The US is finally getting serious about privacy. After California passed its Consumer Privacy Act in 2018, Virginia (in February 2021) and Colorado (in June 2021) recently joined its ranks, passing their own Privacy Acts. Currently, four other states have active Bills, including New York and Massachusetts, with numerous other states’ Bills failing to pass over the past year but with further legislative attempts expected.

The Patchwork

1. California

The 2018 California Consumer Privacy Act (CCPA), most recently amended in 2020, was the first comprehensive state-based privacy framework in the US, and has influenced the Bills of many other states. It is currently the only privacy-specific regime in effect in the US, with Virginia’s and Colorado’s Privacy Acts set to become effective in 2023. Despite taking inspiration from the EU’s GDPR, privacy protections for consumers under the CCPA are generally not as broad as those provided by the GDPR. See our previous article covering key aspects of the CCPA: Why Australian businesses should care about the California Consumer Privacy Act

The CCPA focuses on providing consumers with transparency and control over their personal information. It defines ‘personal information’ broadly, and specifies items that are captured such as geolocation and biometric information.

Among other rights and obligations, the CCPA includes:

• rights of data rectification, deletion and portability – rights for consumers to delete, have corrected and move personal information held about them by businesses;
• right of restriction on data processing - if exercised, means that data may be stored but not processed without individual consent;
• right to reject automated individual decision-making – allows individuals to opt out of automated decision-making, and requires businesses to provide information about the logic involved in automated decision-making processes;
• private right of action – consumers whose personal information is subject to an unauthorised data breach can bring civil action to recover damages ranging from US$100 – US$750 per consumer or per incident or actual damages (whichever is greater);
• obligations in relation to notice and transparency – for example, businesses need to disclose categories of personal information they collect and provide notices explaining their privacy practices; and
• prohibition on discrimination – consumers must not be discriminated against for exercising their privacy rights.

Partly to ‘iron out’ unresolved issues with original law and in an effort to stem the flow of proposed amending legislation, a 52 page densely red-lined revision of the CCPA was put to Californian voters (California Proposition 24). The Proposition 24 amendments, which will come into effect in 2023, both strengthen and weaken the privacy protections of the CCPA. One of the big changes is to establish a privacy protection agency – the first dedicated privacy regulator in the US, responsible for implementing and enforcing the CCPA and Proposition 24.

Another big Proposition 24 change allows companies to charge more or alter their business experience depending on whether individuals choose to share their data with them. For example, a business may offer a loyalty card which gives discounts in exchange for a customer's contact information and spending habits. The American Civil Liberties Union, which opposed Proposition 24, characterised this as ‘pay for privacy’. Conversely, the CCPA now makes it illegal for websites to limit access for users who elect not to have their data tracked or sold — for instance, requiring users to turn off an ad blocker before they can read free news articles.

Websites have to provide prominent links to separate online forms which allow users to require that their personal information is not sold or shared or which allow users to place other limits on use of their personal information by the business itself.

An example where privacy advocates said Proposition 24 took the CCPA backwards is that a business will be able to refuse a request from a user to delete personal information where the information is “reasonably necessary to help ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes.”

Possibly the most striking thing about Proposition 24 was the level of public engagement on a set of dense legal issues. It was passed by the 6th highest majority ever received in California’s long history of referendums.

2. Virginia & Colorado

Virginia’s Consumer Data Protection Act, and Colorado’s Privacy Act generally include all of the rights of the CCPA, except the right of restriction and a private right of action. Both Acts include a right against automated-decision making, a provision seen in the GDPR, however not present nor proposed in Australia.

Colorado’s Privacy Act, which passed just last month, adds its own novel elements, like banning ‘dark patterns’, something also introduced in California’s 2020 amendment. Colorado’s Privacy Act is also the only regime that currently applies to non-profit entities as well as for-profit entities.

3. Key Focusses and Inconsistencies

The weight given to consumers’ privacy differs across states, as does the focus on obtaining consent to the collection and handling of personal information.

(a) Opt-in vs Opt-out

The CCPA adopts a strict opt-out approach. Entities may collect and sell personal information by default, with individuals having the right to opt-out of the sale of personal information, sharing for advertising purposes and the handling of sensitive information.

Some state Bills modelled on the CCPA take a more restrictive approach; while all allow opting out from the sale of personal information, many do not allow opting out of other instances of collection, or only allow opting out if information is used for targeted advertising (e.g. Florida’s failed Bill).

Colorado’s Privacy Act represents a hybrid approach, with the collection of ordinary personal information being subject to an opt-out approach while collection of ‘sensitive information’ (e.g. health information, religious beliefs, ethnicity) is opt-in. Similarly, in Texas’ failed Bill, ‘geolocation tracking’ was specifically included as a type of sensitive information for which consent must be opt-in, while other information is subject to an opt-out approach.

Other states such as New York and Massachusetts, have proposed a strict opt-in approach to consent for the collection of all types of personal information.

(b) 'Dark Patterns'

Unique to both Colorado’s Privacy Act and California’s CCPA (following the Proposition 24 amendment), is that organisations are explicitly banned from using ‘dark patterns’ in obtaining consent. See our previous article covering regulatory approaches to dark patterns - Regulators shine a light on dark patterns.

Dark patterns are elements of digital user interface that are ‘manipulative’; they are designed to take advantage of inherent psychological biases and lead users to unfairly give consent to information collection. Entities may do this, for example, by highlighting the ‘yes’ button while minimising ‘no’ or making it inconvenient to deny consent by requiring individuals to click through multiple pages.

In addressing ‘dark patterns’ explicitly, Colorado and California are leaders internationally, though manipulative practices in obtaining consent might be seen to invalidate ‘consent’ under the GDPR, which is required to be ‘freely given, informed and unambiguous’. Virginia’s Privacy Act has also adopted the GDPR’s broad definition of consent.

It is likely that explicit regulation of ‘dark patterns’ will become more prevalent throughout the US and globally; for example, New York’s proposed privacy Bill includes a similar prohibition on manipulative practices to obtain consent, and, in Australia, in 2020, the Office of the Australian Information Commissioner (OAIC) suggested explicitly regulating ‘dark patterns’ in its submission to the Privacy Act Review.

Why does this matter? 

As most privacy laws will apply to online transactions with residents in a state, the growing patchwork of US privacy regimes will be a concern to foreign online platforms and providers serving US customers, adding to the complexity of compliance.

With Australia’s privacy laws under review, we often look to the EU’s GDPR to see which way the ‘privacy wind is blowing’, particularly because the EU seems determined to make the GDPR the de facto global standard. However, a comparison of the similarities and differences in US privacy laws also tells us something about other approaches to privacy in an online world.

Authors: Meaghan Powell, India Monaghan, Rishabh Khanna and Peter Waters

Read more: US State Privacy Legislation Tracker