As people’s lives increasingly take place in the digital realm, concern is growing about how private companies and government entities store and use sensitive data. These anxieties have led to demands that state legislatures pass data privacy laws. In 2021, Morning Consult found that 86% of Democrats and 81% of Republicans believe passing a federal data privacy standard should be a priority for Congress.
Speaker Nancy Pelosi refused to bring the American Data Privacy and Protection Act (ADPPA) to the House floor because it did “not guarantee the same essential consumer protections” as California’s Consumer Privacy Act (CCPA), a new and, in our view, harmful data privacy law. That is the main problem with the federal bill: the ADPPA would not solve the developing state patchwork because it acts only as a floor of minimum required regulations, above which states can add their own. The CCPA is exactly such a case, with state regulations heavier than the proposed federal standard. A federal standard should instead act as a ceiling, and it should not be as extensive as the CCPA.
In the Senate, the bill faced an equally hostile reception, with Senator Maria Cantwell (D-WA), chair of the powerful Commerce Committee, refusing to hold a hearing because of her concerns about enforcement gaps. The ADPPA would also require annual algorithmic impact assessments, which would create recurring compliance costs for firms and require considerable federal resources to enforce. These enforcement difficulties suggest that government may not be in the best position to regulate something as dynamic and technical as algorithmic decision making.
This raises the question of whether a data privacy law is needed at all. If one is, it should ideally be a bill that addresses all of these issues and creates a reasonable national data privacy standard that solves the patchwork problem. Without such a standard, states may feel compelled to address privacy concerns themselves, and they should be aware of the pitfalls to avoid.
Since the CCPA took effect in 2020, four other states – Colorado, Connecticut, Utah, and Virginia – have enacted privacy laws. A regulatory system in which data laws vary from state to state is the least efficient arrangement for the economy: businesses have online presences, and more and more of them operate in all 50 states. The cost of compliance in such an environment stifles competition, because only businesses with sufficient capital can comply while smaller upstarts cannot.
For several years, it looked as though Florida would join the growing number of states and pass a data privacy law. Although Governor DeSantis supported a bill, the state legislature was split over a private right of action, which would have granted Floridians the right to sue and receive financial compensation for violations. With a new legislative session approaching, it is time to consider what a Florida data privacy bill should look like, especially if lawmakers want to avoid the mistakes of the CCPA and Europe’s General Data Protection Regulation (GDPR).
The most serious mistake to avoid is a private right of action. On the surface, allowing individuals to sue violators may seem like a way to hold firms accountable, but the reality is much different. Even laws that govern more sensitive personal information, such as the Health Insurance Portability and Accountability Act (HIPAA), do not include a private right of action. Other laws, such as the Americans with Disabilities Act (ADA), do include one, but it has been significantly curtailed to reduce the number of “serial” cases abusing the statute. If Florida passes a data privacy law with a private right of action, it will inevitably feed a cottage industry of frivolous lawsuits that trap businesses in litigation cycles, suppressing innovation and raising costs.
Overly burdensome data privacy regulations also stifle innovation. For example, one study of the Fair Credit Reporting Act (FCRA), which regulates how credit bureaus manage consumer data, argues that data privacy requirements have made the industry so tightly regulated and costly that innovation has stagnated and new entrants cannot enter the market. It is likely that only large, resource-rich firms will retain the ability to comply with complex laws like those governing data privacy. Evidence from the EU may support this claim.
Two months after the EU implemented the GDPR, 30% of US news sites were blocking EU visitors rather than complying. Another study of 6,286 EU websites found a roughly 10 percent reduction in internet traffic, amounting to millions of dollars in lost revenue. The same study found that the GDPR’s rules hurt smaller websites (a 10-21% drop) more than larger ones (a 2-9% drop), suggesting that, as with credit reporting regulation, data privacy regulation may entrench today’s large websites and deter new entrants.
Policymakers should also recognize that many of the consumer “rights” commonly included in data privacy bills eventually become regulations that negatively affect consumers. For example, the right to “opt out” of the sale and sharing of data becomes a prescription for how websites earn revenue and handle data.
Websites share consumer data with advertisers and data processing companies to generate revenue. Allowing users to opt out of this transaction, the primary source of revenue for many websites, would alter the business model at the internet’s core. Some websites may shut down if required to serve users whose data they cannot monetize through advertising. Others may have to charge those users for previously free services to keep servers running. Policymakers should weigh these downstream effects on consumers as they decide which data “rights” consumers should have.
In addition, there is certain to be confusion over what constitutes the “sharing” of data. For example, if a website provides a temporary interface through which advertisers choose which data segment to market to, that could reasonably be considered sharing. Yet there is no industry-accepted definition of data “sharing.” When considering data privacy legislation, therefore, Florida policymakers must provide clear guidelines on what constitutes data sharing.
Data privacy can be protected without such burdensome regulations. Other rights, such as the right to correction and deletion, impose minimal burden as long as they come with appropriate cure periods, such as 90 days. Privacy notices with persistent opt-in, which spare users from accepting cookies on every visit, can smooth the experience while giving consumers a transparent and understandable privacy contract that is available at any time. Distinguishing between personally identifiable data and de-identified data can also prevent needless regulation of non-personal data, provided the de-identification standard is rigorous enough that the data cannot reasonably be re-linked to an individual.
As people increasingly move their lives into the digital world, demands will inevitably grow for stronger data protection rules and more restrictions on what private companies can do with this information. Crafting data privacy rules that balance consumer demands against the needs of businesses is a perilous task, however, one that risks either providing too few protections or overregulating the digital space, and either outcome ultimately harms Floridians. The state legislature can nonetheless strike this balance by excluding a private right of action, limiting the right to opt out, and providing clear guidelines for data sharing alongside an open and transparent privacy agreement.
Florida can do better than California or Europe, but only if lawmakers recognize the promise and perils.
Spence Purnell is the Director of Technology Policy at Reason Foundation. Edward Longe is the Director of the Center for Technology and Innovation at the James Madison Institute.