Written for the November issue of the King County Bar Association Bar Bulletin.

The current state of data privacy laws is constantly in motion. From new state laws, to proposed federal laws, and laws that will look to the future of technology. It can be difficult to keep up, here is a summary of where we are now and where we are going:

The State of the States

For the last few years there were really only two types of privacy alphabet soup you needed to know– the GDPR and the CCPA. The General Data Protection Regulation is widely considered as the European gold standard of privacy protection and the California Consumer Privacy Act was a first for the US when it comes to consumer privacy protections. However, come next year 4 states will be throwing in some new letters; Virginia, Colorado, Utah, and Connecticut have all enacted data privacy laws that will go into effect in 2023. 

The Virginia Consumer Data Protection Act will lead the year off with their act going into effect in January 2023. The Colorado Privacy Act as well as the Personal Data Privacy and Online Monitoring Act out of Connecticut are both set to go into effect July 1, 2023. Rounding out the year will be the Utah Consumer Privacy Act which goes into effect December 2023. All of these new laws have similarities to the CCPA and grant consumers several rights including the right to access their data, right to opt-out the sale of personal data, and the right to deletion. In addition to these 4 at least a dozen other states discussing their own potential data privacy laws.

On the California front the CCPA is being amended and the California Privacy Rights Act (CPRA) will go into effect on January 1, 2023.  The CPRA will now apply to B2B and Employee Data which was exempt under the CCPA; additionally consumers will have the right to correct their personal data.

With more and more states enacting privacy legislation one has to wonder if Washington will enact legislation. The good news is that is seems to be more of “when” instead of “if”. The Washington Privacy Act “WPA” (SB 5062) [1] and the Washington’s People’s Privacy Act “PPA” (HB 1433) were both introduced in 2021. The PPA, as the name suggests is more people centered and unlike the WPA gives Washingtonians a private right of action for enforcement.  In 2022, HB 1850, the Washington Foundational Data Privacy Act “WFDPA” was introduced and lands somewhere in between the WPA and PPA. With so many bills on the table eventually one of them will have to pass.

On the Federal Level

It is no secret that US is lagging behind several countries when it comes to a comprehensive national data privacy law.  You already know the GDPR but there is also Brazil ‘s Lei Geral de Proteção de Dados (LGPD), Bahrain’s Data Protection Law, and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).  

As the world moves toward comprehensive data privacy laws to protect their citizens, the hope is that the US will enact a Federal law sooner rather than later.  While the American Data Privacy and Protection Act “ADPPA” was introduced in June 2022 and a month later sailed through the House Energy & Commerce Committee with support from both Democrats and Republicans it will probably be quite a while before it makes it to the House and Senate. With the recess in August and the hotly contested midterms coming up it is unlikely that action on this will be seen before the legislative session ends on January 3, 2023. As proposed the ADPPA’s purpose would be “To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.”[2]

While the idea of a federal privacy law sounds like something everyone should get behind it has its naysayers including Washington’s own Senator Maria Cantwell who does not feel the ADPPA is strong enough.[3] Cantwell had proposed her own bill in 2019, the Comprehensive Online Privacy Rights Act (COPRA)[4] which seems closer to the CCPA than the ADPPA. The compromise will lie somewhere between making compliance uncomplicated for businesses and not enacting a law that would preempt stronger state laws.

Data Privacy in a Post Roe United States

With the fall of Roe individuals have been looking at the privacy of their data in ways they never have before, from menstrual cycle tracking apps to how devices track locations. In response, the My Body, My Data Act of 2022,[5] sponsored by Rep. Sara Jacobs out of California would establish “protections, subject to certain limits, for personal reproductive or sexual health information. This includes information relating to past, present, or future surgeries or procedures, such as the termination of a pregnancy.” This would protect personal data collected by companies that are not currently covered (HIPAA).

Biometrics

While Washington is still struggling to get data privacy legislation passed, it is ahead of the game when it comes to a comprehensive Biometric Information Privacy Act “BIPA”, joining only Illinois and Texas. Though several states, including; Maine, Massachusetts, Missouri, and New York have introduced legislation for biometric data in 2022. Washington and Texas, unlike Illinois does not offer a private right of action and enforcement is done through the Attorney General. The Illinois law is considered to be the strictest in the nation and in recent years the state has become a hotbed for class action suits relating to violations of the BIPA.  Over the past two years Google, TikTok, Facebook, and Snapchat have all settled their suits for hundreds of millions of dollars. In September of this year a class action was filed in U.S. District Court for the Northern District of Illinois claiming that Walmart unlawfully collects, stores, and uses customers’ biometric data. If a company is found to have violated the Illinois law, eligible residents could receive up to $5,000 per violation.

Artificial Intelligence

The next frontier of data privacy seems to lie within AI. The CPRA, along with the laws of Colorado, Virginia, and Connecticut will address “automated decision making” (ADM) in various ways. Whether it is defining what “profiling”[6] means, allowing for consumers to opt-out, or regulating how data is collected or store it is clear ADM will be a part of forthcoming privacy laws. Since AI relies heavily on collecting and processing large quantities of data the way that data is collected, stored, and whether consent was freely given is of concern. It will be a delicate balance of figuring out how to regulate the AI while not hindering the technology.

Conclusion

With several states enacting data privacy legislation in the next year and twice as many proposing and debating similar types of legislation, the US is posed to have dozens of different laws until a comprehensive federal model can be enacted. Once that happens the US will join several nations in protecting their citizens’ personal information. It is predicted that by the end of 2024, 75% of the world’s population will have its personal data covered under modern privacy regulations.[7] The way companies’ can use consumer data will become highly regulated and individuals will have the right to decide how their data is used. 

[1] SB 5062 is a new version of SB 5376 that was introduced in 2019

[2] H.R.8152 – 117th Congress (2021-2022): American Data Privacy and Protection Act, H.R.8152, 117th Cong. (2022), http://www.congress.gov/.

[3] Cristiano Lima, Top Senate Democrat casts doubt on prospect of major data privacy bill, Washington Post, Updated June 22, 2022 at 5:53 p.m. EDT Published June 22, 2022 at 2:15 p.m. EDT,

[4] S.2968 – 116th Congress (2019-2020: Consumer Online Privacy Rights Act, S.2968 – 116th Congress (2019), http://www.congress.gov/.

[5] H.R.8111 – 117th Congress (2021-2022): My Body, My Data Act of 2022, H.R.8111, 117th Cong. (2022), http://www.congress.gov/.

[6] The UK GDPR defines profiling as follows:

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Regulation (EU) 2016/679, General Data Protection Regulation, Article 4 (4).

[7] Press Release, Gartner, Gartner Identifies Top Five Trends in Privacy Through 2024

(May 31, 2022), https://www.gartner.com/en/newsroom/press-releases/2022-05-31-gartner-identifies-top-five-trends-in-privacy-through-2024.