The Long-Term Promise of Privacy Federalism, Part 1 (Guest Blog Post)


[Eric’s introduction: as I’ve remarked previously, the academic and policy discourse about privacy focuses principally on the substantive legal boundaries of privacy law and pays comparatively little attention on which policymakers are best positioned to develop and supervise those rules. The “who” question in privacy policymaking has significant implications, as I pointed out when discussing the ironic consequences of class action lawsuits as a privacy regulatory mechanism.

Elsewhere, I’ve written about the illogic of state legislatures as primary contributors to privacy policymaking. Thus, I was excited–and skeptical–when I saw that Bilyana Petkova, a Visiting Fellow at Yale’s Information Society Project, had posted a forthcoming article evaluating the “who” topic…and reaching the counterintuitive (to me) conclusion that state legislatures and generally, state institutions, are good manufacturers of privacy regulation in the long run.

In this post, part 1 of a 2 part series, Bilyana explains why she thinks states are a good backstop for privacy. In a companion post, I’ll offer some rebutting thoughts and her sur-reply.]

The conventional wisdom is that neither federal oversight nor fragmentation can save data privacy any more. In the United States, there are concerns regarding the increased fragmentation of American data privacy law and the lack of relevant federal consolidation. In the European Union, the fear is of “over-centralization of powers” in the European institutions.

The conventional wisdom is not entirely wrong. But it is too simplified and often incomplete. Congress has been drifting further away from a comprehensive statutory scheme after a federal proposal for a Consumer Privacy Bill of Rights failed to gather much consensus twice, first in 2012 and then in 2015. Meanwhile, legislative activity on data privacy in the states has been on the rise. Why all the noise on privacy by state officials? One way to think about this is that state legislators andattorney generals that enforce the state laws are simply engaged in political grandstanding.

But The Obvious Way to Think About This Is: Democracy

Whereas the checks and balances of US federal lawmaking could be understood as originally designed to guard the states from federal overreach, at present Congress’ acute gridlock may endanger the traditional state-federal legislative dialogue. As Professor Schwartz writes, “Gridlock in Washington, D.C. has suspended the normal process of privacy federalism.”

There are many state laws without any attempt to replicate them on the federal level. For example, since 2012 twenty-one states have introduced bills protecting the private social media accounts of employees. These are Arkansas, California, Colorado, Connecticut, Illinois, Louisiana, Maryland, Michigan, Montana, Nevada, New Hampshire, New Jersey, New Mexico, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Virginia and Washington. The count gets bigger if one adds up to the numbers other states that are in the process of enacting or considering similar laws at the moment of writing, or yet another category of states like Maine and Vermont that have passed legislation mandating studies on the subject. State legislatures have navigated around the preemption provisions of the Fair Credit Reporting Act in order to modernize and ameliorate employment opportunities for constituents with criminal records often incurred decades ago, as well as to tackle issues related to identity theft problems and the inclusion of medical debt in consumer reports. The state institutions are filling in a gap of democratic demand. When Congress cannot deliver, the state legislatures and state attorney generals react to the democratic concerns of their constituents.

State Laws Kick off a Nationwide Debate

Currently, 47 US states have adopted breach notification laws under one form or another. The count of states with variations of student privacy bills that require schools to contractually oblige vendors to safeguard student privacy and security or introduce other measures for the collection and use of pupil data is growing. Similarly, a major development is the movement against “revenge porn”: as of last month, Maine became the 25th state to abolish nonconsensual pornography. Now there are attempts to regulate student privacy and to consolidate state data breach notification laws on the federal level. Even a federal revenge porn statute that navigates around the First Amendment does not seem as far-fetched of an idea as it did just a few years back. Eventually, at least some jurisdictional spillovers tee up for national resolution. Some controversial policy issues that can otherwise be conveniently overlooked make it up to the agenda of the federal lawmaker, be that Congress or a federal agency.

The States as Laboratories of Experimentation

If Brandeis’s oft-cited dissent is taken to heart and “…(t)here must be power in the states and the nation to remold, through experimentation…economic practices and institutions to meet changing social and economic needs,” then the best state ideas can still serve as templates for federal intervention. Clearly, not all of the new state statutes are sensible, but many actually are: other state jurisdictions and private companies decide to take them up voluntarily. The Massachusetts security requirements have become a de facto standard for many entities that do not necessarily operate in Massachusetts. Similarly, California’s laws on breach notification and data privacy are now serving as a starting point for negotiations on federal baseline regulations in these areas.

