As more states introduce and consider their own data privacy bills, public support for Congress to pass a national standard is holding strong, with 83 percent of voters saying it should be a “top” or “important, but lower” congressional priority this year.
While Congress continues to punt on a conversation about a national framework, states have been taking matters into their own hands: at least 20 states have introduced their own privacy bills this calendar year alone, according to the International Association of Privacy Professionals, with Virginia becoming the second state after California to pass a law in March. And experts are watching longer legislative sessions in Florida, Colorado, Alaska, Connecticut and New York for any additional privacy laws this year.
State lawmakers are picking up on a growing appetite from constituents for any legislation putting rules on what data about them is collected, stored and used by companies. In the Morning Consult survey conducted April 16-19, the share of registered voters who said Congress should make passing this legislation a priority grew 4 percentage points since a December 2019 survey, the last time the question was asked. A year earlier, in November 2018, 78 percent of voters said the same.
And the push for Congress to prioritize a privacy bill claims bipartisan support: 86 percent of Democrats and 81 percent of Republicans said this should be a “top” or “important but lower” priority this year.
The survey, conducted among 1,992 registered voters, has a margin of error of 2 points.
Despite high bipartisan support among the public, conversations on Capitol Hill are still slow moving. So far this year, Rep. Suzan DelBene (D-Wash.) introduced the first comprehensive privacy bill of the current congressional session — the Information Transparency and Personal Data Control Act — in March, but aside from that, discussions have been relatively quiet. The last congressional hearing about the topic was in September.
When it comes to regulating data privacy, voters place similar amounts of responsibility on federal and state lawmakers, as well as federal regulators. While 72 percent of voters said Congress is either “very responsible” or “somewhat responsible” for regulating how companies collect, store and share personal information, 79 percent said the same for federal agencies and 75 percent for state governments.
Ever since the passage of the first state privacy law in California in 2018, more states have been pursuing their own options, said Pollyanna Sanderson, policy counsel at the Future of Privacy Forum.
Some pursue comprehensive bills, which face their own legislative hurdles such as partisan debates about enforcement styles or what the exact definition of personal data should be. Others are considered sectorial, meaning they just focus on a specific type of data, like Illinois’ law regulating collection of biometric information.
Most respondents in the Morning Consult survey said it was either “very” or “somewhat” important to protect the most precious identifiable information under any privacy law, including their Social Security number (89 percent), banking information (89 percent), biometric data (88 percent) and driver’s license number (88 percent).
In March, Virginia introduced a new model for states to follow that’s favored by industry players including Amazon.com Inc. and Microsoft Corp. The Markup reported earlier this month that 14 of the 20 states considering state privacy bills this year modeled theirs after the Virginia standard, which is considered weaker than California’s since it doesn’t give residents the ability to sue companies themselves for privacy violations and requires them to opt out of data collection, rather than opting in.
But some aren’t sure the two laws are enough to inspire Congress to put a federal standard higher on their list of priorities. Sanderson pointed to a blog post on IAPP’s website by Kirk Nahra, the co-chair of WilmerHale’s big data practice, predicting that it will take anywhere between three to five significant state privacy laws to put enough pressure on Congress for action.
As more states start to introduce their own bills, Sanderson said additional companies will start to push Congress to act so they don’t have to figure out how to comply with a patchwork of laws.
“It’s really in everyone’s interest to enact a uniform federal privacy law,” Sanderson said.