With the odds of the federal government passing a data protection law dim, more state governments around the country are considering their own measures aimed at protecting their residents’ internet privacy. But such a decentralized push for internet users’ rights will result in a soup of regulations that vary from state to state, a data-privacy researcher told StateScoop.
Andrea Little-Limbago, the chief social scientist at Virtru, a Washington, D.C.-based encryption company, said Wednesday states are forging ahead on their own data-protection legislation anyway as the public becomes increasingly vocal about internet privacy.
“Obviously, you can’t ignore the states because federal legislation isn’t going to happen this year,” she said. “The states are filling in because the public is demanding it.”
And though it wasn’t until last year that Alabama and South Dakota became the last two states to enact basic data-breach notification laws, many of the state-level measures passed recently or under consideration now would implement much greater authority over how businesses handle consumers’ personal information online.
A “data-broker” law that took effect in Vermont last month requires companies that buy or sell customer data to register with the state and offers Vermonters the option to remove their information from the marketplace. Massachusetts lawmakers are currently deliberating a bill that would include information collected by biometric devices under the commonwealth’s existing breach-notification statute. Other bills around the country seek to protect financial data, geolocation data and other emerging forms of information that could disclose a person’s identity.
Little-Limbago said there are more than 90 separate pieces of legislation currently under discussion in statehouses that would either enhance existing breach-notification laws or implement new protections, with more likely on the way.
“I would be surprised if we didn’t see at least a dozen, if not more, at least start to be introduced,” she said. “That’s a lot, and each one’s a bit different.”
Holding companies responsible
One of the most recent bills was introduced March 21 by Washington, D.C., Attorney General Karl Racine. The bill would amend the District’s 2007 data breach law — which currently covers residents’ Social Security numbers, driver’s licenses and credit- and debit-card numbers — to protect passport numbers, military identifications, health and biometric data and genetic profiles. It would also require companies conducting online business with D.C. residents to implement tougher security safeguards and offer identity-theft protection to customers in the event of a breach.
“We think the states have an important active role to play to protect consumers, and that companies are held responsible,” said Ben Wiseman, the consumer protection director in Racine’s office. “[The bill] allows the office to inform consumers and conduct appropriate outreach. We want to work collaboratively with business to make sure consumers are protected.”
Still, the D.C. bill would also give Racine’s office greater prosecutorial authority in the event a company exposes its customers’ personal data. Racine sued Facebook last December over the political consulting firm Cambridge Analytica’s ability to access the profiles of more than 70 million U.S. users during the 2016 presidential election, including 340,000 District residents. Facebook is seeking the case’s dismissal.
While Wiseman declined to discuss the Facebook suit, he did say that even under the new bill, “we do not view every data breach as conduct that requires enforcement.”
The best way forward
But the expanding patchwork of internet privacy measures throughout the states will make it trickier for companies to comply, Little-Limbago said. That trend, though, is nudging industry in favor of some level of overarching federal legislation that might eventually pre-empt state regulations, she added.
“These big tech companies are now more in favor of federal law now than they were a year ago, and they’ve admitted self-regulation is not the best way forward,” Little-Limbago said.
Until that happens, however, states will continue on their own, she said, with California leading the way as the state barrels toward 2020, when the sweeping Consumer Privacy Act it enacted last year takes effect. While tech-industry lobbyists in Sacramento are trying to tweak it before then, legislatures in other states, including Massachusetts, New Mexico and Washington, are modeling their proposals after the California law.
“It does help a bit for us smaller states to follow the lead,” New Mexico Deputy Attorney General Tania Maestas said in January.
And while inconsistencies across state lines will create compliance headaches, Little-Limbago said states taking the initiative to implement new consumer data protections is essential as long as the federal government sits back.
“The intent is good. It’s helping individuals’ rights,” she said. “It has the accountability built in, which is really important. The question is whether California is the floor or the ceiling.”