Frontrunner States Generate Races to the Top, Not To The Bottom

A major concern seems to be that any privacy regulation is bad for the digital economy. However, regulation is required to engender consumer trust since failures in self-regulation can create long-term harms for businesses. Further, businesses need uniformity and legal certainty to function, but uniformity can also be negotiated around a high data privacy bar. As one of my interviewees whose company is focused on education software shared, “…higher [data] privacy standards are beneficial for folks like us: we are supporting economies of scale, this is good for us, and it’s good for education…But everyone has to do it…” If the federal courts refrain from preempting state law on Dormant Commerce Clause or on statutory grounds for a period of time, at least some of the higher standards of consumer rights protection introduced in at least some of the states are likely to be taken up by other states but also by the industry. The federal lawmaker can then capitalize on such privacy-friendly initiatives to introduce a level-playing field beneficial for the industry and consumers alike.

Privacy Federalism as a Necessary Backstop, Not A Permanent Solution

The states are often seen to offer “mockable”, “sloppily drafted and misguided” laws for the Internet. And it is not just California’s eraser button for minors that stirs passions. One worry is that state privacy laws are not ambitious enough to protect privacy in an efficient manner. For example, how does California’s Reader Privacy Act help if it does not cover intermediaries? But just because they are insufficient to address privacy concerns does not mean state laws are useless. Such laws raise awareness and contribute to business models that value privacy. Ultimately, even imperfect state laws are a necessary backstop toward a federal-wide approach.

How to Tackle First Amendment and Inflexible State Law Issues

State laws can at times run into First Amendment issues; at other times, they might be too inflexible. For example, the Arizona legislature passed a “nude photo law” (that law is now dead because the AG has stopped defending it in court). Under the guise of fighting “revenge porn,” the law made the display, publication, or sale of all nude or sexual images without the subject’s explicit consent a felony punishable by nearly four years in prison. Similarly, a proposed bill on student privacy in Louisianacompletely prohibits the sharing of student data, even when a public or a private company is contracted to provide services to the students. The proposed Louisiana law has not won hearts or minds, and it is highly unlikely that it will be copied by other states. The state affiliates of civil society organizations such as the ACLU can in turn be trusted to police state laws inconsistent with the First Amendment by fighting legal battles in the state courts, the ACLU’s successful challenge of Arizona’s nude photo law being a case in point.

What About Dormant Commerce Clause Issues?

There might be constitutional objections to some state laws on the basis of the Dormant Commerce Clause. Such objections are usually hypothetical. In practice, the courts have been careful to limit Dormant Commerce Clause objections to anti-discrimination questions, and for a good reason. One of the basic principles of liberalism is neutrality. There is no way of knowing whether a state experiment is going to be successful without giving it time to unfold. Moreover, the Pike test is essentially about balancing: some state burdens upon interstate commerce can be upheld when they are designed to counter market inefficiencies (e.g. data privacy problems that the federal lawmaker is yet to address or that private companies face problems with when self-regulating).

What of Statutory Preemption?

If Congress doesn’t preempt state laws when it enacts federal law, we are left with all of the costs of multiple and inconsistent state laws with none of the uniformity benefits. But if Congress preempts state laws at all times, there will be a lot of preemption going on…or a lot of our time will be spent in courtroom. After all, we need not forget that legislative spillovers are ubiquitous in a highly integrated, tightly networked legal system like the US one. True, just because spillovers are unavoidable, it does not mean that spillovers are always a good thing. But if we want to avoid the skyrocketing costs of litigation that chasing just about every spillover will leave us with, perhaps we are better off separating the wheat from the chaff. One can distinguish between “malicious spillovers” that impose social costs (like when other states are forced to de facto comply with Delaware’s corporate laws) from legislative “spillovers that facilitate economies of scale” (like the ones we often encounter in privacy law). Some spillovers help establish a de facto baseline for a market in privacy solutions to emerge.

There is a need to think harder about how the state and the federal tier can go hand-in hand in a way beneficial for Internet businesses, consumers and law enforcement alike. There are no easy solutions. Still, one conclusion seems safe: federalism can promote data privacy in the long run.


Eric’s Note: as regular readers have already inferred, I don’t agree with much of this post. Normally, I’d respond on the spot, but this post grew too long. As a result, in part 2 of this series, I explain some of my issues with these arguments, and Bilyana follows up with a sur-reply.