States Tighten Data Privacy Laws In Response to Evolving Digital Challenges

California’s landmark privacy legislation, the California Consumer Privacy Act (CCPA), which grants consumers the legal authority to instruct businesses not to sell their data, has entered a new phase of enforcement.

Spearheaded by the California Privacy Protection Agency (CPPA), the nation’s first dedicated privacy regulator, this recent development underscores the stringent nature of the law in safeguarding consumer privacy rights and holding businesses accountable for their data practices.

The CPPA recently issued its inaugural enforcement advisory, reaffirming the principle of data minimization at the heart of the CCPA. Specifically, it emphasizes the application of this principle to businesses’ handling of CCPA data subject requests, including the rights to deletion and opt-out.

“We intend for our Enforcement Advisories to promote voluntary compliance, but sometimes stronger medicine will be in order,” Michael S. Macko, the Agency’s Deputy Director of Enforcement, said in an April 2 announcement. “We won’t hesitate to act when necessary.”

Since its enactment in 2020, the CCPA has primarily been enforced by the California Attorney General (AG), Rob Bonta, with numerous investigative sweeps conducted last year targeting non-compliant mobile applications and ensuring employers adhere to the CCPA’s privacy standards concerning employee and job applicant information.

Prior to that in August 2022, Attorney General Bonta announced a $1.2 million dollar settlement with beauty giant Sephora, representing the first enforcement action officially announced under the CCPA.

More recently, attention has shifted to streaming services, reflecting the evolving landscape of consumer data protection. “From watching live sporting events to blockbuster movies, families increasingly use streaming platforms for entertainment, and we must make sure that their personal information is protected,” Attorney General Bonta said in January.

Following California’s lead, other states are also moving to enact and enforce their own data privacy laws. Notably, the Maryland Online Data Privacy Act, for instance, has passed both the Senate and House of Delegates and is awaiting the governor’s approval, PYMNTS recently reported.

Moreover, Attorney General Bonta has spearheaded a coalition of attorneys general urging Congress not to preempt stronger state privacy laws that adapt to evolving technology and data protection practices. This signals the potential for more states to assert their autonomy in shaping robust privacy frameworks tailored to their specific needs and concerns.

In a broader national context, efforts are underway to establish comprehensive data privacy protections through the American Privacy Rights Act (APRA). Announced on April 7, APRA aims to institute “clear, national data privacy rights and protections for Americans,” including curbing excessive data collection by companies, empowering consumers with greater control over their data, and imposing stricter measures against unauthorized data transfers.

These legislative initiatives reflect the growing recognition of the challenges posed by the connected economy, where every online interaction leaves a lasting digital footprint.

As such, the pursuit of robust data privacy regulation is becoming increasingly imperative to safeguard individuals’ privacy in an era of pervasive data collection and usage.