
Data v. Privacy


Eric Reagan

19 Laws and Counting . . . by way of The Brussels Effect

January 5, 2025 by Eric Reagan

2025 is kicking off with several new comprehensive state privacy laws taking effect – with Delaware, Iowa, Nebraska, New Hampshire and New Jersey’s laws all taking effect in January and a total of 19 state laws either in effect or counting down to their effective dates.

While many of these laws look and feel like copycats of other state laws that are already in effect, the real catalyst for each of these laws can be traced back to EU privacy regulation (with the 2018 effective date of GDPR being the biggest driver). This is the Brussels Effect at work and on full display in the US privacy patchwork. If you haven’t read Anu Bradford’s book The Brussels Effect and you work in privacy, it’s worth adding to your reading list this year. I read it a couple years ago and have looked at state privacy laws and industry lobbying differently since.

In the book, Bradford breaks down just how the EU drives privacy globally through both the de facto Brussels Effect (companies adopting practices that comply with EU privacy regulation on a global scale) and the de jure Brussels Effect (when jurisdictions outside the EU embrace GDPR-like comprehensive privacy laws). While The Brussels Effect is applied to other regulations in the book, the five key elements make privacy regulation a perfect storm for “unilateral regulatory globalization.”

  1. Market Power
  2. Regulatory Capacity
  3. Stringent Standards
  4. Inelastic Targets
  5. Non-Divisibility

Market Power

The EU’s population of roughly 450 million people makes up a substantial market force as global companies seek to offer their goods and services to this massive market. As a result, the regulatory power of the EU reaches broadly around the globe to impact the compliance and governance of US and other third countries’ firms. 

Regulatory Capacity and Stringent Standards

The EU’s “[r]egulatory capacity refers to [its] ability to promulgate and enforce regulations,” and is “often closely associated with . . . the propensity to promulgate stringent rules.” The capacity to regulate privacy by a relatively small regulatory body like the EU is bolstered by the delegation of GDPR enforcement to EU member states. The preference for stronger privacy rights stems from the EU’s desire to treat privacy as a human right and offer stringent protections for its citizens through regulation. See The Brussels Effect at 41 (quoting Commission President Jean-Claude Juncker, “I will not sacrifice Europe’s safety, health, social and data protection standards . . . on the altar of free trade.”)

Inelastic Targets

Bradford’s inelastic target, as it relates to privacy law regulation, is demonstrated through “[t]he inelastic nature of consumer markets[, which] does not leave producers with a choice regarding the jurisdiction; they cannot ‘shop’ for favorable regulations without losing access to the regulated market.” The Brussels Effect at 48.

Non-Divisibility

Finally, the non-divisibility of global privacy regulation is demonstrated by the inefficiency of embedding data protection tools, technology, and processes for different jurisdictions on a global scale. Of course, there are situations where tech companies use local cloud environments for EU data subjects; however, it’s harder to scale product features and teams across the entire tech stack than it is to embrace a data protection scheme that works across the globe. Additional fallout from that non-divisibility encourages global firms to lobby for consistent regulations that will impact local competition in the US and other third countries.

19 Laws and Counting

While California was a bit of a wildcard from a lobbying and drafting perspective, industry has continued to lean in to influence everything from the failed Washington Privacy Act, which was reborn in Virginia, to every other state along the way, pushing for a thematically consistent GDPR-lite framework with a regulatory lineage back to Brussels.

The European Union recently updated its privacy law through the passage and implementation of the general data protection regulation, affording its residents the strongest privacy protections in the world. Washington residents deserve to enjoy the same level of robust privacy safeguards.

– from Legislative Findings in the failed Washington Privacy Act (S. 5376, 66th Leg., 2019 Reg. Sess. (Wa. 2019)).

The Brussels Effect is full steam ahead in the US privacy landscape and we’re sure to see more state privacy laws passed in 2025. And buckle up for the upcoming deluge of AI regulation to accompany the privacy patchwork – brought to you by The Brussels Effect!


Tennessee Information Protection Act Passes House on a 90-0 Vote

April 10, 2023 by Eric Reagan

The Tennessee Information Protection Act (TIPA) passed the House (HB1181) today on a 90-0 vote. The TIPA version that passed (virtually the same as the previously-discussed amended Senate bill) looks to be the most business-friendly state privacy law to date.

SB0073 is scheduled for a vote in the Senate later this week and is also expected to pass easily. As a result, it’s likely that Tennessee will be the next state with a privacy law within the next week or so.

