With little chance of Congress passing a national regulation, states are beginning to enact their own data privacy protection plans for consumers.
California, Colorado and Virginia have passed laws that take effect in 2023, and an idea has been introduced in Washington.
Sponsored by Rep. Steve Elkins, DFL-Bloomington, the bill is “in that same mold” in how it would regulate the collection and treatment of personal data by private entities and provide individuals certain rights regarding such data.
“We’re doing our best to make sure businesses don’t end up with a 50-state hodgepodge of completely unrelated data privacy bills,” he said. “We are trying to create a common framework of as many states as possible.”
The preliminary Minnesota plan was heard on an informational basis Monday by the House Commerce Finance and Policy Committee.
“(Rep. Elkins) and I both thought it was a good time to get some public feedback and some discussion going about this bill as we look forward to the 2022 session,” said Rep. Zack Stephenson, DFL-Coon Rapids, the committee chair.
Elkins has pledged to work with concerned parties before members get back together in late January. “There’s no reason this should be a partisan bill,” he said.
As of now, the bill would, in part, provide consumers with rights to their personal data maintained by a private entity, including the rights to obtain a copy, correct inaccuracies, have data deleted, know whether their information has been sold and opt out of the sale of the data. Businesses would be required to provide a privacy notice regarding how personal data is collected and used.
“A company should not be collecting data about you that it does not need to do business with you or be using it for extraneous purposes that are not related to the reason you are doing business with that company,” Elkins said.
“This would be a major plus for consumers,” said Jim Halpert, who heads the U.S. Data Protection, Privacy and Security practice of DLA Piper. “I think there are, with little tweaks, ways to make this very workable for businesses without undermining protections for consumers.”
Enforcement would be handled by the Office of the Attorney General. A preliminary fiscal note shows a $378,000 cost in fiscal year 2023 and $278,000 annually thereafter.
For various reasons, including complexity, unknown business implementation costs, opt-in consent requirements and definitions of an applicable sale, some business representatives argue this bill in its entirety is not the solution.
“Compliance costs will continue to mount – hitting smaller and medium-sized businesses the most,” Tyler Diers, executive director of TechNet Midwest, wrote in a statement.
John Reynolds, director of energy, telecommunications and elections policy for the Minnesota Chamber of Commerce, said an estimate from the California attorney general’s office projected initial compliance costs in that state of $55 billion. “Despite significant costs to comply, early analysis from one data servicer in California shows pretty low consumer utilization,” he said.
Added Anton van Seventer, counsel to the State Privacy & Security Coalition: “It is important to understand that (private rights of action) for alleged privacy violations involve highly asymmetrical eDiscovery costs because they give rise to costly and disruptive eDiscovery into business’s data operations. … A plaintiff lawyer could easily allege a knowing violation of a complex privacy right with the bad faith purpose of extracting a settlement from a defendant forced to settle in order to avoid an expensive and disruptive eDiscovery.”