A key congressional subcommittee begins debate today, June 23, 2022, on legislation leaders are calling the closest Congress has ever come to enacting a national standard for data privacy. As an increasing number of states enact consumer privacy laws, many businesses must comply with seemingly conflicting standards on what information they may collect, what they may – and may not – do with this data, and what level of notice they must give to and permission they must obtain from consumers before collecting personal information. A national standard would reconcile many of these inconsistencies among state laws, including:

  • Which businesses are subject to each state's privacy law. Thresholds for which businesses are subject to state data privacy laws include the amount of revenue a company generates, either overall or through certain endeavors relating to the sale of personal data; the number of consumers whose data the business possesses; and whether the business processes or controls personal information in the applicable state.
  • What constitutes "Personal Information" and "Sensitive Personal Information." Personal information generally means information that can be used to identify, relate to, describe, or is associated with an individual, but each state's definition of "Personal Information" or "Personal Data" has a slight variation on this general description. The definition of what constitutes "Sensitive Personal Information" varies even more from state to state, with many statutes including racial and ethnic origin; religious beliefs; information relating to mental and physical health; sexual orientation; and genetic and biometric data in the category of "Sensitive Personal Information." Some, but not all, definitions of "Sensitive Personal Information" also include geolocation data; information provided by a minor; and citizenship status.
  • Whether businesses must allow users to opt out from selling or using consumers' personal information and sensitive personal information. Most jurisdictions mandate that consumers may opt out of the sale or use of their personal information or sensitive personal information. Some states are more specific about the type of use from which consumers may opt out, while others allow users to opt out of all transactions that include their personal information. Other differences include what constitutes a "sale" of personal information and whether states may treat users who have opted out of a sale of their personal information differently than users who have not.
  • Whether consumers must opt in before businesses use their personal information and sensitive personal information. Some states require opt in, and virtually all state privacy laws contain a requirement that businesses collecting users' information inform the users at the point of the collection which data is being obtained and the purpose or purposes for which the data will be used. Additional requirements include notifying users how long the business will retain their data and how consumers may exercise any individual rights they have under the applicable statute or regulations.
  • Whether consumers can access, correct, and delete their information — and how. Most state privacy laws require that businesses disclose what information they have collected about consumers and allow the consumers to correct or delete this information. However, the means of this disclosure, including limits on how frequently a consumer may make such requests, vary from state to state.

Other differences include when and how notice must be given in the event of a data breach and, to the extent consumers have private rights of action against businesses collecting or selling their data, the rights and remedies available in such an action vary from state to state.

With these overlapping definitions of what constitutes personal information and sensitive personal information; whether or not a business must comply with a certain state's law; how those states which regulate data practices do so; and what notification laws, rules, and regulations apply to a data breach, Pew Research reports that many users have elected to not use a product or service due to concerns about how a business may use (or misuse their data). As a result, consumers and businesses alike are looking to Congress to develop a national data privacy standard. While there have been a number of attempts to do so over the past several years, it appears Congress may be getting closer than ever to passing a comprehensive data privacy law.

Earlier in June, a first draft of the American Data Privacy and Protection Act was released, and the House Energy and Commerce Committee's Subcommittee on Consumer Protection and Commerce began consideration of this legislation at a hearing on June 14, 2022. Subcommittee Chairwoman Jan Schakowsky called the hearing a "significant and long-awaited day," and noted that the Act would "ensure that online privacy rights are there for all Americans." Her goals are for American consumers to have access to their data; the ability to correct or transfer their data; and the right to delete their data. Ranking Member Gus Bilirakis called the hearing an "exciting day" and stated his goal of ensuring that small businesses are exempted from some of the same requirements as large collectors and processors of data such as Google and Facebook. House Energy and Commerce Committee Chair Frank Pallone summed up his goal for the legislation: to "put consumers back in control of their data," and Committee Ranking Member Cathy McMorris Rogers stated that there needs to be "one national standard" for data privacy.

While the debate on this legislation has just begun, it has bipartisan, bicameral support, and leaders speaking at the June 14, 2022 hearing noted that they believed this is the closest Congress has ever come to achieving the goal of a national standard for data privacy.

Rhoades McKee shareholder Hal Ostrow, CIPP/US, regularly advises clients on cybersecurity, privacy, data aggregation, information technology, and public policy. He and other members of the Rhoades McKee Technology Transactions, Privacy, and Cybersecurity Team will continue to monitor the American Data Privacy and Protection Act as it progresses through Congress and are available to answer any questions you have about state and federal data laws, rules, and regulations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.