Managing Expectations: The Role of Exemptions in State Data Privacy Laws
Nicola Haubold, J.Y. Khoo / May 19, 2025
The Mountain West state of Colorado, home to the snow-capped Rocky Mountains, boasts some of the most iconic ski resorts in the world. From Vail to Aspen to Breckenridge, Colorado’s outdoor recreation industry contributes $17.2B to the state’s GDP, and its ski industry is the largest in the nation.
You might ask: what does this have to do with data privacy laws? SB-41, which amends the Colorado Privacy Act (CPA) by providing further protections for minors, contains a unique exemption for “ski area operators.” While SB-41 requires controllers—defined as persons that “determine the purpose for and means of processing personal data”—to obtain consent when collecting a minor’s precise geolocation data, it explicitly clarifies that this requirement “does not apply to any service or application that is used by and under the direction of a ski area operator.”
This exemption may be specific to Colorado and protective of one of the state’s largest industries, but it is not the only exemption in Colorado’s data privacy legislation. In fact, the CPA itself has seventeen blanket exemptions, including exemptions for air carriers, employment records, data maintained by state institutions of higher education, and customer data maintained by public utilities. The CPA also limits the obligations imposed on data controllers and processors, and clarifies that the law does not apply in situations where a controller or processor has to comply with federal, state, or local laws; cooperate with law enforcement agencies; conduct internal research; respond to security threats; or identify and repair technical errors that affect a service’s functionality.
This laundry list of exemptions does not make Colorado an outlier in the data privacy space. To the frustration of privacy advocates, many—if not all—“comprehensive” state privacy laws in the US contain entity-level or data-level exemptions that limit the scope of data privacy protections. For example, both Connecticut and Virginia have passed data privacy laws that exempt government bodies, nonprofit organizations, and institutions of higher education from compliance. Further, most states also provide exemptions for data or entities that are covered by existing federal laws, like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and HIPAA.
This multitude of exemptions found within “comprehensive” state data privacy laws poses a number of challenges to the applicability of these laws. Practically, because exemptions are not uniform across all state laws, this patchwork creates a recognizable burden for regulated parties that may need to adjust their business practices on a state-by-state basis in order to remain compliant with the law.
Further, many of these sometimes arbitrary exemptions—think back to the ski area operators—also weaken the scope and efficacy of state privacy laws. For example, exemptions for parties covered by existing federal laws may be more consequential than one might imagine. Given that most federal privacy laws cited in state legislation are antiquated, they offer narrower protections than those included in the statutes being passed today.
This implies that valuable user data, including financial data, may be less protected than other data categories where state privacy laws exempt data governed by federal financial data laws. To this end, it is important to question the purpose of some of these exemptions, especially given the fact that some federal privacy laws create only a statutory floor, not a ceiling, for state laws. The Gramm-Leach-Bliley Act, for instance, includes an anti-preemption provision, thereby allowing states to step in and create more demanding requirements for financial institutions where and when they see fit.
Against this backdrop, it is difficult to understand or accept the notion that state data privacy laws in the United States can be considered “comprehensive” and “broad-based.” The reality of these laws is important because the discourse around “comprehensive” state privacy laws may have a direct impact on consumers and technology companies alike. While consumers may be misled to believe that “comprehensive” state data privacy laws offer more protection than they actually do, technology companies may benefit from this misdirection. If the public perceives a state data privacy law as being “comprehensive,” it may be less likely to ask for greater protections. This acceptance of the status quo would benefit tech lobbying groups, who have historically sought to make weaker, more industry-friendly privacy laws the model for states nationwide.
With this in mind, privacy advocates should continue to push for stronger data privacy laws across the US, and continue to challenge the country’s current patchwork of “comprehensive” state data privacy laws, paying special attention to the ways that numerous exemptions may weaken consumers’ privacy rights, especially across state borders in the absence of a federal data privacy law. State legislators have undoubtedly made progress in pushing for greater data protection for their constituents, but their efforts should not end there. Revising the exemptions present in state data privacy laws, particularly where they may seem arbitrary and carve out protections for large industries, may serve as low-hanging fruit for regulators.
With changes like these, our comprehensive state privacy laws may begin to live up to the label.