In prior posts, we’ve commented on the California Consumer Privacy Act (“CCPA”), likening it, and its Texas ‘flavored’ variant(s), to ‘elephants in the room’. Here, we’ve opted to expand our coverage and talk about what we’re seeing other states do (or, let’s expand the elephant metaphor to: elephants, elephants everywhere.)
It seems that all of a sudden, consumer privacy is THE hot topic and everyone’s jumping on the CCPA bandwagon! Consumers have woken up to what is happening with their personal information and are demanding government protective action! These are sensationalist statements, to be true, but are they accurate statements? Well, as is usually the case it is a bit more nuanced and it is important to set some things straight.
First, while it is true that other state (and federal) legislators are submitting consumer privacy bills, consumer privacy isn’t exactly sweeping the country, at least not yet. Since the passage of the CCPA, we’ve seen proliferation of similar (and not so similar) consumer privacy bills introduced in the 31 state and federal legislatures. Now, you may be thinking: “isn’t this what “sweeping the country’ means”? It is important to note that only 9 of these states are emulating the CCPA ‘whole-cloth’ – meaning that the text of the CCPA is used, nearly verbatim, in drafting that state’s bill.
Second, for any of these bills (and any bills, for that matter), it’s important to recognize that they are not laws yet. For consumer privacy to sweep the nation, these bills have to pass. There is no guarantee that they will all become law (or for that matter, any will become law). Here’s a case in point: ‘hot on the heels’ of the CCPA, legislators for the state of Washington introduced what was hailed as an even stronger state response to consumer privacy protection than the CCPA because it borrowed more heavily from the GDPR. Privacy pundits predicted its passage, further spurring a U.S. consumer privacy legal revolution. This bill, SB 5376 has now stalled in committee, meaning it won’t be considered further this legislative session. Another example is Texas HB 4390‘s quick demise (under the guise of an amendment), and Mississippi’s DOA bill.
Third, there’s the specter of the federal consumer privacy initiative. Passage of a federal omnibus consumer privacy law could make state by state efforts moot, provided such a federal law preempts the field.
Fourth, while it doesn’t directly relate to the other state bills, the CCPA itself has been amended in September weeks after its initial passage and there are multiple amendments on the horizon, pending in the CA legislature. Also, let’s not forget the Attorney General’s legislative charge to draft and finalize regulatory rules and procedures. One could say that consumer privacy, rather than sweeping the nation, is currently sweeping the state of California.
What are the Takeaways? We advise to take ‘sky is falling rhetoric’ with a grain of salt. Where consumer privacy is a hot topic today, and will not go away; realistically, laws have to be passed for compliance to be immediately concerning. This isn’t to say that businesses shouldn’t watch and participate in the discussions (or regulatory drafting process for your jurisdiction). Businesses should monitor these bills (and any new ones) and keep an eye on the CCPA rules the California Attorney General generates, due in Fall 2019. Monitoring events as they occur in this space is smart, allowing your business the flexibility to act proactively and tactically. As we continue to emphasize, privacy as an issue isn’t going away – and at some point, privacy laws will impact your business in ways it isn’t right now.