Should Congress be concerned about California’s data privacy law?
As 2019 comes to a close, the debate over a potential federal data privacy framework continues. The Senate Commerce Committee is set for a Dec. 4 hearing examining potential legislative proposals for protecting consumer privacy, and Senate Democrats recently listed a set of principles they desire in any federal data privacy legislation. But with little overall movement on the federal level, states including Nevada, California, and Maine have passed their own policies that are or will soon be effective.
These state laws will have a national effect. Some technology companies, including Microsoft, already plan on honoring the California Consumer Privacy Act (CCPA) nationwide. Indeed, because of its structure and application to California residents, the CCPA will have an outsized impact, even outside of the state. California firms are expected to spend nearly $55 billion in compliance costs in the first year alone, and many more firms based outside of the state will also be subject to requirements that could easily have six-figure compliance costs if they wish to continue doing business there.
In addition to worrying about the ability of one large state to influence — and potentially stifle — innovative industries from coast to coast, we should explore whether this development could affect the constitutional framework of federalism. Namely, such laws could trigger questions about potential unconstitutional burdens on interstate commerce.
Laws like CCPA may not directly discriminate against out-of-state companies, but the costs and burdens associated with compliance — as well as the potential national impact on consumer choice, decisions regarding privacy and data, and free expression and innovation — raise doubts. Should the purported in-state benefits of a law outweigh the burdens it creates for out-of-state parties?
Such burdens raise concerns about constitutionality under the Dormant Commerce Clause. They will only grow as other states follow California’s example and create a patchwork of state and local data privacy laws that could provide significant disruption to one of America’s key industries.
Some people argue that the benefits of privacy legislation are worth some reduction in economic activity or innovation, but it’s important to recognize that these things are difficult to measure and compare. The incalculable benefits of privacy legislation also involve tradeoffs to other intangible values — such as free expression — and should be carefully considered. For example, privacy laws often result in free speech concerns either due to content-based restrictions on commercial speech or deletion requirements, such as a “right to be forgotten,” that silence other speakers.
At times, the requirements of data privacy laws may even undermine the privacy they seek to protect. This can happen when companies are incentivized to respond to a request rapidly rather than carefully. One researcher was able to gain significant access to his fiancé’s online data by requesting it from companies under the EU’s new General Data Protection Regulation.
Even large companies make mistakes under expansive, evolving data protection frameworks and the incentives to act they create, like when Amazon sent 1,700 Alexa recordings to the wrong person following a GDPR request. Dealing with a patchwork of state laws with different timelines and enforcement requirements makes similar mistakes practically inevitable.
Many Americans are confused or concerned about their data these days. The state-by-state, patchwork approach starting with the CCPA is only likely to further that confusion for both consumers and innovators. The internet by its very nature is an interstate tool, and a single interaction can easily involve multiple states. In some cases, the most stringent laws will simply trump the more permissive ones. In others, it may be impossible to comply with both laws if, for example, one state requires users to opt in to data collection while the other requires that users have the ability to opt out.
The CCPA is set to go into effect on Jan. 1 and become enforceable on July 1. As the clock ticks towards 2020, the potential consequences become more of a reality. It’s not the end of the debate over data privacy, but rather a reminder of the risks and disruptions that a state-driven approach will have on consumers and innovation.
Without federal preemption, the U.S. approach to data privacy may see its changes come from Sacramento rather than Washington.
With significant costs and other consequences for both consumers and innovators, policymakers should carefully consider what such a shift might mean before rushing to follow California and Europe’s lead.
Jennifer Huddleston is a research fellow with the Mercatus Center at George Mason University. She has a JD from the University of Alabama School of Law and a BA in political science from Wellesley College.