Shagun Nayar
Cyber Security Professional
Independent Consultant
U.S. States Are Taking Consumer Privacy Matters into Their Own Hands
Posted: May 22, 2023
Current Landscape
The seamless integration of smart technologies and increased use of digital services have undoubtedly made American lives more convenient, enabling citizens to perform multiple tasks in real-time with minimal effort. However, this convenience has come at the cost of personal information being at a much higher risk of exploitation, sale, hacking and even weaponization. Companies collect, store, process, share and sell personal information—often without explicit consent—yet largely evade accountability for their data collection, processing, storage and sharing practices. Compounding these data privacy concerns is the absence of a federal law that comprehensively covers and sufficiently safeguards consumer privacy rights. As a result, consumers are often left unaware of how companies use their personal information. This concerning landscape requires immediate attention, as consumers must be better equipped to protect themselves and safeguard their digital identities.
Encouragingly, U.S. states’ adoption of consumer privacy legislation is at an all-time high. Leading the charge, California enacted the California Consumer Privacy Act (effective Jan. 1, 2020) and the California Privacy Rights Act (fully effective Jan. 1, 2023). Virginia followed suit with the Virginia Consumer Data Protection Act (effective Jan. 1, 2023). Connecticut and Colorado enacted legislation next, with the Connecticut Personal Data Privacy and Online Monitoring Act and the Colorado Privacy Act (both effective July 1, 2023). Additionally, Utah enacted the Utah Consumer Privacy Act (effective Dec. 31, 2023), Iowa enacted the Iowa Consumer Data Protection Act (effective Jan. 1, 2025) and Indiana enacted the Indiana Consumer Data Protection Act (effective Jan. 1, 2026). There are also more than a dozen active bills making their way through various legislative stages across the majority of U.S. states.
Although these laws vary in their specifics, they share key provisions that provide a useful starting point for understanding the development of consumer privacy laws in the country. Consumers have the right of access, correction, deletion and portability, as well as the right to opt out of the sale of their data to third parties. Simultaneously, businesses are required to be transparent about their use of consumer data, obtain consent (including the consent of the parent or guardian of a minor), conduct formal risk assessments and treat consumers equally irrespective of whether they exercise certain consumer privacy rights.
While this rise in consumer privacy legislation adoption extends rights and protections to more Americans, it is not a cure-all for the multifaceted challenges surrounding consumer privacy in the United States.
Three-Layered Problem
The current approach to consumer privacy adoption in the United States is complex and multilayered, creating three main areas of concern. These include variations in state laws; federal laws that target specific data, people and circumstances; and unique state laws related to digital privacy.
Layer I: The primary issue stems from the complexity of the current landscape, characterized by numerous state laws, each with its own set of rights, obligations, eligibility criteria and scope of application. For instance, the California Consumer Privacy Act grants California residents the “right of action” to take legal action against businesses for certain data breaches or unauthorized access to their personal information. However, this provision is absent from the consumer privacy laws of the other six states mentioned above.
Layer II: The second layer of complexity pertains to federal laws that target specific types of consumer data, specific populations and specific circumstances. Take, for example, the Health Insurance Portability and Accountability Act, which regulates consumers’ protected health information (PHI) but only applies to covered entities, thereby excluding PHI from non-covered entities. Similarly, the Children’s Online Privacy Protection Rule, which requires commercial website and online service operators to obtain verifiable parental consent before collecting personal information from children, solely focuses on children 13 and under, overlooking the age group of 13- to 18-year-olds.
Layer III: Further complicating matters, various states have enacted unique laws pertaining to digital privacy. For instance, Minnesota and Nevada have privacy protection laws for personal information held by internet service providers, whereas several states, including Arizona, California, Delaware and Missouri, have e-reader privacy laws. As another example, New York has the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires businesses to implement reasonable data security measures and imposes notification requirements in case of a data breach.
Way Forward or Maintaining Status Quo?
The current patchwork of consumer privacy laws in the United States presents a daunting challenge in achieving robust and cohesive protection for consumer privacy on a national level. This fragmented landscape creates confusion for businesses as they navigate the intricate legal terrain, necessitating the creation of multiple compliance and reporting programs to adhere to specific state and federal privacy laws. At the same time, consumers themselves face uncertainty and frustration as they seek clear guidance on their rights and the extent of their protection.
Furthermore, with comprehensive federal legislation, such as the American Data Privacy and Protection Act, likely to continue to face challenges, consumer privacy evolution and adoption in the United States are positioned to be left in the hands of numerous, divergent state laws.
Therefore, it presently seems that the United States is poised to maintain the status quo rather than moving forward like the European Union with its comprehensive General Data Protection Regulation. This approach has the potential to negatively impact the country’s investment climate, given the increased costs and efforts associated with tailoring products, services, and policies to conform to each state’s specific laws. In light of the stated negative impacts on businesses and consumers, it is imperative to recognize the pressing need to implement a comprehensive consumer privacy law at the national level. In conclusion, while the growing adoption of consumer privacy legislation by states is a positive step, it falls short of propelling the United States in the desired direction.