Are States the Appropriate Policy Playground When It Comes to Privacy?

By: Jennifer Huddleston / 2019

Each day headlines seem to tell a new scary story about something that has gone awry in the world of data privacy. In response to the growing number of concerned voices, states from Washington to Mississippi have considered data privacy legislation. Even some cities, such as Chicago, have proposed their own regulations for data privacy. While states can be leaders for new policy solutions when it comes to disruptive technologies, the potential consequences of a privacy patchwork could show the negative side of federalism.

Why Are States Regulating Data Privacy?

Much of the impetus behind state and local actions stems from the lack of a federal privacy law. In some other areas of technology, states have had a positive impact in filling the gap left by federal inaction. However, a patchwork of state privacy laws would create a complicated compliance conundrum that could deter online innovation. While several policy proposals have been introduced in Congress, none has yet emerged as a likely legislative solution.

Most states are following existing models like Europe’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). The plethora of potential problems associated with the CCPA has been discussed by many scholars and industry groups. A growing number of states passing similar but unique laws would only increase the number of costly compliance steps companies would have to take. Such laws apply not only to tech giants but also to new startups or the online presence of certain existing small businesses. It is far more difficult to compete and create more innovative alternatives when instead resources must be devoted to ensuring compliance with 50 or more different standards.

Would State Data Privacy Laws Be Found Constitutional?

Even if states pass these laws, there are strong cases that they are unconstitutional. The Internet is remarkably beneficial as a tool for commerce and information sharing. As a result, there are concerns that state data privacy laws could be found unconstitutional either on the basis of the Dormant Commerce Clause or First Amendment Free Speech grounds.

The Dormant Commerce Clause finds state laws unconstitutional when the law either explicitly discriminates against out-of-state commerce or when the court finds the burden imposed on interstate commerce clearly outweighs the claimed local benefits. While the details of such concerns deserve much more significant discussion than this blog post, these laws would impose clear burdens for compliance on companies both in and out of the states. In some cases, companies may even avoid doing business in a certain state. Meanwhile, the additional benefits of state-level data privacy laws often seem minimal, especially given existing consumer protection laws.

Such laws also risk silencing legitimate speech and could face a First Amendment challenge. Whether it is Mommy bloggers whose kids don’t want to be talked about any more or overly aggressive and often illegitimate copyright claims, attempts to regulate the Internet quickly can brush up against speech rights. One great benefit of the internet is how it has allowed anyone to express an opinion and connect with others. Given the extent to which America holds Free Speech in such high esteem, we should cautiously consider the potential balance between First Amendment rights and privacy.

What could states consider doing instead?

Given the pitfalls of state data privacy regulations and the possibility that such laws could be found unconstitutional, what other options might well-intentioned policymakers consider?

One option would be to increase education around data security and privacy options. This would include both education on best practices for protecting individual information and what to do if you’ve been notified of a data breach. Ideally, such education would also include information on existing options available if you wish to protect privacy, such as opt outs and changing your privacy settings.

Another thought is to take a step back to truly consider the concerns underlying the problem and examine what tools already exist to address those concerns. For example, are consumers being misled or deceived about how their data is being used or what data is being collected? Can prosecutors use existing tools to go after those who engage in harmful behavior and harassment? Rather than assuming the answer is always more regulation, in many cases remedies may already be available and could address consumer concerns without placing a greater burden on innovation. In some cases these remedies may require updates or clarity, but policymakers should consider whether existing tools could adequately address bad actors rather than passing burdensome new regulations that may hinder the development of the next great thing.

It is clear that state and local governments intend the best in the absence of federal action on data privacy. But, it could be that rather than fixing a gap, they are creating a far messier solution with potential for damaging innovation and consumer choice.

Jennifer Huddleston is a research fellow at the Mercatus Center at George Mason University.