2022 Data Privacy Day – An Update on Where the Laws Stand

Well, it’s Data Privacy Day, and it would be great to be able to report that the federal legislature has finally agreed on a comprehensive federal data privacy law – but alas, that has not happened. Like so many other legislative initiatives, it comes down to a matter of the legislators not being able to agree. It seems that the two primary issues of dispute are (a) whether the federal law should preempt state privacy laws, and (b) who will enforce the law. At present California, Colorado and Virginia have enacted comprehensive data privacy laws on a state level, and many other states, including New York and Massachusetts, are considering their own versions of a privacy law. The challenge with the patchwork of state privacy laws is that each state’s law differs from the others, sometimes in material respects, making compliance with every applicable law time consuming and costly. For example, the bill pending in the Massachusetts legislature goes beyond existing state laws in a number of ways, and if enacted would likely make it the most exacting law to comply with. Preemption of state laws in the data privacy area would provide a degree of certainty and efficiency for both organizations and individuals. Furthermore, a comprehensive federal privacy law that takes into account federal surveillance laws would go a long way towards convincing the European Economic Area and other countries that the USA is a safe place to transfer personal information to. Still, there is the question of who would enforce the law. Possibilities are the Federal Trade Commission, the Attorney General’s office, some other department or agency, individual subjects of the personal information, or some combination of those. So for now we wait – as the other state privacy laws come rolling in.