Quiltwork: Existing State Privacy Legislation and Federal Intervention

by | Jun 26, 2020 | Legislation

Written by: Michael Walsh

There were forty bills proposed for state privacy legislation between 2018 and June 2020 (up from 27 bills in February 2020).[1] Of those, only fourteen bills died in committee or were postponed.[2] Nevertheless, the introduction of such bills indicate that States are becoming increasingly concerned about consumer privacy protection, and these bills still have a chance of being reintroduced and enacted. Six of those bills were instead replaced with a dedicated task force to monitor and enforce nationwide consumer privacy concerns. Excluding the bills that either died in committee or were replaced with dedicated task forces, twenty bills remain to be considered for passage.

Consumer Rights

The majority of these bills focus on consumers’ rights, including many of the following fundamental provisions: (1) Right of Access; (2) Right of Deletion; (3) Right to opt out; (4) Private Right of Action; (5) Right to Fair Notice; and (6) Right to Nondiscriminatory Access.

  • Right of Access (15 of 20 bills include this provision)

The consumer may submit a request to a business or data collector (data controller), to receive a file, which notes the categories or “specific pieces” of personal data that the data controller has collected from said consumer. A consumer should be able to submit a request for access to his or her personal information through more than one means (written or electronic). These requests should be timely fulfilled and returned to the consumer in a common file format.

  • Right of Deletion (14 of 20 bills include this provision)

The consumer may submit a request to a data controller to delete any or all personal data that the data controller has collected from said consumer.

  • Right to Opt Out (17 of 20 bills include this provision)

The consumer may affirmatively opt out of the sale of his or her personal information to third parties.

  • Private Right of Action (9 of 20 bills include this provision)

The consumer may seek civil damages from the data controller for violations of a consumer data privacy statute.

  • Right to Fair Notice (15 of 20 bills include this provision)

A data controller shall provide to the consumer reasonable notice of the collection of said consumer’s personal information.

  • Right to Nondiscriminatory Access (13 of 20 bills include this provision)

A consumer shall not be discriminated against or have impaired access to services merely for exercising his or her privacy rights under a consumer data privacy statute.

Is a Quilt Better than a Blanket?

The current privacy landscape in the U.S. can be described as a patchwork. About one half of the states have introduced some type of consumer privacy law.[3] So, should we just enact federal privacy legislation? The Electronic Frontier Foundation, a digital rights advocacy group, urges not. Tech superpowers including Facebook and Google (as the “Internet Association”) have been lobbying for the enactment of a federal privacy law, but the EFF contends that enacting a federal privacy law will undermine stricter state laws through preemption (an issue that may be able to be resolved with careful legislative drafting).[4]

Oppositely, some business advocates contend that universal federal privacy legislation that resembles the General Data Protection Regulation (GDPR) would be needlessly costly.[5] Gartner estimates that consumer requests for current and future privacy legislation will cost, on average, $1,406 and take about a week to fulfill.[6] These compliance costs are doubtlessly expensive but may be offset by return on investment from increased consumer trust.[7]

Regardless, Congress is considering two bills that resemble the GDPR (with a private action being the most controversial provision), the Consumer Online Privacy Rights Act (COPRA) and the United States Consumer Data Privacy Act (USCDPA). COPRA is effectively broader in the way it defines personal information, while USCDPA is restricted to a more linear definition of “sensitive” personal information. COPRA allows for a private right of action while USCDPA does not. COPRA retains state authority for most areas of privacy protection (allowing states to enforce their own laws if they are more stringent than the federal equivalent), while USCDPA preempts most areas of existing state data privacy laws.[8] We will likely see the passage of one of these bills in 2020, albeit modified. Get to know them here: COPRA[9] and USCDPA.[10]


[1] Mitchell Noordyke, U.S. State Comprehensive Privacy Law Comparison, Iapp (June 2020), https://iapp.org/resources/article/state-comparison-table/ [https://perma.cc/V583-4LMB].

[2] Id.

[3] Id.

[4] Bennett Cyphers, Big Tech’s Disingenuous Push For a Federal Privacy Law, Electronic Frontier Foundation (Sept. 18, 2019), https://www.eff.org/deeplinks/2019/09/big-techs-disingenuous-push-federal-privacy-law [https://perma.cc/2XLJ-MEF8]; Michael Beckerman, Americans Will Pay a Price for State Privacy Laws, New York Times (Oct. 14, 2019), https://www.nytimes.com/2019/10/14/opinion/state-privacy-laws.html [https://perma.cc/8KEX-VPPA].

[5] Alan McQuinn and Daniel Castro, The Costs of an Unnecessarily Stringent Federal Data Privacy Law, Information Technology and Innovation Foundation (Aug. 5, 2019), https://itif.org/publications/2019/08/05/costs-unnecessarily-stringent-federal-data-privacy-law [https://perma.cc/P5XL-H66C].

[6] Jordan Bryan, 4 Legal Tech Trends for 2020, Gartner (Feb. 6, 2020), https://www.gartner.com/smarterwithgartner/4-legal-tech-trends-for-2020/ [https://perma.cc/HN7R-SVKB].

[7] Nasdaq, Cisco 2020 Data Privacy Benchmark Study Confirms Positive Financial Benefits of Strong Corporate Data Privacy Practices (Jan 27, 2020), https://www.nasdaq.com/press-release/cisco-2020-data-privacy-benchmark-study-confirms-positive-financial-benefits-of [https://perma.cc/3386-D6GL]; Brooke Auxier et al, Americans’ Attitudes and Experiences With Privacy Policies and Laws Pew Research Center (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/ [https://perma.cc/XN2K-DPJJ]; Emily Leach, Iapp, (2016), https://iapp.org/media/pdf/resource_center/ROI_Whitepaper_FINAL.pdf [https://perma.cc/BV8R-P5BQ].

[8] Wendy Zhang, Comprehensive Federal Privacy Law Still Pending, National Law Review (Jan. 22, 2020), https://www.natlawreview.com/article/comprehensive-federal-privacy-law-still-pending [https://perma.cc/4U4H-8EPX]; Christian T Fjeld, Christopher Harvie, Cynthia J. Larose, Congressional Privacy Action – Part 1: The Senate, National Law Review (Jan. 28, 2020),  https://www.natlawreview.com/article/congressional-privacy-action-part-1-senate [https://perma.cc/VTK5-3YMC]; Angelique Carson, At Senate, consensus on federal law until you get to ‘private right of action’, Iapp (Dec. 5, 2019), https://iapp.org/news/a/at-senate-consensus-on-federal-law-until-you-get-to-that-private-right-of-action/ [https://perma.cc/938E-RKKU]; Charlie Warzel, Will Congress Actually Pass a Privacy Bill?, New York Times (Dec. 17, 2019), https://www.nytimes.com/2019/12/10/opinion/congress-privacy-bill.html [https://perma.cc/GY6Q-T9QG]

[9] Consumer Online Privacy Rights Act, 116th Cong. (2019), https://www.cantwell.senate.gov/imo/media/doc/COPRA%20Bill%20Text.pdf [https://perma.cc/EA85-5BQT].

[10] United States Consumer Privacy Act of 2019, 116th Cong. (2019), https://aboutblaw.com/NaZ [https://perma.cc/3J8X-MP3G].

Important: Read our blog and commenting guidelines before using the USF Blogs network.

Skip to toolbar