Dec 9, 2019

State Data Privacy Laws May Well Be Unconstitutional

Constitutional constraints and the borderless nature of data make a federal approach more appealing
Jennifer Huddleston Former Research Fellow

While Congress continues to debate various data privacy proposals, some states are moving ahead with their own legislation. California, for instance, recently enacted the California Consumer Privacy Act (CCPA), which will go into effect on January 1, 2020. Meanwhile, other states have also either passed (Maine and Nevada) or are considering (Massachusetts and New York) their own data privacy laws.

Without some kind of coordinating mechanism across the nation, data privacy could be governed by a potentially messy patchwork of different state and local privacy laws. In addition, these state laws, like the CCPA, may not even be constitutional. Indeed, in a new paper for the Federalist Society’s Regulatory Transparency Project, TechFreedom’s Ian Adams and I argue that the CCPA and similar proposed state and local data privacy laws raise a number of serious constitutional concerns.

To begin with, these laws may unfairly burden consumers and businesses outside of the state that enacted them, thus likely making them unconstitutional under the legal doctrine known as the Dormant Commerce Clause, one element of which generally prohibits states from regulating interstate commerce.

There are also potential First Amendment problems. Courts have ruled that First Amendment speech guarantees, while not absolute, require governments that limit speech to show they have a compelling interest in doing so—a very high standard to meet. In this case, any new data protection regulations—whether federal, state, or local—could place content-based restrictions on free expression (for example, by treating data differently depending on how it’s being used). Other free speech issues could arise when laws, in the name of protecting someone’s privacy, require digital platforms to delete others’ content or make information less available, such as a European Union–style right to be forgotten.

Finally, these laws could run afoul of existing federal statutes that regulate privacy in areas such as financial information, healthcare records, and children’s data. Some federal laws allow states to add their own privacy requirements, but in doing so these state laws could still create conflicts that make it difficult (if not impossible) to comply with both federal and state statutes. If a requirement in a state law ends up conflicting with one in a federal statute, then the federal requirement generally applies. This is owing to the Constitution’s Supremacy Clause, which generally prioritizes federal over state law. As a result, those parts of state and local data privacy laws that conflict with federal statutes could be voided by courts, making them less comprehensive than they may initially appear.

In addition to these constitutional issues, state data privacy laws are also raising broader policy questions. For instance, the highly regulatory CCPA law is a dramatic shift away from what, up to this point, has been a very light, or “permissionless,” federal regulatory policy, which generally allows firms to innovate without seeking government approval.

Changing this permissionless regulatory landscape could have a huge impact on the ability of the United States to continue being the leader in many technology areas going forward. Indeed, one huge reason the United States is the leader in innovation and the birthplace of most existing digital technologies is because of its permissionless federal approach to technology regulation, which dates back to the early days of the internet. A shift to a more regulatory approach could lock in big existing players (larger companies such as Facebook or Google) who are better able to absorb regulatory costs while placing insurmountable burdens on smaller upstarts. Additionally, regulations could eliminate options that some consumers prefer in favor of a one-size-fits all approach.

Instead of a state patchwork approach, a national framework for data privacy protection is a far better and constitutionally appropriate solution. But a national policy needs to clearly define the harms it seeks to address and balance any potential benefits from privacy protection with possible harms in areas such as free speech and innovation.

In the absence of congressional action, it is likely that more states will continue to consider and enact their own laws like the CCPA and that courts may soon have to grapple with the constitutional questions associated with them. Much easier would be to act on the federal level because of the borderless nature of data and the need by businesses and consumers for regulatory uniformity.

Photo by David McNew/Getty Images

Support Mercatus

Your support allows us to continue bridging the gap between academic ideas and real-world policy solutions.Donate