The State Data Privacy Act: A Proposed Model State Privacy Bill

September 25, 2024 | Caitriona Fitzgerald, EPIC Deputy Director and Kara Williams, EPIC Law Fellow

The fight for strong state privacy laws has been challenging. In recent years, industry lobbyists have been successful in getting weak privacy laws passed in several states. But last legislative session, the tide started turning. Early last year, EPIC proposed a compromise privacy bill for states to consider, modeled on the bipartisan consensus language in the American Data Privacy and Protection Act. The bill was introduced in several states. Maryland enacted the Maryland Online Data Privacy Act with key provisions from the model, including data minimization rules. Versions of the bill came close to passage in Vermont and Maine. A committee in Massachusetts gave the bill a favorable report.

But we have heard from many lawmakers that they would prefer to strengthen existing state laws rather than enact a new framework. With this in mind, we chose the Connecticut Data Privacy Act (CTDPA) as the base text to build from, as the CTDPA is the bill most often cited by industry as the model they would like states to adopt. The CTDPA is far too weak, but it is an established bill that many state lawmakers are already familiar with. Strengthening the CTDPA provides consistency for businesses while giving consumers meaningful privacy protections.

We were pleased to work with our colleagues at Consumer Reports on this model legislation. The goals of the State Data Privacy Act are to:

  • Limit ubiquitous online tracking;
  • Encourage more privacy-protective methods of online advertising;
  • Protect the most sensitive data, including data about kids and teens;
  • Use language from existing state laws; and
  • Allow for meaningful enforcement of the law to ensure compliance.

The State Data Privacy Act borrows existing language from strong state laws and federal bills wherever possible. Borrowing existing language reduces the chances of conflicts of law and, in many cases, also represents years of deliberation and stakeholder discussions. Because our organizations have been involved in privacy advocacy at the state level for many years, we are familiar with recurring patterns of contention and compromise between businesses and consumer privacy advocates. While this draft does not represent the ideal privacy bill for any of the signatory organizations, it is a compromise that would meaningfully protect consumers. 

The State Data Privacy Act has been endorsed by the Center for Democracy and Technology, the U.S. Public Interest Research Group, and Public Knowledge.  

WHAT CHANGED? KEY AMENDMENTS WERE NECESSARY TO PROVIDE MEANINGFUL PRIVACY PROTECTIONS

Data Minimization. A strong privacy law should limit the data companies can collect and use to match what consumers expect based on the context of their interaction with the business. In contrast, the core of the framework found in many state laws is notice-and-choice focused on disclosures in privacy policies. These laws allow businesses to continue collecting whatever personal data they want and using it for any reason they want as long as they disclose that practice in their privacy policies—policies that very few consumers read or could even decipher if they did—meaning the status quo of massive data collection and sale continues uninterrupted. Rather than continue with this approach that harms consumers, the State Data Privacy Act sets out a rule that businesses can only collect and use data when it is “reasonably necessary” to provide the services the consumer asks for. Personal data collected in compliance with these rules may be used for most forms of advertising, providing businesses with data they desire to target ads while avoiding harmful effects stemming from the overcollection of personal data. Adding data minimization requirements is arguably the most important improvement over CTDPA and other similar state laws. (Section 6) 

Sensitive Data Protections. We added critical protections for the most sensitive personal data. Sensitive data (including precise geolocation, health data, data about minors, and more) cannot be sold or used for targeted advertising. While the State Data Privacy Act largely moves away from a consent-based system, we kept requirements for affirmative consent when sensitive data changes hands. (Section 1, Section 6)

Clarity on Advertising Rules. Much of the debate around privacy laws comes down to the types of data that are available to use for targeted advertising. The State Data Privacy Act sets forth clear definitions of the different forms of online advertising, aiming to give businesses flexibility to advertise while protecting privacy. (Section 1, Section 4, Section 6)

Enforcement. Existing bills mainly rely on state Attorneys General (AG) to enforce privacy protections. AG offices often have limited resources to conduct investigations and enforce the law. Leaving enforcement solely in the hands of under-resourced state AGs makes it much more likely that state privacy laws will be under-enforced—and businesses may be willing to take the risk of not complying with the law because they know that their state AG is unlikely to have the time, money, or staff to investigate violations. Instead, consumers who have been harmed by violations of the law should have the ability to take action to protect themselves, so the State Data Privacy Act includes a private right of action. The bill proposes a compromise that exempts small businesses from the private right of action in recognition of the fact that small businesses often collect less personal data and have fewer resources to implement new legal compliance programs. This narrower private right of action is the best way to protect consumers’ privacy while preserving state resources and protecting small businesses. (Section 12)

Enhanced Protections for Children and Teens. The State Data Privacy Act includes enhanced privacy protections for minors under 18 years of age. Targeted advertising to minors is prohibited, as is already law in Maryland. The sale of minors’ personal data is also banned. Any personal data about a minor is considered sensitive data and therefore can only be collected and used if strictly necessary for the product or service the minor is requesting. If transferring such data is strictly necessary, the company must still request consent before the transfer – from the parent for a child under 13, or from the teen themselves for minors ages 13 to 18. (Section 1, Section 6)

Removed Loopholes that Exempt Big Institutions. The CTDPA and most state privacy laws provide entity-level exemptions to any business that already complies with federal privacy laws involving health, finance, or education. In an ideal world, many advocates would like to see all of these exemptions removed (particularly because most existing federal privacy laws are decades old and do not provide the level of protection in the State Data Privacy Act). Still, we recognize that some compromises on narrowly tailored exemptions for already-regulated data may be necessary to ease compliance burdens for businesses. To that end, we included narrow, data-level exemptions for the data covered by existing federal law rather than exempting an entire entity simply because some of the personal data it handles falls under existing law. The personal data collected from a consumer who visits a hospital’s website shouldn’t be left without protection simply because the hospital has to comply with federal privacy laws for its health data. (Section 3)

Definitions. Definitions are the core of any comprehensive bill. After discussions in many states, we’ve solidified important definitions like “targeted advertising” and “sensitive data.” We added a few useful definitions for clarity, including “small business” and “third party.” (Section 1) 

THE STATE DATA PRIVACY ACT PROVIDES STATE LAWMAKERS WITH THE OPPORTUNITY TO PROTECT THEIR CONSTITUENTS.

The State Data Privacy Act is not the model bill that EPIC would write if we were setting out to write our ideal privacy bill. But it represents a reasonable compromise that gives businesses the consistency they seek across state laws while making the changes that are necessary to ensure that the law actually offers meaningful privacy protections. EPIC and Consumer Reports look forward to working with state lawmakers who are interested in the State Data Privacy Act. 
