The current state of US state data privacy laws
A slew of US states have taken it upon themselves to enact or propose their own data privacy laws. Last week, proposals in Washington and Oklahoma were killed. But a Florida bill has a shot. If passed, it will join laws from Virginia and California that are shaping how businesses across the world deal with consumers’ personal information. Here’s what it all means for marketers.
Following in the footsteps of the EU, which passed the far-reaching General Data Protection Regulation (GDPR) in 2016, California in 2018 signed into law the United States’ most robust state-level privacy legislation in history – the California Consumer Privacy Act (CCPA). Since then, just one other US state has successfully passed its own comprehensive bill: Virginia.
Today’s businesses must navigate the fragmented landscape of data privacy laws on their own
More than 25 other US states have introduced comprehensive data privacy bills. However, just a small handful of these – bills from Oklahoma, Washington, New Hampshire and Florida – recently entered the cross-chamber or cross-committee stage, meaning they were debated in their respective state legislatures and came within reasonable range of being signed into effect. All but the Florida bill eventually died. Others, including proposals from New York, Connecticut, Arizona, Illinois and Minnesota, face a steep uphill battle to being signed into law.
With existing legislation and so many proposed bills in motion, it can be difficult to parse it all and understand how various bills might affect a company’s right to collect, store and sell consumer data. Here’s a basic breakdown – and what it means for marketers.
California: challenges for ad targeting
CCPA, which went into effect in 2020, applies to any business that meets at least one of three criteria: generates over $25 million in annual gross revenue; handles records for at least 50,000 California consumers; or generates over 50% of its annual revenue from the sale of consumer data.
Under CCPA, consumer rights include access to their personal data that a business has collected, deletion of any or all of that data as well as a choice to opt out of the sale of their information.
CCPA will soon receive an upgrade with the California Privacy Rights Act (CPRA), which will go into effect in 2023. The CPRA increases the threshold for handling records from 50,000 to 100,000, and, more notably, the bill includes definitions for ‘sensitive personal data’ (such as social security numbers, driver’s license numbers and racial/ethnic information) and limits the use of such data.
Furthermore, CPRA includes a right to correction of data and a right to opt out of sharing personal data. According to Marci Rozen, data security attorney and legal director at DC-based firm ZwillGen, “A lot of adtech companies came up with creative ways to circumvent the CCPA’s opt-out-of-sale right. [CPRA’s] opt-out-of-sharing right is defined in a way that makes it really targeted to something called cross-contextual advertising.”
Essentially, CPRA eliminates loopholes in the law that previously allowed advertisers to use consumer data for targeted advertising purposes based on their activity across sites and apps, despite consumers’ decision to opt out of data selling.
Virginia: a little more gray area for marketers
The Virginia Consumer Data Protection Act (VCDPA) applies to any business that either handles the records of at least 100,000 Virginia consumers, or handles the records of at least 25,000 Virginia consumers and can attribute over 50% of its gross revenue to the sale of consumer data.
And while VCDPA defines personal data in similar terms to CCPA/CPRA, it “has a much broader exception for uses of personal data to fulfill a contract between the individual and the company in question,” Rozen says.
The consumer rights outlined in VCDPA look similar to those in CPRA: consumers have a right to access, correction, deletion and can opt out of targeted advertising as well as the sale of their personal data.
However, according to Rozen, the law has “somewhat of a broader exception for uses of data” – a provision that businesses could use to argue that certain types of data sharing are not a sale and therefore not something from which consumers can opt out. The Virginia law leaves more wiggle room for marketers to use consumer data for operational purposes.
Why the bills failed in Washington and Oklahoma – and why Florida has a chance
While more than half of US states have introduced some type of data privacy bill, many of these address only narrow aims or provide specific provisions. Just a handful are truly formulated as comprehensive, CPRA-type bills. Even fewer have gained legs in their respective state legislatures. Two of the most notable – and most recent – are those from Washington and Oklahoma, both of which failed to pass in both their respective state Houses and Senates. A bill from Florida, however, may have a shot.
Interestingly, the proposed bills from both Washington and Oklahoma received pushback from groups on both the right and the left. Many on the right advocate for deregulated markets and believe that businesses should have more bandwidth when it comes to the collection, use and sale of consumer data. On the left, some groups felt that consumer protections did not go far enough.
In Washington, this year was the third in a row that a version of the Washington Privacy Act was debated in the state legislature. Over the past three years, both the state House and Senate indicated support for the bill, but the two houses have failed to reconcile differing opinions about the exact contents of the bill.
Last year, the American Civil Liberties Union (ACLU) – a left-leaning nonprofit organization – helped shoot the bill down, criticizing a lack of protections for consumers to sue over violations and arguing that the bill was too focused on protecting businesses. The bill proposed many of the same consumer rights as its counterparts, including the right to access, deletion and correction. It also would have required companies to issue privacy notices and implement certain security standards. However, the most recent iteration of the bill died earlier this month.
The Oklahoma Computer Data Privacy Act shared many of the tenets of CPRA and VCDPA. However, it diverged in a major way: it proposed a consent-based, opt-in model – reminiscent of emerging data privacy policies announced by tech giants Google and Apple in recent months – as opposed to an opt-out model for collecting, using or selling consumers’ personal information. Though the bill passed by a landslide in the House, it died in the Senate in the same week that the Washington bill died. Had it been passed, it would have put a greater onus on marketers to incentivize opt-in rates by offering consumers new value-adds.
Florida is the latest state to gain traction on a comprehensive bill. It recently passed in the House but may face opposition in the Senate. The proposed Florida Privacy Protection Act shares many of the tenets of CPRA, and while the chances of its passing remain high, its future is still uncertain. A Florida Senate committee recently made some amendments to lessen the compliance burden on businesses; even so, many businesses in the state are opposed to the bill, as they rely heavily on the collection, use and sale of consumer data.
So what does it all mean?
As the landscape becomes increasingly complex – and ever more fragmented – businesses will have to navigate the patchwork quilt on their own. There is no simple guide to navigation. It’s up to individual businesses to do their due diligence to understand which laws they are subject to and to comply accordingly. Each existing and proposed law includes different provisions for businesses and may apply to businesses in different ways depending on its language (for example, ‘doing business’ in a given state v ‘targeting consumers’ in a given state).
And as the discussion surrounding consumer privacy grows louder in the world of technology and marketing – with the death of the third-party cookie on the horizon and tech platforms increasingly adopting their own consent-based privacy frameworks – the legislative fires blazing across the US are only being stoked. “Right now we’re headed towards at least a few more states passing comprehensive or targeted privacy laws,” says Rozen. Businesses are holding their breath.
Alongside consumers’ rights, it’s the ability of small businesses to operate that is among the chief concerns when it comes to comprehensive data laws. “How does a small company find its audience? How does a small company exist online?” says Dave Grimaldi, executive VP at the Interactive Advertising Bureau (IAB).
“The business owner of a plus-sized bridal company I know in DC used Facebook’s ad tools and found an audience to target. More importantly, they found her. Now she’s thriving. She did it all through targeting advertising. If there are provisions in bills that say you can’t use data that way, her company doesn’t exist, and nor do other seven-person companies that provide amazing products that people seek out.”
Grimaldi insists that the solution is federal-level reform. “The ‘mic drop’ moment on all of this is that American privacy law is being set by [the EU] and by one American state: California,” says Grimaldi. “Congress exists to prevent stuff like this, while honoring states’ rights. This is an issue of national prominence and national concern that could use a complete overhaul.”
And while Grimaldi admits it’s challenging to elevate the issue of privacy reform on Congress’ long list of priorities, the IAB and other interest groups are applying resources, engaging the public and educating policymakers in the hopes of creating momentum. “We’re pushing hard in Congress to pass national privacy reform, to create even rules of the road across all 50 states, because this emerging patchwork of disparate state privacy bills is going to lead to a compliance nightmare,” Grimaldi says.
And while Rozen and other legal experts are unsure about the reality of potential comprehensive federal-level data privacy legislation (she jokes that “people in the firm take bets on that”), she thinks things may be coming to a head. “[If new state-level laws are passed] Congress is going to have to reckon with whether they can take up comprehensive privacy legislation this year to try to make things a little easier on industry.”
Regardless of how things shape up, it will almost certainly become more challenging for marketers to capture, store, leverage and sell consumers’ first-party data – all the while, it’s becoming more important for them to gain this data in order to conduct business. While it’s unclear whether future laws will adopt opt-out or opt-in frameworks, marketers need to invest real effort and capital into effective ways to offer utility and value in exchange for consumer data. And they need to do so transparently in order to garner and maintain consumer trust.