Protecting data privacy is a hot topic of debate with state and federal lawmakers. Consumers need to have their data protected and businesses need clear rules of the road so they can continue to offer new and innovative products and services. Unfortunately, since Congress has yet to pass a preemptive federal data privacy law, state legislatures have felt pressure to fill the void, which could lead to an unworkable patchwork of state laws for businesses and consumers to navigate.
Until there is a preemptive federal data privacy law, there are a few safeguards states should include in data privacy legislation to protect consumers and give businesses certainty. Specifically, states should exclude private rights of action, which outsource enforcement actions to plaintiffs’ lawyers rather than the state attorney general (AG), and include cure periods and caps on civil penalties.
During this state legislative session, three states have introduced the right kind of state data privacy laws, with no private right of action and a cap on civil penalties:
- Iowa: SF 262 was signed by Gov. Kim Reynolds and is set to take effect in 2025. The package caps civil penalties at $7,500 per violation and includes a 90-day cure period.
- Tennessee: HB 1181, which the Chamber supports, was recently passed by Tennessee’s legislature. It caps civil penalties at $15,000 per violation, includes a 60-day notice and cure period, and provides an affirmative defense for businesses that implement effective compliance programs.
- Texas: HB 4, which the Chamber supports, was recently passed by the Texas House of Representatives. It caps civil penalties at $7,500 per violation and includes a 30-day notice and cure period.
According to ILR’s 2019 research paper, Ill-Suited: Private Rights of Action and Privacy Claims, laws that keep enforcement power with state AGs and agencies, and don’t include a private right of action, are a much better way to protect privacy. Agency enforcement is led by experts who understand the complexities of the law, leading to better outcomes for both consumers and companies.
The Illinois Biometric Information Privacy Act is a great example of what not to do. The law is supposed to make sure businesses correctly collect and store biometric data, but plaintiffs’ lawyers have taken advantage of the law to file hundreds of lawsuits against businesses. Since the law is extremely technical, a minor mistake can mean thousands of dollars in damages per violation and the law contains no cure period to fix the problem.
Businesses that face an onslaught of litigation and massive penalties might have no choice but to stop offering innovative products and services. Consumers lose out on new digital tools that make their lives easier because plaintiffs’ lawyers use excessive lawsuits to keep everyone in the analog past.
Kudos to Iowa, Tennessee, and Texas for taking significant steps to protect consumer data and provide companies with certainty rather than giving plaintiffs’ lawyers the green light to file lawsuits.