Skip to Main Content

June 30, 2021
By: Rita W. Garry

A big push is underway in 27 states to enact consumer data protection laws. Ten states have tabled these legislative attempts. Virginia and California enacted comprehensive consumer privacy laws. Colorado also passed such a law which is on the governor’s desk awaiting signature.

State consumer data protection laws vary greatly, but all share elements of European Union law which went into effect in 2018 and California law which became effective in 2020. The focus of these laws is on the personal information millions of U.S. consumers share daily with millions of businesses. Those businesses collect, use, process, and share that information mostly without restriction or accountability.

These new laws also grant to consumers certain rights to control their personal information by giving consumers rights of access, correction, deletion, and, sometimes, rights to opt-out of data sharing or additional processing outside of the context of the transaction.

The implementation of these rights requires businesses to discover the type of data they process, gauge their rights and capabilities with respect to the data, determine how to protect their customers’ personal data, discover the internal data protection standards and protocols they have in place, and assess their organizational and compliance risks regarding their data use, protection, and security.

In the U.S., two big stumbling blocks to passing a comprehensive federal consumer data privacy protection law are (1) the inclusion of a consumer “private right of action” to sue businesses that violate their data protection rights, and (2) the preemptive effect a federal consumer protection law would have on some or all of state consumer data protection laws. Many big tech companies and privacy professionals strongly support a federal approach to personal information protection as opposed to the complexities of a 50-state patchwork of varying laws, while others such as Facebook, Microsoft, Apple, Amazon, and Google, have spent significant money lobbying against the consumer private right of action.

Consumer personal information drives the ever-growing U.S. digital economy. There are daily, even hourly, illustrations of poor data management practices among businesses. The current state of both federal and state legislators understanding (or lack thereof) of the importance of comprehensive, functional, and effective consumer privacy protections is unsatisfactory. Consumers’ privacy protections should not be dependent on random geography, and redress for unauthorized access or use should not depend on consumers having to wade through company privacy policies and various state laws to protect themselves. Basic privacy concepts such as notice, choice, access, and accountability underpin consumers’ rights to control against privacy intrusions, such as identity theft, property loss and personalized advertising.