Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.

 Skip to Content

The Imitation Game: How the CCPA Is Inspiring Other States to Regulate Consumer Data and Online Privacy
September 12, 2019
On January 1, 2020, certain companies doing business in California will be subject to the California Consumer Privacy Act (CCPA). This statute is designed to grant California consumers various rights with respect to their personal information that is collected, stored, and monetized by commercial enterprises. Accordingly, in the absence of a federal consumer privacy statute in the United States, the CCPA is arguably the most significant law in the country in terms of regulating consumer data and online privacy.

With that said, other states in the United States are following California's lead and adopting consumer privacy laws of their own. Nevada recently amended its existing data privacy statute governing the security of information maintained by data collectors and other businesses. The amendment prohibits "an operator of an Internet website or online service which collects certain information from consumers in this State from making any sale of certain information about a consumer if so directed by the consumer." This amendment is slated to go into effect on October 1, 2019 (nearly three months before the CCPA). Maine is another state that has proposed and passed a bill related to consumer privacy. Unlike the CCPA and Nevada's statutory amendments, however, Maine's new law focuses exclusively on the regulation of broadband internet access providers.

There are a number of other states that have consumer privacy proposals in the pipeline, and the International Association of Privacy Professionals has designed a useful comparison table of these bills (while also identifying 17 common privacy provisions). While not a full-fledged consumer privacy statute, Connecticut passed a bill creating a task force to study this subject matter and what related laws might be implemented in the future. Massachusetts, on the other hand, has a comprehensive bill progressing through its legislature, which provides for a private right of action that is broader than the CCPA. Similar to the CCPA, however, any contract or agreement that attempts to waive or limit consumers' rights under the proposed Massachusetts statute will be void and unenforceable. But even in the midst of states' collective interest in protecting consumer data and online privacy, some jurisdictions are facing setbacks.

For example, New York's robust consumer privacy bill was not passed during the state's most recent legislative session. Washington, a state that even has an Office of Privacy and Data Protection, also failed to pass its Washington Privacy Act this year (and this bill sought to regulate new forms of data collection such as facial recognition technology). Nevertheless, even though some proposals are facing legislative obstacles, the comprehensiveness of these bills reinforces the trend that states are becoming more engaged in this space.

In conclusion, as the CCPA is getting ready to go into effect, states across the country are following California's lead to implement consumer data and online privacy laws within their respective jurisdictions. However, in the absence of a federal statute, it is possible that the growing number of nuanced state bills will be an administrative headache for companies that fall within the ambit of each state's laws. For now, the next step in tracking this regulatory evolution is to look to California, Nevada, and Maine to observe how these laws will be enforced in practice, how the business community will respond to this new reality, and how other states will build these practical considerations into their emerging legal frameworks.
Related Practices
Cybersecurity and Privacy
©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.