By B.N. Frank
“Surveillance Capitalism” is big business and not only for tech companies. Even utility providers collect data on consumers via “smart” utility meters (electric, gas, and water)! As more Americans express concerns about their privacy – more state lawmakers are taking action to protect constituents.
From GovTech:
Many States Have Data Privacy Laws. Where Is the Federal Law?
In the absence of nationwide policy, 13 states have enacted their own data privacy laws. Several others have taken a different approach with a mix of basic and substantive protections. Congress may take the issue this session.
Gopal Ratnam, CQ-Roll Call
(TNS) — States that have enacted data privacy laws and those pursuing them are migrating into disparate camps in their approaches to privacy protections, setting up a clash if Congress enacts federal legislation.
In the absence of nationwide policy, 13 states have enacted their own laws. California, the first state in the nation to pass a comprehensive law, formed a camp of its own with its 2020 measure that allows consumers to directly sue tech and online companies over data breaches involving personal information such as names, social security numbers and email addresses.
Twelve other states have taken a different approach, modeled on a bill first proposed in Washington state in 2019 but that has so far not been passed in that state. Data privacy laws now in effect in Colorado, Connecticut, Delaware, Indiana, Iowa, Florida, Montana, Oregon, Texas, Tennessee, Utah and Virginia don’t allow individuals to sue tech companies for data breaches, and instead offer consumers a mix of basic and substantive protections.
California and the other states are similar in that each allows its attorney general to bring lawsuits against companies for violations.
Privacy advocates who are lobbying for action in other states, however, are pushing in another direction: a bipartisan congressional proposal that was approved in the House Energy and Commerce Committee in 2022 but failed to get broader support in Congress. That proposal would seek to minimize data collection.
Activist Post is Google-Free — We Need Your Support
Contribute Just $1 Per Month at Patreon or SubscribeStar
Members of Congress from both parties, including Sen. Maria Cantwell, D-Wash., chair of the Senate Commerce Committee, and Rep. Cathy McMorris Rodgers, R-Wash., chair of the House Energy and Commerce Committee, have pledged to pursue federal data privacy legislation in the current session.
They are under pressure to act because of the rapid onset of artificial intelligence systems that use large volumes of data, threatening to worsen privacy protections for Americans. But with the November election fast approaching, Congress has little time left to reach consensus and pass a law that has eluded it for years.
DATA ‘MINIMIZATION’
Legislatures in seven other states are considering dozens of privacy bills in 2024.
Mozilla, a nonprofit foundation and maker of the Firefox web browser, wrote to lawmakers in Massachusetts and Maine on Jan. 11 asking them to consider proposals modeled on the stalled federal legislation instead of the Washington state model.
The letter’s author, Noam Kantor, a senior public policy analyst at the nonprofit, said in an interview that Mozilla wants tougher standards for a key element of privacy known as data minimization that was included in the federal proposal but not in many state ones.
Data minimization asks companies to collect only the data necessary to provide a service or sell a product.
Laws in states such as Connecticut act like they call for data minimization, but they’re “actually not really putting any constraints on the kind of use and abuse of data we see in the marketplace,” Kantor said. “And that worries us because data minimization to Mozilla is a really important factor of privacy law.”
The Connecticut law says companies and other entities “must limit collection of personal data to what is adequate, relevant and reasonably necessary for the disclosed purposes for which the data is processed.”
The federal proposal from 2022 says that any entity covered by the legislation “may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate.” But it also goes on to list more than a dozen “permissible purposes” for which data may be collected, a prescriptive clause that some of the other laws lack.
Washington state Sen. Joe Nguyen, who chairs the chamber’s Environment, Energy, and Technology Committee, was an author of the 2019 data privacy proposal in that state. He said in an interview that many legislatures and state regulatory agencies lack the wherewithal to enact technology legislation that is specific and prescriptive.
The data minimization requirement in the Washington proposal was a “constant [under] the philosophy that you should minimize the data that you’re using from consumers as best as possible,” he said.
The proposal, sponsored by former Washington state Sen. Reuven Carlyle, was left open-ended to avoid a situation in which technology “becomes moot and then you have to pass another law to fix it,” said Nguyen, a Microsoft executive before entering politics.
That’s a big problem for part-time state legislatures with minimal staff that may not be adept enough to rapidly amend laws, Nguyen said. Additionally, some states lack the expertise and resources to develop legislation from scratch and must borrow proposals from elsewhere.
So why has Washington failed to enact data privacy legislation? Nguyen said the five unsuccessful attempts are attributable to consumer advocates pushing to include a private right of action similar to California’s provision.
The authors of the Washington proposal chose to lay power of enforcement with the attorney general because “when you’re talking tech companies with trillions of dollars, people will sue you just to sue you and hope for a settlement,” Nguyen said.
Yet Washington’s model, which adapted many parts of the European Union’s privacy law known as General Data Protection Regulation, “has had a lot of influence,” said Kate Goodloe, managing director at BSA Software Alliance, a trade group that represents more than 40 firms including Cisco Systems Inc., Oracle Corp. and Microsoft Corp.
“That approach creates a new set of privacy rights for individuals and set of obligations on businesses, including both consumer-facing businesses and business-to-business data processors,” she said in an interview. Privacy laws in Virginia, Connecticut and Colorado use the same structure “but add more substantive protections for consumers.”
Other states use it as an anchor but have removed some protections.
In the meantime, Washington state still lacks a law.
Nguyen said he won’t reintroduce the measure this year. “You only can fit so much stuff in at any given time, and knowing that this policy is very tough, and it’s failed multiple times, I don’t want to spend my time working on a policy that I know is going to be controversial when there are other things that I need to do.”
©2024 CQ-Roll Call, Inc., Distributed by Tribune Content Agency, LLC.
Activist Post reports regularly about privacy invasive business practices. For more information, visit our archives.
Become a Patron!
Or support us at SubscribeStar
Donate cryptocurrency HERE
Subscribe to Activist Post for truth, peace, and freedom news. Follow us on SoMee, Telegram, HIVE, Minds, MeWe, Twitter – X, Gab, and What Really Happened.
Provide, Protect and Profit from what’s coming! Get a free issue of Counter Markets today.
Be the first to comment on "13 States Have Data Privacy Laws. Is Yours One of Them?"