Page 8 - Delaware Lawyer - Spring 2020

 FEATURE
Alex Pearce
Time for a National Privacy Law?
Fragmented patchwork of state laws creates compliance issues
As 2019 comes to a close, organizations and their counsel have been investing time, energy and money into complying with the California Consumer Privacy Act of 2018, which is in effect the nation’s first comprehensive consumer privacy law.
That law imposes strict rules on the collection, use and disclosure of a broad range of personal information. It applies to organizations regardless of the sector in which they operate and can apply no matter where they are physically located. One study has concluded that the law will affect more than half a million U.S. companies.1 And compliance will be expensive: a government-commissioned economic impact analysis estimated that the total cost of initial compliance for businesses subject to its requirements, including legal, operational and technology costs, will be around $55 billion.2
Despite its nationwide impact, this law was not passed by Congress, and the rules it imposes were not set by, and will not be overseen by, any federal agency. Instead, the law is the creation of the California state legislature and will be enforced by the California Attorney General’s office.
The CCPA, as the law is commonly referred to, is part of an increasing trend of fragmented regulation of consumer privacy in the United States that shows no signs of abating. That general trend, and the CCPA in particular, have caused a diverse range of stakeholders to call for a uniform national privacy law. This article discusses the factors driving the discussion around such a law and examines one promising proposal for what it might look like.
The Current State: A Fragmented Patchwork
The CCPA’s extraterritorial impact notwithstanding, the United States lacks a comprehensive national privacy law. Historically, privacy has been regulated by federal and state laws that apply to the collection and sharing of personal information by organizations in certain sectors (e.g., health care, financial services, education) or to certain types of sensitive personal information (e.g., children’s personal information), and by state data-breach notification laws that require organizations to notify individuals and regulators when certain types of information are