Momentum for state privacy bills has been growing over the past couple of years, as lawmakers respond to privacy invasions and constituent demand to address them. As several states end their legislative sessions for the year and lawmakers begin to plan for next year, we urge them to pay special attention to strengthening enforcement in state privacy bills.
Strong enforcement sits at the top of EFF’s recommendations for privacy bills for good reason. Unless companies face serious consequences for violating our privacy, they’re unlikely to put our privacy ahead of their profits. We need a way to hold companies directly accountable to the people they harm—especially as they have shown they’re all too willing to factor fines for privacy violations into the cost of doing business.
To do so, we recommend a full private right of action—that is, making sure people have a right to sue companies that violate their privacy. This is how legislators normally approach privacy laws. Many privacy statutes contain a private right of action, including federal laws on wiretaps, stored electronic communications, video rentals, driver’s licenses, credit reporting, and cable subscriptions. So do many other kinds of laws that protect the public, including federal laws on clean water, employment discrimination, and access to public records. Consumer data privacy should be no different.
Yet while private individuals should be able to sue companies that violate their privacy, it is only part of the solution. We also need strong public enforcement, from regulators such as attorneys general, consumer protection bureaus, or data privacy authorities.
We also advocate against what are called “right to cure” provisions. Rights to cure give companies a certain amount of time to fix violations of the law before they face consequences—essentially giving them a get-out-of-jail-free card. This unnecessarily weakens regulators’ ability to go after companies. It can also discourage regulators from investing resources and lawyer time into bringing a case that could very easily disappear under these provisions.
Last year, California voters removed the right to cure from the California Consumer Privacy Act. Unfortunately, several other state bills not only refused to include private rights of action to hold companies accountable, but also hobbled their one enforcement lever with rights to cure.
Some Improvements, But We Still Have a Long Way to Go
The Colorado Privacy Act passed very near the end of the state’s legislative session. It covers entities that process the data of more than 100,000 individuals or sell the data of more than 25,000 individuals. EFF did not take a position on this bill, viewing it as a mixed bag overall. It has no private right of action, centering all of its enforcement in the state Attorney General’s office. The bill also has a right to cure.
However, we do applaud the legislature for adding a sunset to that bill’s right to cure—currently set to expire in 2025. Companies argue that rights to cure make it easier to comply with new regulations, which is often persuasive for lawmakers. We are glad to see Colorado recognize this loophole should not last indefinitely. EFF continues to oppose right to cure provisions but is glad to see them limited. We hope to see Colorado build on the basic privacy rights enshrined in this law in future sessions.
We’ve also seen some small progress toward stronger enforcement. Opponents of strong privacy bills often argue that private rights of action, or expanding the private rights of action, is a poison pill for privacy bills. But some legislatures have shown this year that this is not true. Nevada improved a consumer privacy bill passed last year, SB 220; that change now permits Nevadans to sue data brokers that violate their privacy rights.
Furthermore, the Florida House voted to pass a bill that contained a full private right of action—a small but significant step forward and a blow against the argument from big tech companies and their legislative enablers that including this important right is a complete non-starter for a privacy bill. Given the recent Supreme Court ruling in the TransUnion case, which places limits on who can sue companies under federal laws, it has never been more important for states to step up and provide these crucial protections for their constituents.
Overall, we would like to see continued momentum around prioritizing strong enforcement—and to see other states move beyond the baselines set in California and Colorado. We certainly should not accept steps backwards. Unfortunately, that is what happened in one state. The data privacy bill passed in Virginia this year is significantly weaker than any other state law in this and other crucial areas. Virginia’s law lacks a private right of action and includes a right to cure. Adding insult to injury, the state also opted to give the law’s sole enforcer, the attorney general’s office, only $400,000 in additional funding to cover its new duties. This anemic effort is wholly inadequate to the task of protecting the privacy of every Virginian. This mistake should not be repeated in other states.
As other states look to pass comprehensive consumer data privacy bills, we urge lawmakers to focus on strong enforcement. There is much work to do. But we are encouraged to see more attention paid to properly funding regulatory bodies, growing support for private rights of action, and limits on rights to cure.
EFF will continue to push for strong privacy laws and demand that these laws have real teeth to value consumer rights over corporate wish lists.