A quick summary of TIPA:

  • Effective July 1, 2025
  • Applies to businesses that have $25M+ in annual revenue AND process the personal info of at least (1) 175,000 consumers; or (2) 25,000 consumers if they derive 50% of their revenue from the sale of personal data.
  • Consumer does not include a person acting in a commercial/employment context
  • Sale of personal info requires “monetary” consideration
  • Personal information is “information that is linked or reasonably linkable to an identified or identifiable natural person” and excludes publicly available or de-identified consumer data
  • Consumer rights include:
    • Right to know
    • Right to access
    • Right to correct
    • Right to delete
    • Right to portability
    • Right to opt-out of sale, profiling, and targeted ads
  • Data controller responsibilities include:
    • Transparency requirement
    • Purpose limitation requirement
    • Secondary use prohibition
    • Data security requirement
    • Nondiscrimination policy
    • Sensitive data additional consent
  • Privacy Notice must include:
    • The categories of personal information processed by the controller
    • The purpose for processing personal information
    • How consumers may exercise their consumer rights
    • The categories of personal information that the controller sells to third parties
    • The categories of third parties, if any, to whom the controller sells personal information
    • The right to opt out of the sale of personal information to third parties and the ability to request deletion or correction of certain personal information.
  • Time to Respond to DSAR = 45 days + 45 additional days “when reasonably necessary”
  • Consumer has right to appeal with 60-day response required
  • No private right of action
  • TN Attorney General has sole enforcement authority
  • Up to $7500 fine per violation
  • Businesses have 60-day cure period
  • Data Processing Agreements must include:
    • Processing instructions
    • Nature and purpose of processing
    • Type of data subject to processing
    • Duration of processing
    • Rights and obligations of both parties
    • Duty of confidentiality with respect to the data
    • Processor duty to delete or return data at controller’s request
    • Assist with compliance obligations of controller for data in processor’s possession
    • Flowdown of processor requirements to its subcontractors
  • Data Protection Assessments required when:
    • Processing for targeted advertising
    • Sale of personal information
    • Profiling, when there is a risk of:
      • unfair or deceptive treatment / unlawful disparate impact
      • financial, physical, or reputational injury
      • invasion of privacy
      • other substantial injury
    • Sensitive data processing
    • Any processing with a heightened risk of harm
  • Affirmative defense for businesses with a privacy program that reasonably conforms to NIST Privacy Framework or other documented policies, standards, and procedures designed to safeguard privacy


Tennessee Information Protection Act (TIPA) Amended Bill Headed to Senate Floor

March 26, 2023 by Eric Reagan

Last week, the Tennessee Senate Commerce and Labor Committee recommended the Tennessee Information Protection Act for passage with amendments as it sent the bill (SB0073) to the floor.

There have been substantial amendments to the bill since its introduction in January and entire sections have been rewritten. Many of the changes were directed at cleaning up confusing or ambiguous phrasings and the overall changes have been more business-friendly. The effective date was also pushed from July 1, 2024 to July 1, 2025.

Below, I hit the highlights but consider my prior post that covered the entire bill along with my comments and criticisms on particular sections.


Tennessee Information Protection Act (TIPA) Introduced in 2023 State Legislature

March 5, 2023 by Eric Reagan

The Tennessee Information Protection Act (TIPA) was introduced for the session in January 2023 as companion bills in both the Senate (SB73) and the House (HB1181). As of this writing, it has been referred to committee in both the House and Senate. Last year’s version of the TIPA failed to make it out of committee in either chamber. Reports suggested that concerns about small and medium business impact, along with compliance costs, were the key problems with the 2022 version.

The bill amends Title 47, Chapter 18, of the Tennessee Code Annotated with an entirely new part 32 for the TIPA. Chapter 18 is where the consumer protection parts are located – with part 1 devoted to the Tennessee Consumer Protection Act.

If the TIPA happens to pass this session, the current effective date would be July 1, 2024.


Colorado Privacy Act Adds Another Log to the US Privacy Legislation Campfire

November 30, 2021 by Eric Reagan

Governor Jared Polis signed the Colorado Privacy Act (CPA) as SB 190 into law on July 7, 2021. It goes into effect on July 1, 2023.

With the CPA, Colorado becomes the third state to enact comprehensive privacy legislation. We’re starting to see trends form as state legislatures have success in passing these laws – limited/no private right of action is a common theme. In Colorado’s case, the CPA offers no private right of action.
