states-push-web-privacy-rules

States Push Web Privacy Rules

Spread the love

A growing mosaic of state-level internet privacy proposals in lieu of a nationwide framework could provide new protections for consumers and additional question marks for businesses.

Lawmakers in Virginia are nearing passage of data protection legislation in a rapid-fire legislative session slated to conclude this month. Washington state officials are considering compromises over enforcement of a potential privacy law for the third time. States including New York, Minnesota, Oklahoma and Florida are pushing ahead with similar proposals of their own.

The movement in recent weeks comes as the coronavirus pandemic has pushed daily life further online, privacy experts say, adding to consumer fears of potential abuses. Executives warn the emerging landscape for how companies can collect and use personal data could create headaches for firms that do business across state lines.

“The notion that you can divide up your business to treat consumers in California differently than you do in Washington or Virginia is silly,” said

Tanya Forsheit,

chair of the Privacy & Data Security Group at law firm Frankfurt Kurnit Klein+Selz PC.

Many businesses have warned of a patchwork of privacy laws since California passed its landmark statute in 2018 and as elected officials in Washington, D.C. have clashed over a federal baseline.

Responding to divergent approaches could be complex for e-commerce, which has surged during the pandemic, said Cy Fenton, chairman of the National Retail Federation’s information-technology security council. While online stores sell products to consumers in one state, he said, they often deliver those products to recipients in other states and share data from those transactions with third-party marketers elsewhere.

Going it Alone

California’s 2018 privacy law supercharged other state-level attempts to pass comprehensive data protections in lieu of a federal standard.

NH

ND

WA

MT

VT

MN

ME

SD

WI

OR

ID

NY

MI

WY

MA

IA

NE

RI

PA

IL

CT

OH

ID

NJ

NV

CO

UT

WV

KS

MO

DE

KY

VA

CA

MD

TN

OK

NC

AR

NM

AZ

SC

MS

AL

GA

TX

LA

FL

AK

Bills enacted

Bills currently in legislatures

HI

Bills died or stalled in legislatures

No proposed bills

NH

ND

WA

MT

VT

MN

ME

SD

WI

OR

ID

NY

MI

WY

MA

IA

NE

RI

PA

IL

CT

OH

ID

NJ

NV

CO

UT

WV

KS

MO

DE

KY

VA

CA

MD

TN

OK

NC

AR

NM

AZ

SC

MS

AL

GA

TX

LA

FL

AK

Bills enacted

Bills currently in legislatures

HI

Bills died or stalled in legislatures

No proposed bills

NH

ND

WA

MT

VT

MN

ME

SD

WI

OR

ID

MI

NY

WY

MA

IA

NE

RI

PA

IL

OH

CT

ID

NJ

NV

CO

UT

WV

KS

MO

DE

KY

VA

CA

MD

TN

OK

NC

AR

NM

AZ

SC

MS

AL

GA

TX

LA

FL

AK

Bills enacted

HI

Bills currently in legislatures

Bills died or stalled in legislatures

No proposed bills

Bills enacted

Bills currently in legislatures

Bills died or stalled in legislatures

No proposed bills

NH

ND

WA

MT

VT

MN

ME

SD

WI

OR

ID

MI

NY

WY

MA

IA

NE

RI

PA

IL

OH

CT

ID

NJ

NV

CO

UT

WV

KS

MO

DE

KY

VA

CA

MD

TN

OK

NC

AR

NM

AZ

SC

MS

AL

GA

TX

LA

FL

AK

HI

The upshot of trying to comply with a web of rules, he said, “is that your targeted advertising becomes a little less effective.”

Many companies are responding to such pressures by staffing up with lawyers or enlisting startups for compliance help, often tailoring their approaches to the strictest law on the books.

But lawmakers, consumer advocates and corporate lobbyists are now debating details that might differ from existing statutes in California and the European Union, such as carve-outs for some data processing, definitions of “publicly available information,” or consumer rights to opt in or opt out of firms’ collection of “sensitive” data.

Officials in Virginia, where near-identical proposals have passed both chambers of the legislature, say they hope to craft a business-friendly approach to regulation. Unlike California’s law, which gives consumers a limited right to sue companies for privacy lapses, the commonwealth’s Consumer Data Protection Act gives Virginians’ no such right.


Newsletter Sign-up

WSJ Pro Cybersecurity

Cybersecurity news, analysis and insights from WSJ’s global team of reporters and editors.


Consumer Reports and other advocacy groups criticized the inability for individuals to file lawsuits against companies for privacy violations in a letter to Virginia lawmakers this month. Tech companies such as

Amazon.com Inc.

and

International Business Machines Corp.

say they support the bill.

“If states could look to Virginia as a model, and states sort of follow that in some sort of a uniform way, that would be helpful to us,” said Christina Montgomery, IBM’s chief privacy officer. She added that Virginia’s proposals also use terminology for data “controllers” and “processors” that are similar to EU rules.

Enforcement remains an open question in Washington state, where Democratic Sen. Reuven Carlyle last month introduced an updated version of the Washington Privacy Act, which has stalled each of the past two years over concerns the attorney general couldn’t enforce the resulting law alone.

Rep. Shelley Kloba, also a Democrat, unveiled a competing bill, backed by the American Civil Liberties Union of Washington, that includes a private right of action and allows local governments to pass potentially stronger privacy protections.

But Ms. Kloba said that she is open to potential compromises given the digitization of work, school and socializing during the pandemic.

“It is just so much more urgent that we have a privacy policy in place,” she said.

T’Juana Albert, director of global compliance and legal affairs at digital advertising firm GumGum.



Photo:

GumGum

Some companies are trying to innovate around the consumer concerns and regulatory questions.

The digital advertising firm GumGum Inc., based in Santa Monica-Calif., places ads by analyzing content and metadata on pages users visit, company officials say, rather than by analyzing those users’ behavioral data such as past browsing habits.

Even so, the firm responds to about 10 requests a day to stop selling consumers’ information, said T’Juana Albert, GumGum’s director of global compliance and legal affairs. Such compliance questions for third-party vendors could multiply as more businesses share data to market their products and more state laws come online, she said.

“Oftentimes, [outside partners] are the ones that are not compliant,” Ms. Albert added. “You as a business don’t necessarily know that.”

Write to David Uberti at david.uberti@wsj.com

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *