In the past several months, the amount of state legislative activity around consumer data privacy laws has been frantic, by state legislatures standards. So much so, it is not easy to discern the cause for all this effort; is it that consumers are demanding action, are market forces lobbying for the least restrictive options, or have legislators initiated these efforts on their own seeing their citizens simply must be protected from more than data breaches, but also be encouraged to exercise control over their personal information?

State of Laws

In the U.S., existing consumer privacy laws are either sectoral based (think, healthcare and financial services) or state-law based. Despite several federal bills being introduced over the past few years, the U.S. Congress has failed to pass any comprehensive consumer-based data privacy laws to date. (See, "Information Transparency & 12 Personal Data Control Act" introduced by Rep. Suzan DelBene (D-WA) March 10, 2021; "Consumer Data Privacy and Security Act" introduced by Sen. Jerry Moran (R-MO) May 6, 2021; "Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act" introduced by Sen. Roger Wicker (R-MS) Sept. 17, 2020. See also, Consolidating US privacy legislation: The SAFE DATA Act, aipp.org).

Instead, as it often does, California led the way with its groundbreaking California Consumer Privacy Act (CCPA) in 2020 and Virginia followed abruptly in April this year with its "CCPA-like" Virginia Consumer Privacy Act. Also, there are a variety of proposed consumer data privacy laws currently pending in 13 other states (AB, AL, CO, CT, IL, MA, MN, NC, NJ, NY, RI, SC, and TX). As of May 5th, state lawmakers have introduced bills in 26 states and 10 states (AZ, FL, KY, MA, MI, ND, OK, UT, WA, and WV) have rejected these legislative attempts.