As lawmakers across the U.S. are proposing and passing comprehensive data privacy bills in lieu of a federal law, Colorado Attorney General Phil Weiser said, “The states are where the action is at.”

Weiser joined State Sen. Reuven Carlyle, D-Wash., and California Department of Justice Supervising Deputy Attorney General Stacey Schesser, CIPP/US, for the “State of the States: A Look at 2021 U.S. State Privacy Legislation” panel as part of the IAPP Global Privacy Summit Online 2021, discussing the legislative trajectory in the U.S., key issues, like enforcement, and what lies ahead.

It was about a decade ago when the Obama administration, which Weiser worked under, was preparing to introduce a consumer privacy bill of rights to protect consumers at the federal level. Today, “it seems we are no sooner to seeing that passed,” he said.

“We’re seeing laboratories of democracy at their best. Different states are trying different ideas,” Weiser said.

Key among them is Washington state, where the proposed Washington Privacy Act failed for a third time last month. Carlyle said during the panel he will be bringing the proposal back for a fourth attempt, noting he is proud that elements of the WPA are showing up across the country as states consider their own proposals.

“We can test and learn and modify the edges in legislation all over the country, but I’m very proud of that three-year exercise,” Carlyle said. “If Congress decided to pass a bill tomorrow, it would take them four years to figure out what to have for lunch. So, state action really does matter.”

As states across the country look at creating and implementing legislation, Schesser said it is a reality she has been living for almost three years. California was the first state to pass comprehensive consumer privacy legislation with the California Consumer Privacy Act in 2018 and her office was authorized to enforce the law July 1, 2020.

“There was an initial wave of letters that went out on the first day. Since then, there’s been a constant wave of letters that we are continuing to issue notices to companies who have not been in compliance with the CCPA,” Schesser said. “Nobody knows anything of what we have done because all of our investigations are confidential.”

The CCPA includes a 30-day cure period, she said, which has resulted in “substantial compliance.” Schesser said she was initially “dubious” about the right to cure provision but has found “it has really provided businesses a way for getting clarity for how to come into compliance.”

“We have had constructive conversations with companies. Overall, we see that many companies genuinely want to comply with the law which is also what our goal is. We want both consumers to be protected and companies to comply with the law,” she said.

While it appears to be working in California, a right to cure provision was the “breaking point” for the proposed WPA in the 2021 legislative cycle, Carlyle said, citing a “fierce, religious, ideological opposition to allowing a company to have the opportunity to fix a problem prior to heading to courthouse steps.”

Carlyle said he believed a right to cure provision was a “central part of getting a high-quality outcome,” but that and a limited private right of action could not overcome “fierce” opponents.

“At the end of the day, we have no rights today and so the question is what is an incremental, positive, constructive step forward? And it’s the ultimate representation of perfect is the enemy of the good,” he said. “We want enforcement, of course, at the individual and systemic level, but we know that a patchwork of 50 is really challenging for industry and/or business.”

Colorado is working on a law that “tries to take from California and Washington to protect consumers and to create both that certainty and environment where consumers know their data will not be used in a way that is other than they would be comfortable or consent with,” Weiser said.

He spoke of the importance of a regulatory authority, like what exists in the California Privacy Protection Agency. The challenge of enforcement is a tricky one, he said, as while a private right of action raises potential risks for over enforcement, sole attorney general enforcement requires resources agencies may not have.

“There’s a lot that goes into this. I’m not sure where and how we would say this is the optimal balance,” Weiser said. “It is an important conversation.”

Carlyle said he feels strongly enforcement should be at the state level through attorneys general with sufficient resources. In his approach, Carlyle said he looks for “systemic patterns of abuse.”

“Do browsers collect data and not tell people with transparency where that data is flowing? Does the ability of those individual applications to track data from a mobile application cross the line? All of those systemic, structural issues from an enforcement point of view are more important at the state level,” he said. “If you have an enforcement mechanism at the state level, yes, of course, we need resources. But do we want individual lawsuits, individual lawyers, individual class-action suits?”

Moving forward, the panelists agreed it is unlikely there will be legislative movement at the federal level anytime soon, though they remain hopeful. In the meantime, states are driving that hope.

“Consumers today have absolutely no rights, and I don’t think we should lose sight of that, that this is the ultimate opportunity,” Carlyle said. “Data is the commodity of our lives today. It’s core to our civic life, our individual liberties, our freedoms and every aspect of civic society, and we’ve got to move forward in a more thoughtful way and a more holistic way together.”

Photo by Nico Smit on Unsplash