, it appears likely that Texas will be next: the Texas Data Privacy and Security Act has reached Governor Greg Abbott's desk.

Thursday, May 18, 2023

Tennessee Is State Number Eight to Pass a Privacy Law

On May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act ("TIPA"). The Volunteer State is the third to adopt a comprehensive data privacy statute in 2023 (after Indiana and Iowa) and the eighth overall (joining the Golden State's California Consumer Privacy Act and California Privacy Rights Act and similar-yet-unique laws passed in Virginia, Colorado, Connecticut, and Utah).

As I cautioned in a March 2021 Perspectives from FSF Scholars, multiple, inconsistent state laws inevitably will lead to "[c]ounterproductive consumer confusion, along with unreasonably burdensome and unjustifiably costly compliance obligations." At that time, just two states – California and Virginia – had enacted legislation. Today, with that total rapidly approaching double digits, such concerns are exponentially greater.

Consumer rights established by the TIPA include the right to know that a covered entity is processing personal information; to access, correct, delete, and obtain a copy of that data; and to opt out of the sale of personal information. In addition, a covered entity must disclose, upon request, categorical information regarding personal information that was sold, and obtain a consumer's consent before processing "sensitive data."

Covered entities ("controllers") that share personal information with third parties ("processors") must include certain provisions in their contracts to protect these consumer privacy rights. Controllers also must conduct data protection assessments under certain circumstances (for example, if they engage in targeted advertising, process "sensitive data," or sell personal information).

The TIPA does not create a private right of action. The Attorney General is responsible for enforcing its provisions. Covered entities have 60 days to cure an alleged violation.

Perhaps most notably, the TIPA requires that covered entities "create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled 'A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.'"

The TIPA becomes effective on July 1, 2024.

Friday, May 05, 2023

Seven States and Counting: Indiana Passes Privacy Law

Activity at the state level continues to complicate further the overall privacy landscape. On May 1st, Indiana Governor Eric Holcomb signed into law Senate Bill 5 (S.B. 5), the Indiana Consumer Data Privacy Act (ICDPA). Indiana is the second state to pass a comprehensive data privacy law in 2023 (Iowa was the first, as I noted in a recent post to the Free State Foundation blog) and the seventh overall (after California, not once but twice, Virginia, Colorado, Connecticut, Utah, and the aforementioned Iowa).

Meanwhile, Montana and Tennessee could follow quickly: bills in both states have made it to their respective governor's desks.

Uniquely, and apparently to provide an opportunity to learn how similar (but by no means identical) statutes in other states fare, the ICDPA will not go into effect until July 1, 2026. (Currently, only the laws enacted in California and Virginia are in force. The big day in Colorado and Connecticut is July 1st of this year, in Utah it is December 31st, and in Iowa it is January 1, 2025.)

Based largely (though, again, not entirely) on the Virginia Consumer Data Protection Act, the ICDPA creates several consumer rights: to know, to access, to correct, to delete, and to port data, as well as the ability to opt out of its processing/sale.

And it requires businesses, among other things, to provide a privacy notice and other disclosures, to obtain affirmative consent before processing "sensitive personal data," to conduct data protection impact assessments, and to enter binding contracts with third-party data processors to ensure that they, too, respect consumer privacy rights.

The ICDPA will be enforced exclusively by the Indiana attorney general. (It does not establish a private right of action.) In addition, it provides businesses with a 30-day cure period.

At the federal level, the House Committee on Energy & Commerce's Innovation, Data, and Commerce Subcommittee held a hearing on April 27th titled "Addressing America's Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans' Personal Information." It was the sixth Committee hearing on the topic of privacy thus far this legislative session.

In a joint statement, Committee Chair Cathy McMorris Rodgers (R – WA) and Subcommittee Chair Gus Bilirakis (R – FL) wrote that "[t]he Energy and Commerce Committee is building momentum this Congress towards enacting comprehensive national privacy and data security legislation."

Fittingly, in his opening statement, Subcommittee Chair Bilirakis acknowledged that the data privacy picture "only gets more complicated as fifty different states move towards their own data privacy laws, meaning an increasingly complicated and confusing landscape for consumers and for business."

Friday, March 31, 2023

Iowa Is State No. 6 to Pass a Privacy Statute

On March 28, Iowa Governor Kim Reynolds signed Senate File (SF) 262, "an Act relating to consumer data protection, providing civil penalties, and including effective date provisions." Following in the footsteps of California (here and here), Virginia, Colorado, Utah, and Connecticut, Iowa has become the sixth state to pass its own unique take on a comprehensive data privacy law.

With Congress still unable to agree upon the details of a national privacy framework, this most recent addition to the steadily expanding list of inconsistent state statutes further exacerbates compliance headaches for companies and adds to consumer confusion.

Laws in California and Virginia already are in effect. The start date for those in Colorado and Connecticut is July 1, 2023. Utah's statute becomes valid at the end of this year. And Iowa's SF 262 kicks in on January 1, 2025.

In other state-level privacy news, both California and Colorado recently finalized rulemaking proceedings arising from their respective comprehensive data privacy statutes:

  • On March 29, the California Office of Administrative Law approved the initial set of rules implementing the California Privacy Rights Act, also known as Proposition 24. Adopted by the California Privacy Protection Agency (CPPA), the first-of-its-kind state agency specifically dedicated to privacy, the rules became effective immediately. By statute, however, California's Office of Attorney General cannot initiate enforcement efforts until July 1. (Once officially processed, those rules, which substantively are unchanged from the drafts voted on by the CPPA in February, will be available here.)
  • On March 15, the Colorado Attorney General's Office announced that it had filed with the Colorado Secretary of State's Office final versions of its rules implementing the Colorado Privacy Act. Like the statute itself, those rules will go into effect on July 1.

At the federal level, meanwhile, the American Data Privacy and Protection Act, the first bill of its kind to make it out of congressional committee, remains in limbo. However, there have been two House Commerce Committee hearings on the topic of privacy thus far in 2023.

The first, entitled "Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy," was held by the Innovation, Data, and Commerce Subcommittee on March 1.

The second, a full Committee hearing entitled "TikTok: How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms," took place on March 23.

In a media appearance shortly thereafter, Chair Cathy McMorris Rodgers (R-WA) stated that the testimony of TikTok CEO Shou Chew puts "more urgency on us passing a national data privacy law to protect [America] from the next technological tool or weapon that China may put together" and that "[w]e need a national data privacy standard … and that's what Ranking Member Pallone and I have worked on and we're going to introduce this Congress because we need to take action."

Tuesday, October 25, 2022

Privacy Recap: Regulatory Developments in California, Colorado

As the promising-but-flawed American Data Privacy and Protection Act awaits a House floor vote and the revised deadline for comments on the FTC's highly problematic privacy Advance Notice of Proposed Rulemaking looms, state activity continues to fill the federal void.

In California, the only state where a comprehensive data privacy law has gone into effect, enforcement is underway – while, simultaneously, efforts to adopt rules implementing the Golden State's second privacy statute near the finish line. And in Colorado, the rulemaking process relating to its privacy law is just getting started.

In August, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora, Inc. regarding several alleged violations of the California Consumer Privacy Act (CCPA), which became valid law at the beginning of 2020.

According to the complaint, Sephora "did not tell consumers that it sold their personal information," "did not provide consumers with an easy-to-find 'Do Not Sell My Personal Information' link," and did not configure its website "to detect or process any global privacy control signals, such as the 'Global Privacy Control' (GPC)."

As explained in the GPC website FAQs, the GPC "is a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared. It consists of a setting or extension in the user's browser or mobile device and acts as a mechanism that websites can use to indicate they support the specification."

Under the CCPA, the enabling of a universal opt-out mechanism such as the GPC has the same legal effect as clicking on a "Do Not Sell My Personal Information" link.
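To make concrete what "configuring a website to detect or process" the GPC signal involves, here is an added example (not code from the original post, the complaint, or the GPC project). The GPC specification really does carry the preference as the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` browser property, and publishes a site's support at `/.well-known/gpc.json`; the function names, the consent-cookie flag, and the sample requests below are constructed for illustration.

```javascript
// Added example: detecting and honouring a Global Privacy Control (GPC)
// opt-out signal so it is treated like a "Do Not Sell" click.
//
// Real carriers defined by the GPC spec:
//   - HTTP request header   Sec-GPC: 1
//   - browser property      navigator.globalPrivacyControl === true
// Function names, the doNotSellCookie flag and the sample requests are
// constructed here, not taken from any real deployment.

/**
 * Server side: read the Sec-GPC request header. The spec defines exactly one
 * value, the single character "1"; any other value is treated as no signal,
 * so a malformed header never silently becomes an opt-out or a false opt-in.
 * `headers` is a plain object of lower-cased names, the shape Node's
 * http.IncomingMessage.headers uses.
 */
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'];
  if (raw === undefined) return false;
  return String(raw).trim() === '1';
}

/**
 * Client side: the same preference is exposed as navigator.globalPrivacyControl.
 * The navigator object is passed in so the check can run outside a browser.
 */
function gpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

/**
 * Effective "sale of personal information" opt-out status for one request.
 * A GPC signal from either carrier is honoured, as is an explicit choice the
 * user made earlier (modelled here as a consent-cookie flag). Silence in all
 * three places is NOT an opt-out.
 */
function saleOptOut({ headers = {}, nav = undefined, doNotSellCookie = false }) {
  return gpcFromHeaders(headers) || gpcFromNavigator(nav) || doNotSellCookie === true;
}

/**
 * Body a site serves at /.well-known/gpc.json to state that it honours GPC.
 * "gpc" and "lastUpdate" are the fields the spec names.
 */
function gpcWellKnown(lastUpdateIsoDate) {
  return JSON.stringify({ gpc: true, lastUpdate: lastUpdateIsoDate });
}

// Constructed sample requests (not real traffic).
const sampleRequests = [
  { name: 'signal present',  headers: { 'sec-gpc': '1' } },
  { name: 'malformed value', headers: { 'sec-gpc': 'true' } }, // not "1": ignored
  { name: 'no signal',       headers: {} },
];

// Classify each sample; a sale pipeline would gate on optOut before any
// third-party data sharing happens.
function classifySamples() {
  return sampleRequests.map((r) => ({
    name: r.name,
    optOut: saleOptOut({ headers: r.headers }),
  }));
}

console.log(classifySamples());
console.log(gpcWellKnown('2022-10-25'));
```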

While the Sephora settlement is the first of its kind, it is by no means the only enforcement action undertaken by the California Attorney General's office. As noted in the Press Release, "[s]ince July 1, 2020, the Attorney General has issued notices to a wide array of businesses alleging noncompliance with the CCPA. Notices to cure have been issued to major corporations in the tech, healthcare, retail, fitness, data brokerage, and telecom industries, among others."

In addition, and as I detailed in "California Voters Approve the California Privacy Rights Act: A Detailed Analysis of Its Requirements and Impact," a November 2020 Perspectives from FSF Scholars, the Consumer Privacy Rights Act of 2020 (CPRA), which builds upon and modifies the CCPA, created the California Privacy Protection Agency (CPPA), the nation's first (and, at present, only) state agency dedicated to consumer privacy.

Once established, the CPPA assumed privacy-related rulemaking responsibilities from the office of the Attorney General. On May 27, 2022, the CPPA released draft CPRA regulations. Publication of a Notice of Proposed Rulemaking on July 8, 2022, formally started the process. The comment period closed on August 23, 2022.

On October 17, 2022, the CPPA released a modified draft of the CPRA regulations, as well as an explanation of the modified text. The CPPA Board will discuss, and potentially adopt some or all of the proposed rules, at virtual meetings this Friday and Saturday.

Per the CPPA's website, "[t]he proposed regulations (1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand."

Colorado was the third state out of five so far – the others are California, Virginia, Utah, and Connecticut – to adopt a comprehensive data privacy statute. I summarized the major provisions of the Colorado Privacy Act (CPA) in an April 2021 post to the Free State Foundation's blog.

The CPA, which is scheduled to go into effect on July 1, 2023, authorizes the Colorado Attorney General to craft rules generally "for the purpose of carrying out" the CPA as well as a specific rule regarding "the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data."

On October 10, 2022, Colorado Attorney General Phil Weiser's office published a Notice of Proposed Rulemaking (NPRM). Comments are due on or before February 1, 2023 – but earlier deadlines apply if they are to "inform the stakeholder meetings" scheduled for November 10, 15, and 17, or are to be considered at the rulemaking hearing on February 1, 2023.

Specific topics addressed in the NPRM include: the substantive requirements for privacy notices, the scope of the consumer rights established by the CPA and the processes by which those rights are exercised, specifications for universal opt-out mechanisms, the duties of businesses ("controllers") that collect personal information, and the method by which consent is obtained ("including the prohibition against obtaining agreement through the use of Dark Patterns").

Thursday, August 18, 2022

FTC Initiates Privacy Rulemaking Despite Congressional Momentum: Republican Commissioners Issue Strong Dissents

At a virtual news conference last Thursday, the FTC announced the adoption of an Advance Notice of Proposed Rulemaking (ANPR) on "commercial surveillance" (that is, the use of personal information) and "lax" data security practices.

Over forceful objections from the two Republican Commissioners, and in the face of significant congressional progress on a bipartisan, bicameral federal comprehensive data privacy bill, this action by the majority initiates a "Magnuson-Moss" rulemaking pursuant to Section 18 of the FTC Act.

The ANPR:

[I]nvites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.

It poses a total of 95 wide-reaching questions, grouped into the following broad categories:

  • The extent to which personal data practices and security measures harm consumers, particularly children and teenagers;
  • The appropriate way to balance costs and benefits; and
  • Whether the FTC should regulate prevalent data privacy and security practices.

In just one troubling example of the ANPR's explicit bias against the prevailing notice-and-consent paradigm – a point of view that Commissioner Noah Phillips in his dissent characterizes as "a rather dystopic view of modern commerce" – question 74 asks under "which circumstances, if any, is consumer consent likely to be effective" and question 77 seeks input on "[h]ow demonstrable or substantial must consumer consent be if it is to remain a useful way of evaluating whether a commercial surveillance practice is unfair or deceptive" (emphases added).

In her Dissenting Statement, Commissioner Christine Wilson objected to the ANPR primarily on the basis of the risk it poses to the continued progress of the American Data Privacy and Protection Act (ADPPA). As I noted two weeks ago in a Perspectives from FSF Scholars, on July 20, 2022, an amended version of the ADPPA cleared the House Commerce Committee on a 53-1 vote.

Emphasizing her unwavering preference for congressional, rather than agency, action, Commissioner Wilson made plain that "[t]he momentum of ADPPA plays a significant role in [her] 'no' vote" – and that she is "gravely concerned that opponents of the bill will use the [ANPR] as an excuse to derail the ADPPA."

Commissioner Wilson did acknowledge that, at an earlier point in time, she "became willing to consider whether the Commission should undertake a Section 18 rulemaking to address privacy and data security."

However, for a litany of reasons – including "changes to the Section 18 Rules of Practice that decrease opportunities for public input and vest significant authority for the rulemaking proceedings solely with the Chair" and "Chair Khan's public statements [that] give [Commissioner Wilson] no basis to believe that she will seek to ensure that proposed rule provisions fit within the Congressionally circumscribed jurisdiction of the FTC" – the Commissioner has had an abrupt change of heart.

I documented this evolution in a series of posts to the Free State Foundation's blog.

In his Dissenting Statement, Commissioner Phillips reiterated a similarly longstanding conviction that Congress, rather than the FTC, "is where national privacy law should be enacted." In that vein, he wrote that he is "heartened to see Congress considering just such a law today" and hopes that "this Commission process does nothing to upset that consideration."

Taking issue with the ANPR's foundational terminology, Commissioner Phillips labeled the phrase "commercial surveillance" an "academic pejorative," one that is "defined so broadly (and with such foreboding) that it captures any collection or use of consumer data" – and one that "trades a serious attempt to understand business practices it would regulate for the chance to liken untold companies large and small to J. Edgar Hoover's COINTELPRO."

Expanding upon this concern, Commissioner Phillips makes the following additional points:

  • The ANPR "provides no notice whatsoever of the scope and parameters of what rule or rules might follow" – thereby "undermining the public input and congressional notification processes" required by Section 18.
  • It exceeds the FTC's congressionally delegated Section 5 authority over "unfair or deceptive acts or practices" and "signal[s] the majority's view that the scope of the rules passed by the unelected commissioners of an independent agency should be on par with statutes passed by elected legislators." Referencing (1) "personalized" or "targeted" advertising, and (2) consent, which he refers to as "one of the traditional bedrocks of privacy policy," he argues that the ANPR portends regulating "common business practices we have never before even asserted are illegal."
  • Overstepping the limits of the FTC's jurisdiction, "[i]t seeks to recast the agency as a civil rights enforcer, contemplating policing algorithms for disparate impact without a statutory command."
  • It "shortchanges data security, one area ripe for FTC rulemaking."

Critically, Commissioner Phillips highlights how the ANPR in practice could result in consumer harm: "Reducing the ability of companies to use data about consumers, which today facilitates the provision of free services, may result in higher prices – an effect that policymakers would be remiss not to consider in our current inflationary environment."

On September 8, 2022, the FTC will host a virtual public forum on the ANPR.

Comments on the ANPR will be due 60 days after its publication in the Federal Register.

Thursday, May 26, 2022

#FSFConf14 Speakers on Need for Federal Privacy Law

At the Free State Foundation's recent Fourteenth Annual Policy Conference, FTC Commissioners Christine Wilson and Noah Phillips voiced their support for a federal data privacy regime. And on May 23, 2022, another speaker at #FSFConf14, USTelecom President & CEO Jonathan Spalter, authored a blog post urging the Biden Administration and Congress to work together "on this essential national priority."

In the meantime, Connecticut has compounded the confusion and chaos wrought by multiple, inconsistent state-level comprehensive data privacy statutes. On May 10, 2022, Governor Ned Lamont signed into law "An Act Concerning Personal Data Privacy and Online Monitoring." Connecticut is the fifth state to date – following California (twice), Virginia, Colorado, and Utah – to fill the federal void.

Nevertheless – and forgive me if I sound like a broken record – recent reporting suggests that federal lawmakers may be making progress behind the scenes toward a workable consensus on data privacy.

During #FSFConf14's "The View from the FTC," a Fireside Chat hosted by Maureen Ohlhausen, former FTC Acting Chairman and Commissioner (a video of which is available here), Commissioner Wilson echoed that optimistic sentiment (direct link here). Describing herself as one who "tend[s] to be a Pollyanna," she stated that "I'm actually hopeful, more hopeful than I have been, because I hear there's a concerted push to get federal privacy legislation across the finish line soon."

Commissioner Wilson also reiterated her position that federal privacy legislation is necessary:

I have been advocating for federal privacy legislation almost from the day that I was sworn in as a Commissioner. And I do think it's important, I think there is a market failure that needs to be addressed. I think consumers have very little understanding of the data that's collected from them and how that data is collected, used, and sold.

I also think that businesses need guardrails, they need to understand the rules of the road. And right now we have states with conflicting opinions about what those guardrails should be, and we have a developing international regime also with conflicting ideas. And so, businesses need clarity and certainty in order to know how to comply with the law, but also to invest and to grow. 

Responding to a related query regarding what the FTC can do in the interim "to fill the gap," Commissioner Wilson noted the agency's authority under Section 5 of the FTC Act to address "unfair and deceptive acts or practices in or affecting commerce" and subject-matter-specific jurisdiction pursuant to other statutes, such as the Children's Online Privacy Protection Act (COPPA). She also highlighted a "body of consents that provide very good rules of the road."

Later in the Fireside Chat (direct link here), Commissioner Phillips, responding to a question from an audience member regarding smartphone apps, acknowledged the existence, with respect to personal data, of an "information asymmetry" – a concept familiar to those who attended Commissioner Wilson's keynote address during FSF's Twelfth Annual Policy Conference in 2020.

Given that "[c]onsumers may not understand fully what they're engaging in," Commissioner Phillips indicated his support for a "nutrition label" solution:

[O]ne of the things I've always felt would be very useful is to look more carefully at things like labels. And understand, you know, what are ways that we can get good information out to people? We do this in a lot of other areas, right?
And you think about food, right? It's maybe not efficient for me every day to, you know, if I'm at the grocery store, examine each label. But if I care, and if I want to, and the cost to you, the producer of Honey Nut Cheerios, is fairly low, that can be a really beneficial rule. A rule that is good for competition. A rule that allows consumers to shop across products, including for those features. 
So let's take what are you doing with your data, right? And Apple has a version of this, in iOS 14, they have these "nutrition labels," they call them. But it's a way of taking complex subject matter and boiling it down in terms that allow people to sort of shop across products and compare. And perhaps even to create markets around features where markets may not naturally arise.

Relatedly, USTelecom's Mr. Spalter, who participated in Free State Foundation President Randolph May's #FSFConf14 "The 'Hottest Topics' in Communications and Internet Policy" Fireside Chat (a video of which is available here), earlier this week published a blog post titled "Global Privacy Leadership Begins Here at Home."

After acknowledging the Biden Administration's "efforts toward harmonizing strong consumer privacy protections around the world" via the Global Cross-Border Privacy Rules Declaration, Mr. Spalter made the salient point that "for the U.S. to truly lead this worldwide endeavor, our nation must first lead by example here at home."

He therefore "urge[d] the Administration and Congress to work together, with a sense of urgency and purpose, to [adopt national privacy legislation] in the current legislative session." Specifically, a bill that "deliver[s] consistent online privacy protections that apply uniformly across the country and to all companies in the internet ecosystem."