Ken McConkey

The|Lawyer's|Blog

Corporate|Technology|Transactional

BLOGGER

Neither this Blog nor its contents constitute legal advice. Neither accessing nor reading this Blog creates an attorney/client relationship. The contents of this Blog are presented for general informational purposes only and should not be relied upon as a substitute for engaging a competent attorney. The information is presented "as is" without warranty of accuracy, completeness or timeliness. If you desire to determine if the information presented in this Blog applies to you or your specific circumstance, please schedule an appointment with me or other counsel of your choosing. The simple truth is that details matter and this Blog does not attempt to explore all possible situations, applications and exceptions. So do yourself a favor, if you find a topic interesting and are curious whether and how it applies, do your due diligence.

Linkedin
Facebook
The Data Privacy Hodge-Podge
Thirty-One U.S. states will have their own separate and unique data privacy laws in effect by early 2026 in the absence of an overarching federal data privacy law.
U.S. Data Privacy Lock
Ken McConkey
February 14, 2025
Data Privacy

On February 12, 2025 the U.S. House of Representatives Committee on Energy and Commerce announced the formation of a working group to explore creation of a framework for a comprehensive national data privacy bill. It seems Congress is catching a little heat from some business industry groups growing evermore concerned about the proliferation of state-specific data privacy laws. Will Congress put on their big boy/girl shorts and work together to pass a federal data privacy law that will preempt state data privacy laws and unify data privacy law across the nation? Looking back at my magic 8-ball again…”all signs point to probably NOT.” Congress has tried repeatedly over the last few years to hold hands and agree on some sort of privacy legislation, but failed to even get a bill to a full vote of their respective chambers. Most recently, just last June, a data privacy bill in the House Energy and Commerce Committee was scheduled for a markup session but was cancelled due to disagreement over its provisions. I’ll also note this year’s would-be data privacy law is being assigned to a working group of nine Republicans and ZERO Democrats; not exactly a bipartisan hug-it-out to get this done for the people kind of a start.

In the absence of any ability of the U.S. Congress to get their collective brains dreaming in the same direction to pass a cohesive national data privacy law that doesn’t leave companies pulling their hair out attempting to be aware of and comply with various state’s data privacy laws, the problem is growing more unmanageable. As of this post 19 states have passed some version of a comprehensive data privacy law in an effort to protect their citizens personal data (6 of the 19 states’ laws don’t go into effect until later this year or 2026). In addition, there are 12 more states that currently have data privacy laws either introduced or already in committee in this 2025 legislative session. So, by the beginning of 2026 businesses will be struggling to navigate 31 or more distinct state data privacy laws. How does that sound, business leaders?

Setting aside the 19 remaining states that, for whatever reason, do not yet have data privacy laws currently in process, this state-by-state solution is becoming a very large administrative burden on business. Before long we’ll all be telling jokes about the company’s army of data privacy specialists instead of its heard of accountants. Speaking of data privacy jokes, a little something from the Dad-Files, “Why doesn’t Cookie Monster have good internet privacy? Because he always accepts the cookies!” All my IT nerds out there are spitting Mountain Dew all over their monitors.

The take away? Although our federal legislators continue to talk about, getting around to, proposing, to do something about a nationwide data privacy law. I’m not holding my breath. And in the mean time the states are cranking out new state-specific data privacy laws by the bushel. So, if you are a business that deals with personal data for employees, contractors, customers, vendors, or any other human being who possesses personally identifiable information, you need to enlist the assistance of a data privacy attorney or other privacy professional to ensure your business is compliant with all data privacy laws applicable to it. Data privacy is not going away, and its only getting bigger and less likely to not apply to you.

Don’t think data privacy applies to you? Here is a fun fact for you. All data privacy laws define the processing of personal data. They might use a different word for “processing,” but it’s the same concept. I’ve participated in countless meetings with executives who assure me, neh, outright lecture me that the business is not processing personal data. All I do in response is read aloud the General Data Protection Regulation (“GDPR”) (fyi, GDPR is the mother and 500 lb. elephant in the room of data privacy laws) definition of “processing."

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- GDPR, Art. 4(2).

It is correct to say that there are many reasons why a particular data privacy law may not apply to your business. But one thing that almost all data privacy laws have in common is a very broad definition of what constitutes processing (or selling or sharing, or whatever a specific jurisdiction may call it). So, if you store, transmit, delete or view personal data, you likely qualify as having processed it.

Do yourself a favor, work with a data privacy attorney or other privacy professional to understand how your company’s data handling practices fit in with any and all applicable data privacy laws. If the professional you counsel with tells you data privacy doesn’t apply to you, then you can keep all the cookies too.

Conduct yourself accordingly!

🔖Tags: Congress Data Privacy Federal Law State Law
Share on Facebook
Share on Twitter
Share on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked *