Regulators, Executives, Consumer Advocates Agree on Need for Data Privacy Standard

AFSA this week attended the US Chamber of Commerce’s Data Done Right Conference, where elected officials, chief regulators, business executives, and leaders of consumer privacy groups spoke about the state of data privacy today and the need for a national data privacy law to avoid a patchwork of state laws. Data privacy was thrust into the forefront of the national policy debate last year after the California legislature passed the California Consumer Privacy Act (CCPA), the nation’s first broad consumer privacy law. The CCPA gave the state Attorney General authority to promulgate rules on the CCPA. As part of the rulemaking process, the Attorney General took comments from interested parties and hosted multiple public forums about the law in the spring. AFSA's State Government Affairs team attended hearings in Los Angeles and Riverside and submitted comments detailing the association's concerns with the law.

Over this legislative season, numerous states introduced more than 30 bills that would institute broad measures similar to the CCPA. Thus far, only Maine and Nevada have passed new consumer privacy laws, both of which are more limited in scope than the CCPA.

There has also been momentum to pass a national data privacy law, which would avert a “patchwork” of state-level laws in which each state would have its own data privacy standard. During the conference keynote, Californians for Consumer Privacy founder and chief architect of the CCPA Alastair MacTaggart opposed any clause that would allow a federal law to preempt state laws like the CCPA. He noted that any national data privacy law should represent only a “floor” for privacy, one that would allow states to institute additional protections. Representatives of the business community overwhelmingly supported a single national standard in order to avert the major compliance issues posed by a patchwork system.

AFSA submitted a letter to the Federal Trade Commission on June 30 on the necessity for a "single, federal, risk-based standard" for data privacy.