The State of State Data Laws, Part 2: Consumer Data Privacy Legislation

Many states are not waiting for the federal government to take action on data privacy. California was the first to take matters into its own hands by passing the California Consumer Privacy Act (CCPA), which is set to go into effect in January 2020 and will become enforceable later that year. In their 2019 legislative sessions, Nevada and Maine also passed consumer data privacy legislation, and numerous other states have considered similar laws.

The first piece in this series discussed how states have created a patchwork of data breach notification laws as a next best alternative to a federal solution. However, another emerging patchwork of broader CCPA-like data regulations would introduce more problems and disruptions. Such an approach could fail to solve actual problems and instead could balkanize the internet and undermine many of the benefits of its borderless nature.

Most of the consumer privacy bills introduced so far are modeled after the CCPA. Yet, these proposals do not just copy and paste the text of the CCPA, and the differences are significant.

For example, Maine’s legislation only applies to internet service providers. Other state proposals have gone so far as to seek to regulate the collection of consumer data, but most only focus on the sale or breach of information, or outline what rights individuals have over their data.

Many of these state proposals reflect a shift from an American approach to technology regulation to a more European one. Traditionally, the US has taken a light-touch regulatory stance towards the internet, which largely fueled the Silicon Valley-led digital revolution. These new state laws look more like the EU’s General Data Protection Regulation (GDPR), which is typical of the precautionary European posture towards emerging technologies.

Compliance with stringent data requirements is costly for large firms. But for small companies, these regulatory requirements can further hamper their ability to compete and can keep new competitors out.

For example, an economic study found that in the aftermath of the GDPR, venture funding decreased for small and micro companies. This lower investment level likely cost thousands of jobs as well as the potential benefits of innovation.

Following GDPR, small advertising players saw their market share shrink. By shrinking the number of competitors and making it more difficult for new entrants, strict regulation can further enshrine the market power of large players while emerging players struggle to comply or choose to exit the market. Recently, a study by Daniel Castro and Alan McQuinn estimated that imposing a restrictive federal data privacy policy similar to the GDPR or CCPA would cost the US economy $122 billion per year.

The compliance burden of many of these policies would not be limited to tech companies. The CCPA, for example, would apply to many brick-and-mortar business practices such as letting diners make restaurant reservations online due to its definition of household information and data storage.

A state-by-state approach to top-down data regulations would likely impose similar costs and consequences as the GDPR, but in an even more complicated way.

As Federal Trade Commission (FTC) commissioner Christine S. Wilson pointed out in a May 2019 congressional testimony, state laws could not only create a patchwork with different requirements, but requirements could be so contradictory that it would be impossible to comply with every state. In some situations, state laws could stifle innovation by making it impossible for the same technology to operate in all 50 states, or by requiring costly state-specific versions that may or may not be interoperable with one another.

This concern is already starting to be realized. For example, the Maine law has an opt-in framework while California and Nevada are opt-out. These laws have different defaults for consumers, meaning that innovators would have to develop different systems to be able to operate in all states. (For a more in-depth discussion of the problem with opt-in frameworks, see Will Rinehart’s piece on this issue.)

Not only could these laws create a patchwork that might limit innovation, state laws might be constitutionally problematic. As I discussed with my colleagues Adam Thierer, Andrea O’Sullivan, and Chris Koopman in comments to the FTC on information harms, broad definitions of harm can create friction between privacy and First Amendment-protected speech. This can occur no matter what level of government implements policies. Informational harm cases should be carefully limited, and the resulting policies as narrowly tailored as possible.

In some cases, privacy regulations risk either favoring privacy over the speech of another individual or regulating the speech inherent in decisions about what information to carry. The potential impact on First Amendment protected speech should be a consideration in any data privacy regulation, whether at a state or federal level.

State and local level data privacy regulations also raise unique constitutional concerns when it comes to the potential disruption of interstate commerce. State data privacy laws like the CCPA could violate the dormant commerce clause by requiring changes to the system for out-of-state platforms, content creators, and businesses, which places an undue burden on commerce conducted or created by these entities.

The breadth of many of these laws will likely result in regulating the data collection standards for consumers and businesses beyond their borders, either for the ease of compliance or because of the definition of “covered entity.” While federal laws would still have to interact and compete with a global regulatory marketplace, they would not raise the same constitutional concerns when it comes to the regulation of interstate commerce.

The CCPA and other potential state laws are driving much of the debate around a possible federal data privacy law. As the effective dates of those laws approach, the concerns about potential disruption grow.

A patchwork of different data policies could create a quagmire that deters innovation and services both within and beyond state borders. These spillover effects are more likely to be seen in broader-reaching approaches, such as the CCPA. While often well-intentioned, the borderless nature of the internet means state regulations could be counterproductive when it comes to achieving a goal of a better data environment.

In the next section of this series, I will examine some of the ways states are dealing with privacy issues for specific technologies like biometrics.

Photo credit: Justin Sullivan/Getty Images