Privacy concerns are at the forefront of the current so-called “Techlash.” Be it a social network, an insurance company, or a state, high-profile data breaches regularly lead to breathless headlines that dominate news cycles.
As a result, privacy is now unsurprisingly one of the largest public concerns. According to a recent Pew Research study, 61 percent of Americans would like to do more to protect their digital privacy and approximately two-thirds believe current privacy protection laws are not good enough. State and federal elected officials are taking note.
Given the public outcry for a legislative privacy solution, it is critical that policymakers, particularly those who value personal freedom and free enterprise, avoid rushing headlong into a quick — and damaging — fix. At the state level the ability to act is greatest, and the need for caution in these “laboratories of democracy” is most profound.
There are three major problems with current state legislative responses to the privacy question: objective/outcome mismatch, inconsistency and overbreadth.
First, legislation tends to focus on regulating data collection without addressing any actual privacy harms, thereby mismatching objective and outcome. That approach does not actually protect privacy; instead it treats “privacy” and “data collection” as one and the same.
Recently, California, inspired by the European Union’s General Data Protection Regulation (GDPR), adopted the California Consumer Protection Act (CCPA). The CCPA purports to give California residents the right to control their own data. It does so by, among other things, requiring organizations to have a “business purpose” for their use of consumer personal information and requiring businesses to comply with consumer demands for “their” data within 60 days.
Ironically, each of these requirements puts businesses in the position of potentially diminishing a person’s privacy in order to comply. The CCPA incentivizes businesses to gather more information to ensure they have a “business purpose” for holding data and creates a verification nightmare for producing data that has some nexus with a particular person. Unintended personal privacy consequences aside, this approach places an extraordinary burden on businesses while flatly failing to address any of the harms caused by poor data management. Indeed, it is unclear how California consumers are actually protected by these measures.
The CCPA represents a state approach to consumer protection that essentially treats all data collection as evil — in reality, data collection is neutral. Privacy harms stem from how data is used, not from the fact that it exists or is collected.
Second, a staggering level of regulatory inconsistency is brewing as state-by-state regulation of data collection promises overlapping and mutually exclusive requirements. For instance, the CCPA, although only a state act, affects all internet enterprises that have consumers in California. The very nature of the internet allows online businesses to attract consumers from all over, meaning that the CCPA may essentially become the de facto privacy law for most U.S. businesses once it goes into effect in 2020.
Other states have attempted to pass their own privacy legislation, and Nevada and Maine, to various extents, have. These developments are not confined to “blue” states; the Texas House considered two different privacy bills: HB 4518, practically identical to the CCPA, and HB 4390, a slightly watered-down version.
Though both of those bills were killed in committee, they highlight the specter of a state-by-state approach to privacy regulation. Asking online enterprises to comply with every single state’s separate privacy laws will essentially make doing business online impossible.
Third, states should steer clear of an overbroad approach to the scope of their authority to avoid running afoul of the Constitution’s dormant commerce clause. The federal government is authorized to bar states and localities from regulating beyond their borders. After all, the last thing Texans want is to be subject to California’s standards! By imposing disparate data collection standards on out-of-state consumers, states risk violating the dormant commerce clause.
Understanding each of these shortcomings is key to developing effective state-level consumer privacy protections. That said, if state lawmakers want to pass meaningful privacy legislation they should embrace a “harms-based” approach to privacy protection. A “harms-based” approach focuses on creating privacy regulation that targets the specific harms caused by poorly managed data collection — not data collection itself.
This approach requires that specific harms be identified before regulation is crafted and that the regulatory response addresses only the specifically identified harms, and not the actual underlying industry.
If state lawmakers truly want to move the needle forward on privacy protection, they should focus on “harms-based” privacy legislation instead of conflating data collection restrictions with privacy.