One of the central questions hanging over Florida’s last legislative session was whether lawmakers would pass a comprehensive data privacy bill that would grant consumers greater control over what data private companies hold on them and what they can do with it. The passage of a comprehensive data protection bill was widely seen as a top legislative priority for Governor Ron DeSantis and House Speaker Chris Sprowls. However, the bill’s failure highlights the continued and growing need for a federal data standard instead of the current fifty-state patchwork that harms consumers and businesses.
Opinion polling routinely shows that Americans are deeply concerned about data privacy. A 2019 study from Pew Research found that 79% of Americans were “at least somewhat concerned about how much data is collected about them by…companies.” The same study also found that 70% of Americans “feel their personal information is less secure than it was five years ago.”
These findings show that Americans feel current data protection standards fail to offer sufficient protection from increasingly active and sophisticated cybercriminals. The lack of confidence Americans display is exacerbated because data protections are determined by individual states, not the federal government. This state-driven approach has led to a ZIP code lottery where a state of residence determines levels of protection and created a regulatory environment that raises compliance costs for businesses operating in multiple states.
Had Florida’s proposed bills become law, they would have established a data protection environment similar to the one established by the California Consumer Privacy Act (CCPA). While CCPA offered robust protection to consumers, it came at the expense of companies that faced significant compliance burdens.
Under the proposed bills, HB969 and SB1734, Floridians would have been able to “demand a copy of personal information that a business collected about them,” request personal information be deleted, demand inaccurate information be corrected, and demand businesses disclose what consumer data private companies have sold. The proposals would also have allowed consumers “to opt-out – at any time – of the sale or sharing of personal information to third parties.” Disagreements between the House and Senate over private right of action and thresholds for compliance killed the bill.
The failure of comprehensive data protection legislation in Florida keeps the state among the 46 states with weak or non-existent data privacy laws.
The similarities between Florida’s data protection proposals and CCPA show that state legislatures can struggle to strike the appropriate balance between consumer data protection and not overburdening businesses operating within their borders. Additionally, the failure of 46 state legislatures to offer even a modicum of protections shows that they do not consider data protection a priority in the same way their residents do. In the absence of state action and sometimes overly punitive proposals, it’s time for the federal government to step in and establish a national data standard that would make up for the state-level deficiencies.
The principal benefit of a federal data privacy standard is that it would eradicate the ZIP code lottery for data protection that state inaction has left. While residents in Florida have only limited protections, residents of Virginia, California, Maine, and Nevada all enjoy significant control over what information private companies hold on them and how that information is used. Put simply, ZIP code should not determine the extent to which consumers’ data is protected and the amount of control they have over how their information is used.
A uniform national data standard would also create a friendlier regulatory environment for businesses operating in multiple states. According to the Washington Legal Foundation, inconsistent data protection laws create “operational inefficiencies and distort interstate markets for data, products, and services.” The absence of a federal data standard means that companies must expend labor and capital resources to ensure compliance with 50 laws. A single, comprehensive data standard would provide businesses the ability to operate in multiple states with confidence that they are complying with the law and are not likely to face litigation.
As cybercriminals become increasingly active, the number of Americans who feel their data is not sufficiently protected will undoubtedly grow. To correct for this and the lack of activity at the state level to protect consumers’ data, it’s time for Washington to step in and pass a federal data privacy standard. This will not only ensure an individual’s degree of data protection is not determined by their ZIP code, but it will provide certainty for companies doing business across state lines as they will not have to grapple with 50 different laws governing data privacy.