What Florida And Washington Are Teaching Us About Privacy Legislation

What Florida And Washington Are Teaching Us About Privacy Legislation

Last week, two of the most prominent privacy bills in the country died, in large part over a debate about a private right of action. Here’s a rundown of the ongoing disagreement and how it could shape the trajectory of US privacy.

Taking Stock of State-Level Privacy Bills

Ever since March 2020, our collective sense of time has had its tenuous moments, to say the least. Working from home and not holding in-person events to mark special occasions, some days seem to fly by while others float in place. But time is indeed moving along; just look at how the privacy landscape has evolved. A little over two months ago, I was giving a summary of the growing number of state-level privacy bills coming down the pipeline. Today, the numbers still remain high, currently at eighteen. But behind the increased numbers, there’s an undeniable trend: in 2021, one state (Virginia) has passed a privacy regulation, while ten have failed. While each outcome depends on a web of political factors, the debate over a private right of action – the right for individual residents to sue a company for alleged privacy violations – has played a major role in fatally stalling two of the most prominent privacy bills of 2021: Florida’s and Washington’s. Understanding and resolving this debate are essential steps toward successful privacy legislation in the US, at the state and federal levels.

Understanding Florida And Washington’s Privacy Hurdles

Most recently, the Florida Privacy Protection Act (FPPA) skidded to a halt on April 30, after a wild ride in the legislature this spring. The House and Senate versions of the bill had been diverging from one another for weeks, with the Senate stripping away provisions like a private right of action. On the other hand, the House overwhelmingly supported a version with this right. The legislation was on a collision course that culminated on the very last day of Florida’s legislative session: Florida’s House, having just received the Senate version, refused to even consider the bill because it lacked a private right of action.

While Florida’s privacy legislation only emerged this year, Washington attempted to enact a privacy regulation for the third consecutive year, and the Washington Privacy Act (WPA) failed in late April. Throughout its attempts the debate over a private right of action has prompted unsuccessful tries at compromising between privacy advocates and business lobbyists.

Unpacking a Private Right Of Action: An American Phenomenon?

While it’s not encoded across all privacy legislation, a private right of action has gained a particular foothold in American privacy discussions. Indeed, it is less prominent in the EU, which has been setting the digital agenda. On an ideological level, the idea of a modest individual leveling a lawsuit against Big Tech has a populist appeal that aligns with politicians and communities feeling fed up with powerful tech companies. As red Florida and blue Washington demonstrate, support for a private right of action is not specific to one political party. But a private right of action is often framed as inherently unfriendly to businesses, and this tension is proving fatal for privacy legislation.

Cases For And Against A Private Right Of Action

Proponents of a private right of action point out that without it, enforcement is left to an office like that of the state’s attorney general. As a result, a company’s privacy violations only receive their due enforcement according to one enforcer. A private right of action is seen as a linchpin in modern privacy, giving actual teeth to regulations. The private right of action could enable a greater number of cases to be considered. Beyond a greater volume of cases, more diverse types of cases might be brought forth. To quote Kyle Dull, former Florida Assistant Attorney General:

With the private right of action there, if the consumer thinks there is an issue, then they can always file their own lawsuit. And sometimes those cases end up resolving major issues.

Opponents claim that a private right of action would overwhelm regulators, and the influx of lawsuits would actually weaken the law. They also argue that large class-action suits made possible by this right only benefit attorneys with legal fees, rather than the victims of a privacy violation. Finally, a private right of action raises alarms among businesses that their ability to innovate would be stifled by a constant fear of lawsuits. In the case of Florida’s bill, over 300 business lobbyists were involved in the legislative process to keep out provisions like a private right of action.

Graphic: The Florida House passed its version of the Florida Privacy Protection Act with a vote of 118 to 1. The version included a private right of action. Source: Florida House of Representatives, official site.

Existing Privacy Regulations and Their (Lack of a) Private Right Of Action

Because of the private right of action in the Biometric Information Privacy Act (BIPA), Illinois residents have been able to join class-action lawsuits with settlement figures in the hundreds of millions. The case shed new light on how the judicial system views modern privacy violations. Namely, the courts found that statutory privacy injuries are sufficient for litigation under BIPA. Regardless of one’s stance on a private right of action, this finding legitimizes a private right of action as a means to enforce privacy violations.

Proposed biometric privacy legislation in states like New York also include a private right of action, but it is less prevalent in broader consumer privacy legislation. While Virginia’s CDPA lacks a private right of action, California’s CCPA permits individuals to sue businesses under a specific set of security circumstances. Among current state-level privacy bills, a private right of action is included in only a minority of currently active bills. When it comes to broad consumer privacy legislation at the federal level, zero of three bills introduced in 2021 have included a private right of action.

Just this week, though, a US Senator – from Florida, it turns out – introduced privacy legislation with a right for individuals to sue companies for privacy violations. Importantly, this bill has a narrower scope in users’ data rights and in which companies must comply. As I write this, the bill’s full text is not even public yet. In the weeks to come, the reception of this bill will elevate this key issue from state legislatures into the national spotlight.

Spurring Regulation Into Action

Florida House members demonstrated last week that having no private right of action is a deal-breaker on consumer privacy legislation. Yet business interests are as present as ever in exerting force in the opposite direction. Another important factor also at play, and key to passing privacy bills at the state and federal levels, is time. For Florida and Washington’s bills, the nail in the coffin was that they ran out of time in the legislative session. At the state and federal levels, successful legislation could hinge on having the debate over a private right of action further upstream in the process, rather than keeping stances in silos until the very end.