Happy Friday! I hope your holiday plans are finalized for next week, and I hope they include some time outside with family and friends. As a displaced Midwesterner living in Portsmouth near IAPP headquarters, I am looking forward to my first Fourth of July in New England and planning a drive up the Maine coast.
Heading into the heat of summer and the midpoint of the year, it’s a good time to take stock of the domestic privacy landscape. The first half of the year can be summed up with one word: legislation. Look in any direction, and a legislature has either enacted it (California, Nevada, Maine), proposed it (throw a dart at a map of the U.S. and you have a 30% chance of hitting a state with a proposed or passed bill), or is engaged in early deliberations and brainstorming about legislation (ask the IAPP’s resident-D.C. journalist Angelique Carson how many privacy bingos she has hit attending federal hearings on the topic). Not only has the humidity picked up, but so has the chatter about privacy-focused legislation.
In my role as a Westin fellow, I have been closely tracking the development of privacy legislation in two areas: the California Consumer Privacy Act and proposed state-comprehensive-privacy bills. For those unfamiliar, the IAPP maintains a chart comparing proposed state-level comprehensive privacy bills. The original expectation was that the chart would only need to be updated periodically. After the California Legislature’s hand was forced by the threat of a ballot initiative last year, I expected states to take some time to consider their role in regulating privacy and that subsequently proposed legislation from other states would start as a slow drip. Suffice it to say that has not been the case.
During the first six months of the year, while state legislatures were in session, more than one dozen states proposed comprehensive bills, and nearly every week, I received an email suggesting a new bill to add to the chart. Some of the bills were copycats of the CCPA (e.g., Connecticut and Massachusetts); others sought incremental improvements to existing laws (e.g., Louisiana and Nevada). Some mimicked the GDPR (e.g., Texas), and another set took inspiration from various sources and offered an alternative to the CCPA/GDPR dichotomy (e.g., Washington, Minnesota, New York and Illinois).
At the same time other states are taking the first steps toward regulating privacy, the California Legislature is considering a number of amendments to the CCPA, and privacy professionals are grappling with the details of the law. The IAPP has published a variety of articles recently describing how organizations should be preparing for compliance and offering thought pieces from leading professionals highlighting provisions ripe for varied interpretation in the law. Activity around the CCPA and interest in material to help understand its implications are high.
State-level efforts exist in parallel with speculation about the possibility of federal action on privacy. Senators and representatives from a broad array of states have weighed in — either on the need for a federal law or with a proposal for what that law should look like. Large technology companies have also thrown their support behind a federal law.
None of this is new information for those following the developments of the legislative environment on privacy, but these are the three elements I am interested to watch progress over the course of the year and into 2020: States are motivated to find solutions in the face of federal inaction, California has a consequential law on the books that will take effect at the turn of the calendar, and the federal government recognizes that it likely has a role to play. How each element influences the other will be a fascinating interaction to observe over the next 6 to 18 months.
If you want to comment on this post, you need to login.