Good morning, Chair Kristin Phillips-Hill, Minority Chair Timothy Kearney, and distinguished members of the Communications & Technology Committee.
My name is Jennifer Huddleston and I am a research fellow with the Mercatus Center at George Mason University, where my research focuses on the intersection of law and technology, including issues related to data privacy and protection. Thank you for the opportunity to submit this statement today regarding potential considerations for policymakers regarding data privacy and protection at the state level.
In this statement I focus on three key points:
- The current landscape of data protection policy, including how the less regulatory approach has enabled innovation and existing privacy regulations for more sensitive types of data
- The potential problems arising from state-level actions regarding the regulation of data privacy, including the creation of a disruptive patchwork and potential constitutional concerns
- Ways in which states can be a leader in data privacy while avoiding these potential pitfalls, such as clarifying warrant requirements for access to electronic data
The Current Landscape of Data Privacy
The past 18 months have seen increased discussions from policymakers at all levels regarding issues related to data protection and privacy. Much of this conversation has been driven by both the enactment of new regulations, such as the European Union’s General Data Protection Rule (GDPR) and California’s Consumer Privacy Act (CCPA), which establish many more requirements for the use and collection of data, and headlines related to various data breaches and concerns about the use of data such as the Cambridge Analytica incident. While this increases the sense of urgency for policymakers at all levels to consider data protection legislation, the potential consequences of changes to the traditional American approach to data privacy and protection need to be carefully considered as well.
In general, the United States has approached the regulation of information technology from a “permissionless” framework that presumes a technology should be allowed free of regulatory intervention except in cases where there is a high probability of tangible, potentially irreversible or catastrophic harm. This approach is in contrast to the “precautionary” approach taken by many European countries that requires technology innovators to show that potential negative consequences, even if unlikely, have been fully considered and avoided before the innovation is allowed on the market. The results of these different policy approaches is apparent when examining the fact that most of the current tech giants have emerged from the United States, while few of the most innovative companies are found in Europe and other more regulated regions.
When it comes to data privacy, the United States is not necessarily the Wild West it is portrayed to be. In fact, many of the already-considered most sensitive areas of data such as healthcare and financial information are already subject to industry-specific regulations at a federal level. Similarly, many concerns about privacy are actually concerns about data security or data breach. While the current 50-state data breach notification patchwork is not ideal and illustrates some potential consequences of a state-by-state approach, it does insure that affected consumers in each state should receive some form of notification if the covered data is compromised.
Over the past year, there have been many proposals for federal data privacy legislation and many Congressional hearings on the issue, yet no specific proposal seems to have gained sufficient traction to become law. In the perceived void, some states, including California, Maine, and Nevada have chosen to pass their own legislation to address what they perceive as a pressing problem. Yet such an approach is far from a second-best solution and may create far more problems than it solves.
Problems with a State-Level Approach to Data Privacy Regulation
States have been leaders in many areas of technology policy and provided an important laboratory of democracy for different approaches to regulation. For example, Pennsylvania has an innovative approach to autonomous vehicle governance that allows it to be a leader in the field. However, when it comes to issues surrounding data privacy, state actions could result in creating a disruptive regulatory patchwork that could undermine future innovation. Even if there were no concerns about the content of such regulations, state data privacy laws could be found unconstitutional.
State laws on data privacy could face three constitutional concerns. First, since data rarely obey borders and a single transaction can involve multiple states, state data privacy laws are likely to have significant out-of-state effects. Therefore, it is possible that these laws could be found unconstitutional under the Dormant Commerce Clause, given the potential burdens on out-of-state consumers and firms with minimal measurable benefits for states’ interests. The courts, when considering potential Dormant Commerce Clause violations, will first look if the law is directly discriminatory against out-of-state actors; but even when it is not, the courts will examine whether it might indirectly discriminate against those actors and whether the burdens on such actors are disproportionate to the purported in-state benefits. For example, in Bibb v. Navajo Freight Lines, the Supreme Court struck down as unconstitutional under the Dormant Commerce Clause a state law specifying a type of mudflap on trucks. The law could have resulted in truck drivers not being able to comply with laws in all 50 states and having to change their mudflaps at each border. It would be even more difficult for today’s online commerce and the data associated with it to stop at state borders. Additional constitutional concerns could also arise from state data privacy laws. For example, conflicts with the existing federal data privacy laws in other regulated areas such as financial and health information could render supposedly comprehensive laws at least partially preempted in these areas. Additionally, regulations of data privacy at any level should carefully consider the potential impact on free expression from either deletion requirements or content-based distinctions in such regulations.
Even if such laws are found to be constitutional, there are significant concerns of the negative effects a patchwork could have on consumer choice and innovation. In some cases, companies may find it easiest to comply with the most restrictive regulations rather than create state-specific products, meaning consumers would be limited to the choices allowed under the most restrictive state’s regime. But in some cases these laws might contradict one another, thereby balkanizing the internet and preventing the same products from being offered in all 50 states. Not only would this result in consumers being unable to benefit from certain products, it could also create confusion regarding what rights individuals have and how companies should respond to certain requests.
While often well-intentioned, policymakers should also consider the other tradeoffs and costs that might be involved with a far more restrictive data regulation in the name of privacy. For example, the GDPR has resulted in decreased venture capital investment in small companies, making it more difficult for new players to emerge and even preventing the creation of new jobs by these companies. The compliance costs of the CCPA for in-state firms is expected to be $55 billion by the state’s own estimates and there is no doubt that at least some out-of-state firms will incur costs to comply as well. But beyond the costs, privacy regulations can also fail to solve the problems they intend to; they may create incentives to respond rapidly to requests rather than focus on other privacy- or security-related measures, and as a result such regulation could lead to loopholes that could be exploited and exacerbate concerns about privacy and security.
When it comes to broad consumer privacy legislation, states may not be the appropriate actors for regulation.
What States Might Consider Doing regarding Data Privacy
While broad consumer data privacy regulations might not be an appropriate use of state power because of the potential patchwork and spillover effects, states can consider other ways to be a leader on data protection issues. These actions, however, should be reserved only to those data transactions that can be considered wholly intrastate rather than interstate. This means that, largely, such actions will not be restraints on the consumers interactions with companies, but rather restraints on the government’s own use of data.
Some potential areas states might want to consider include clarifying the warrant requirements for access to electronic data. Last year, Utah became a leader by establishing warrant requirements for police access to electronic information, effectively ending the state’s use of the Third-Party Doctrine. The Third-Party Doctrine, which allows government access to various information shared with third parties such as numbers dialed or interactions with a bank teller without a warrant, has already come under question at the federal level, and in 2018 the Supreme Court established that cell site location information requires a warrant for access rather than being accessible under this doctrine. The issue of when information has been sufficiently shared to waive a warrant requirement will be increasingly relevant for a variety of technologies, including wearable fitness trackers and connected transportation technologies. Forward-thinking states can establish clear guidance that protects civil liberties without stymying government and law enforcement. By clarifying guidelines on this issue, states can provide increased certainty to government actors, citizens, and innovative companies without the spillover effects associated with broad consumer data privacy laws.
Data privacy is likely to continue to be a topic of discussion in the coming years. Policymakers at all levels should consider the potential tradeoffs associated with broad regulation as well as the potential for a patchwork to create more problems with few solutions. While states have often been leaders when comes to technology policy, the broader issue of consumer data privacy may be beyond their constitutional role in the federalist system.