Menu Close

Separate State Actions on Data Privacy Underscores the Need for Unified Congressional Action

IDAC Blog Logo

By Alex Psilakis

With no action coming from Congress, several states have taken steps to address data privacy protections for consumers. Recently, Connecticut passed a new data privacy law earlier this month that gives consumers the “right to access,” which allows consumers to know if a business is using their personal data and have access to the data that businesses keep on them. It also grants consumers the “right to delete,” or erase data provided by or obtained about them. Additionally, it provides consumers the “right to opt out,” or decline the targeted advertising or the sale of personal data.

While Connecticut’s law does take some steps in the right direction, it does have limits. The law only protects Connecticut residents, not those acting in a commercial or employment context in Connecticut. The policy also exempts multiple types of entities, including state and local governments, nonprofits, and higher education institutions. And the law lacks a private right of action, which would allow consumers to take legal action if they experience damages from a businesses’ violation of the law. Instead, only the Connecticut Attorney General may bring legal action against a business under the law.

Connecticut is far from the only state moving while Congress waits. Instead, it is one of a handful that have acted, contributing to the patchwork of state privacy laws present around the U.S. California passed the nation’s first data privacy law, the California Consumer Privacy Act, back in 2018. Since then, Colorado, Utah, and Virginia have passed their own data privacy laws. 

Connecticut’s data privacy law is similar to those in place elsewhere but it does differ in some respects. For instance, Connecticut’s law requires that if a business knows – or willfully disregards – the fact that a consumer is between the ages of 13 and 16, then the business must receive consent to process the user’s personal data for targeted advertising or the sale of data. California possesses a similar provision but Virginia and Colorado do not. Alongside this, though Connecticut does not allow for a private right of action, but California does. California’s law notes that if a business experiences a data breach and a consumer’s first name, last name, and social security number are stolen in non-encrypted and non-redacted form, then they can sue the business. 

Many data privacy advocates also worry that some of the state data privacy laws passed are too business-focused and are inadequate to protect consumers. A collection of tech and financial companies, known as the State Privacy and Security Coalition (SPSC), helped shape what would eventually become the law in Utah and Virginia. In Virginia specifically, SPSC member Amazon drafted the first version of the state’s data privacy law. The coalition also celebrated the passage of Utah’s law. Additional SPSC members include AT&T, Google, and Visa. Outside of Utah and Virginia, SPSC has proven active in states like Washington and Kentucky. 

To address the differences between state laws, and ensure that consumers possess maximum data privacy protections, Congress must pass comprehensive data privacy reform. Congress must pass a bill that incorporates protections like a right to access, right to delete, and right to opt out. Congress must also support a private right of action. Even though businesses view this policy as more controversial, it provides consumers the crucial ability to take legal action, receive compensation, and hold businesses accountable. Ultimately, by passing a strong federal law, Congress may not only bolster the data protections of Americans, but clear up confusion between the patchwork of differing state laws.