States Draw from Common Principles to Craft Comprehensive Privacy Legislation

Even the most optimistic observers are skeptical of the chances for a comprehensive federal privacy law. In the meantime, state legislatures are crafting comprehensive privacy bills designed to increase transparency and boost consumers’ control over their information. No fewer than 22 states have proposed some form of comprehensive privacy legislation. These proposals share many common themes, or principles, including those described below.

Right to Access/Know. This right empowers a consumer to request disclosure from a business the information the business has collected about that consumer. It may require a business to provide the raw data the business has about a consumer or categorical information about the data, including other parties to which it was shared.

Right of Deletion. As its name implies, this is the right for a consumer to request that a business delete their information. Often businesses have the option to apply various exemptions to an obligation to delete, and “delete” can mean erasure or obscuring the identity of the data subject in another way.

Right to Opt-Out. The right for a consumer to direct a business not to sell their personal information to other parties, whether for monetary, or in some bills, non-monetary consideration.

Right of Portability. This right coincides with the right to access/know. It obligates a business to provide the requested information in a form that is easily transferred from one entity to another. A consequence of that description, however, is that the requested information may not be in a form that is easily interpreted by the consumer requesting the information. For example, businesses can easily digest JSON files, but a consumer is unlikely to know how to read them.

Private Right of Action. Arguably the most controversial component to any privacy proposal, a private right of action (PRA) allows an aggrieved individual to sue a business directly. Most frequently a PRA is triggered only in the event of a data breach and not a violation of one of the consumers’ rights.

States are living up to their reputation as engines for legislative creativity and experimentation while drawing from common principles to protect privacy.

Mitchell S. Noordyke, Associate, Faegre Drinker Biddle & Reath LLP


Mitchell specializes in privacy and cybersecurity practices, protocols and compliance strategies. As a former fellow with the IAPP, Mitchell developed expertise on state privacy law developments.