The US will soon have a unified federal government under the incoming administration.
While much of its agenda is unclear and the margins in the House and Senate are razor thin, we can expect the next two years to be relatively business-friendly, deregulatory and somewhat hostile to expansionary regulatory regimes.
Indeed, the unexpected resignation of prominent researcher and regulator Ashkan Soltani, founding executive director of the California Privacy Protection Agency (CPPA), may be a case of the writing on the wall.
Moreover, it may be an acknowledgment that recent efforts for a comprehensive federal privacy law are finally feasible — even if the resulting law ends up being significantly different from the approach taken by Europe and California.
Two models of privacy legislation
State-level privacy legislation in the US has evolved rapidly over the past six years. The laws have been driven by the demands of regulators and their constituents in the wake of scandals like Equifax and Cambridge Analytica. They are also the result of the ongoing war between Apple and Google over which one is perceived to be more private and secure.
Nineteen states have enacted comprehensive laws, beginning with the California Consumer Privacy Act of 2018 and the subsequent California Privacy Act, which mandated the creation of the California Privacy Protection Agency (CPPA), a de facto privacy office.
Meanwhile, the Texas Data Privacy and Security Act of 2023 (TDPSA) went into effect in July 2024; parts of it deal with universal opt-out mechanisms (UOOM).
Many provisions of the Texas law are in stark contrast to the California regime, although there are some similarities.
Like California, Texas has raised the bar on regulatable personal and sensitive personal information, with “reasonably connected to an individual” as the new standard.
They enshrined consumer rights such as access and erasure and introduced tough penalties for businesses that fail to respect these rights or misuse personal data. Furthermore, both have introduced GDPR-like distinctions between processors/controllers. They also defined what constitutes the sale of personal data and the obligations of the parties involved. Additionally, they have implemented broad opt-out requirements for targeted advertising.
But that’s where their similarities end.
California’s laws are European in style, mandating the creation of the CPPA and imposing highly prescriptive requirements on everything from disclosure to business documentation. (See the “Don’t sell my personal information” links in the footer of the main website.) They also allow for private rights of action (PRA) in the event of a data breach.
The Texas legislation, on the other hand, is much more traditional: it is enforced exclusively by the Attorney General, gives businesses flexibility in the design choices they make to comply, and excludes a PRA. It has an additional focus on children’s data, including a ban on its use in targeted advertising.
With Texas Sen. Ted Cruz slated to take over as chairman of the Senate Commerce, Science and Transportation Committee in 2025 — the same committee tied to the American Privacy Act — it is the TDPSA that the federal legislation will most closely resemble.
Federal Privacy Act – Really?
But how close are we really to a federal privacy law?
First, state laws are facing increased opposition. A pair of vetoes by the governors of Vermont and California in 2024 — justified as necessary to avoid harming business — shook the privacy movement at the state level.
The U.S. Congress, meanwhile, flirted with comprehensive privacy measures but ultimately failed to pass them due to eagerness for stronger measures and electoral gamesmanship, as was the case with the American Privacy Act last session. But these federal failures took place in times of divided government. With the election behind us and a unified federal government ahead, the future of privacy is coming into sharper focus.
Contrary to the initial analysis of many, and supplemented by the successes of state laws like Texas, there is now a genuine attempt at a federal privacy law that levels the playing field and simplifies compliance.
Such legislation will almost certainly preserve the status quo opt-out for non-sensitive categories of personal data, provide expanded notice requirements and universal consumer rights, preempt state laws, and alleviate the current patchwork compliance burden. It will also eliminate private rights of action for all but the most negligent practices.
And while the Federal Trade Commission will have the authority to enforce such a law, the historically deregulatory tendencies of this Congress, as well as the president’s newfound focus on efficiency, suggest that designated safe harbor entities are a real possibility. In this case, self-regulatory organizations (think FINRA for the SEC) will likely see renewed relevance.
Even if such a bill does not amount to an American equivalent of the GDPR, companies of all shapes and sizes should be prepared to support it. The internet and legal teams just don’t operate at the state level. Enhanced user rights with reduced compliance costs are a win-win.
“Data-driven thinking” is written by members of the media community and contains new ideas about the digital revolution in media.
For more articles featuring Charles Simon, click here.