My Testimony on California’s Efforts to Regulate Internet Privacy

CaliforniaAssemblySealIntroductory note: today Santa Clara University hosted “Balancing Privacy and Opportunity in the Internet Age,” An Informational Hearing of the Assembly Judiciary Committee, the Assembly Business, Professions & Consumer Protection Committee, and the Assembly Select Committee on Privacy. My prior blog post. I have notes from the event that I’ll post soon. Today, I’m sharing my notes from my remarks. I don’t normally script out my remarks, and I did deviate from them some, but this is where I was trying to go.

I appreciate the opportunity to be a part of today’s hearing. I’m thrilled to see the dialogue between the Silicon Valley and Sacramento, and I’m especially thrilled that we could host this conversation here at Santa Clara University. I want to thank all of you for attending today and for fostering such a rich discussion. I apologize that I didn’t submit a written version of these remarks in advance. As you probably know, law professors generally do just-in-time manufacturing.

I have repeatedly criticized the California legislature for its Internet privacy regulations [see this compilation]. Today, I’ll explain some of the problems I see, and then I’ll suggest some options for your consideration.

I’ll start with three problems I see. I know that many California legislators take great pride in developing innovative policy solutions. I also know California views itself as a global regulatory leader. Solutions adopted in our legislature often propagate throughout the country and the world; and even when they don’t, we are such a large and important economic market that vendors often will comply with our laws and then incorporate those changes into their offerings globally. Unfortunately, this line of thinking doesn’t translate well to regulation of the Internet.

First, California has no unique Internet issues that require state-specific solutions. Compare California’s innovations on environmental regulation. We face unique geographic and demographic conditions here in California that require a custom-tailored environmental policy. In contrast, California’s Internet issues don’t materially differ from any other state’s. On the Internet, there’s no equivalent of Santa Ana winds or Los Angeles’ inversion layer or the Central Valley’s tule fog. Instead, if anything is unique about California’s Internet presence, it’s that we’re the home of the most dynamic community of Internet entrepreneurs in the world. This means we have a global responsibility to nurture that community and avoid undercutting the entrepreneurial spirit that has produced so many amazing innovations.

Second, the Internet’s architecture doesn’t understand geographic borders. Websites often lack a cost-effective and reliable way to identify the state residence of their users, so any effort to comply with California regulations automatically affects people outside California. You may be familiar with Justice Brandeis’ famous statement about states as laboratories of experimentation:

It is one of the happy incidents of the federal system that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.

Notice that last part of that phrase: “without risk to the rest of the country.” When it comes to Internet regulation, no state can achieve that. Because a state Internet law typically can’t limit its effects to within the state, I believe that state laws regulating the Internet categorically violate the Constitution’s Dormant Commerce Clause.

Third, Congress has further restricted states’ ability to regulate the Internet via 47 USC 230, the law that says websites aren’t liable for third party content. I think other states have a worse track record than California for disregarding Section 230, but California’s record isn’t spotless. For example, parts of the recent law restricting the display of certain online ads to minors unquestionably conflict with Section 230.

For these reasons, I hope the California legislature will fundamentally rethink its approach to regulating Internet privacy. But I also know that legislatures are in the business of making new laws, so now I’ll offer four suggestions of relatively simple steps that would be responsive to my concerns.

First, before acting, the legislature would benefit from hearing from the full range of voices in the Internet community. The Internet industry isn’t just well-known public companies like Google and Facebook. Some of the most exciting developments—new services that will someday soon make our lives better every day—will come from start-ups we’ve never heard of. The big incumbents often acquiesce to new regulation because they easily afford any compliance costs, and it’s OK with them if the regulation happens to increase the costs of potential new rivals. But acquiescence from the incumbents doesn’t mean it’s a good deal for the Internet industry. If the legislature truly wants to understand the consequences of its regulatory proposals for the Internet industry, it will need to affirmatively reach out to folks who aren’t coming to its offices. Start-up entrepreneurs are too busy innovating to try to keep up with the interstices of the legislative process, and they’re too financially strapped to hire a lobbyist to look out for them. Events like today are a good start in the right direction.

Second, California should only attempt to regulate its geographic corner of the Internet. When the legislature enacts an Internet regulation, the law should expressly say it applies only to service providers located in California when they serve users they actually know are in California. Knowledge should not be inferred. I believe this restriction is required by the Dormant Commerce Clause.

Third, policy experiments should have a natural end to the experiment. Many laws implicitly assume prevailing technology limits and social practices. On the Internet, technology and social practices evolve rapidly, so laws routinely become quickly outdated. To address this problem—found in pretty much every state Internet law I’ve seen—every Internet law should include a sunset provision. When the expiration date arrives, the legislature should revisit the law’s assumptions and fix the outmoded pieces. Furthermore, every Internet law should include an empirical study to measure the law’s efficacy.

Fourth, creating new laws doesn’t have to mean imposing new restrictions. Rather, there is much merit to enacting safe harbors and immunities from liability. Many key Internet services are offered non-profit organizations or altruistic individuals, yet they face the possibility of ruinous legal exposure. Furthermore, safe harbors and immunities reduce the legal risk faced by the for-profit entrepreneurs, which stimulates entrepreneurship generally. It may seem counter-intuitive to deregulate, but the return on investment from those policy innovations can be huge.

Thank you for giving me a chance to offer my thoughts, and thank you again for taking the time to come here to the Silicon Valley to engage us in this conversation.