The latest US state to consider data privacy law with no right of action: Pennsylvania
The quilt of consumer privacy laws in the United States continues to unfold. This week, lawmakers for the state of Pennsylvania started discussions on their proposed Consumer Data Privacy Act.
More precisely, it would mandate that Pennsylvania businesses make the mechanism for that option. There would be no individual right of action for violations; people would have to petition the state’s attorney general to sue.
Residents would have the right to make businesses confirm that they are accessing or processing their data. Conceivably, that would be every business a consumer interacts with.
The businesses would be required to correct inaccuracies and provide a copy of the data in question.
Biometrics are explicitly included in the Pennsylvanian proposal’s definitions of personal and sensitive data, and excluded from “publicly available information.”
Businesses in the U.S. have for several years bemoaned the possibility of multiple state governments passing their own unique laws regarding privacy. That is exactly what has happened in the absence of federal legislation.
The proposed American Data Privacy and Protection Act (H.R. 8152) would pre-empt the California Consumer Privacy Act, or CCPA, and another privacy act-in-waiting because they conflict with American Data Privacy provisions. That is to say, they hold organizations to a higher standard in terms of consent for collection and management of people’s personal information.
The best-known law is the state of Illinois’ Biometric Information Privacy Act. It requires businesses to get a resident’s consent before gathering or otherwise receiving biometric data. Companies also have to tell people who their data will be managed. Many momentous pro-privacy decisions have resulted from the law.
A chart showing state law and bills compiled by the International Association of Privacy Professionals, shows that 11 states have comprehensive consumer privacy laws. Illinois is not among the 11 because BIPA is not a comprehensive law.