Privacy: A Growing Focus on Privacy Raises the Stakes

Broader privacy laws are proliferating throughout U.S. states. At the same time, federal and state regulators are pursuing more rigorous enforcement of data breaches. The interplay between these two trends is increasing the risk of privacy-centered litigation for businesses operating in all sectors.

Historically, state privacy legislation focused on specific aspects of privacy, such as the processing of biometric information, health information, children’s online data, etc. Recently, legislatures have moved away from this sectoral approach and have been increasingly turning to comprehensive privacy laws that regulate the way that businesses gather, use, and disclose personal data. These comprehensive laws typically give consumers certain rights, such as being able to access, correct, and delete their data, or they require businesses to implement procedures and agreements intended to protect such data. Under such laws, “privacy is not just a concern when a data breach has occurred,” says Matthew Welling, a partner in Crowell & Moring’s Privacy and Cybersecurity Group. Instead, Welling suggests that “you now have to think about how you collect, store, and handle data throughout your business.”

This legislative shift began in 2018, when California passed the California Consumer Privacy Act and became the first state to enact this type of comprehensive law. Other states gradually followed suit, and, by the end of 2022, four more states—Colorado, Connecticut, Utah, and Virginia—had comprehensive privacy laws on the books. This trend continued throughout 2023. The National Conference of State Legislators reported that by September 2023, at least 25 states had considered comprehensive privacy laws during the previous nine months and eight had enacted them—Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas. Absent comprehensive privacy legislation at the federal level, more states can be expected to join that lineup in the near future, opening the door to more privacy-related enforcement and litigation against companies.

While these state laws are similar, there are some important differences. Many companies are likely to be subject to these laws in states where they don’t have facilities but do keep personal information about customers and have remote workers. “Suffice it to say, a lot of businesses are going to need multistate compliance, which adds a pretty significant layer of complication for those companies’ data-privacy programs,” says Welling.

The public and governments are increasingly focused on protecting personal data in general, and “there is a broad agreement on a nonpartisan basis that this is a priority,” says Welling. This is leading not only to new state privacy laws but also to increased regulatory scrutiny of data breaches. Data breach laws are essentially a specific type of privacy law. Thus, Welling says, “there is a natural progression to use the resources devoted to data breach enforcement for privacy enforcement as well. We are seeing a lot of state and federal regulators, who historically focused more on data breach laws, start to lean in on the comprehensive privacy laws.”