The Long-Term Promise of Privacy Federalism, Part 2


Yesterday, guest blogger Bilyana Petkova summarized some of her arguments in favor of “privacy federalism,” i.e., temporary state-level regulation of privacy matters, a topic she addresses more fully in a forthcoming article on SSRN. In helping her prepare her post, I organized my thoughts into some pros and cons of state legislatures as privacy regulation entrepreneurs. Here’s what I came up with:

Some possible benefits of privacy federalism

* States can get stuff done where Congress can’t.
* States passing laws can prompt/force Congress to act. However, as Paul Schwartz has noted, we can’t really rely on Congress fixing any state-level mistakes, or adopting the best ideas, any more due to Congressional gridlock.
* States can act as laboratories of experimentation.
* Legislative intervention is required to engender consumer trust in the marketplace. However, this is an empirical statement where there are many data points indicating that government intervention is not required to lay the necessary foundation for consumer trust. My favorite example is the mockable claim in Reno v. ACLU where the government tried to defend the Communications Decency Act in 1997 by arguing that legislatively suppressing online porn was required to spur consumer adoption of the Internet. History has not treated that argument kindly.

Some possible problems with privacy federalism

* Race to the bottom. Internet companies working across state lines may be forced in practice to comply with the most restrictive state’s rules or must incur substantial expense to create different implementations for different state users.
* The experimentation of one state can affect residents of other states, or even taints other states’ ability to conduct their own experiments.
* States can enact inconsistent rules that conflict with each other.
* The compliance costs of dealing with dozens of slightly different state laws exceeds the social value. Data breach notification stands out as an example–it’s not clear that the notifications benefit consumers OR have the desired compliance effect on companies, but it does impose substantial costs on companies that consumers ultimately pay for.
* If Congress doesn’t preempt state laws when it enacts federal law, we’re left with all of the costs of multiplicitous and inconsistent state laws with none of the uniformity benefits.
* Regulatory capture. State legislatures often are more easily captured than Congress. Thus, I am completely unpersuaded by Bilyana’s argument that state legislatures passing privacy laws are simply catering to their constituents’ desires. Then again, I may have a more cynical view of democracy as mediated by legislatures.
* State legislators are not well educated about technology matters, and there aren’t enough lobbying forces in state legislatures to educate them or prevent them from making really dumb mistakes. Cf. the Utah legislative fiascoes of the 2000s (and don’t forget this Utah gem).
* States often copy the “experiments” of other states before getting the results of whether or not those experiments worked, so bad policy can spread virally throughout the states. My favorite example is the baby CDAs from the 1990s, all of which later got struck down as unconstitutional. But we’re seeing the same phenomenon with state laws regarding social media privacy, where the laws are spreading rapidly but not smartly (and Venkat and I keep seeing lawsuits where the laws seemingly should apply but are proving irrelevant). If we are going to trust the states as our policy laboratories, we need these “scientists” to follow the scientific method–including confirming the legislative experiment succeeded before rolling out the solution more widely.
* There are no “local” conditions on the Internet requiring local solutions. This is the core premise of the laboratories-of-experimentation justification: local regulators encounter local conditions that require local adaptations. That model bears absolutely zero resemblance to either the Internet or consumer privacy. Or flip the argument around: if there really are local conditions regarding privacy, then don’t we want counties, cities, school boards, water boards, and other “local” communities experimenting with their own privacy regulations? After all, why stop at the state level?
* State legislatures routinely pass laws that violate the First Amendment.
* State legislatures routinely pass laws that violate the Dormant Commerce Clause.

My list of “cons” is quite a bit longer than the “pro” list. As you can see, Bilyana attempted to respond to some of my concerns, but apparently it will take a lot more to convince me!

Bilyana’s Sur-Reply

Many thanks, Eric, for a great intellectual sparring! The clash of ideas is not always a bad thing and can sometimes actually spur some consensus. You might even agree with me on one thing: Congress needs to actually do something from time to time! To be sure, on the rest we can agree to disagree:

I will address some of the primary arguments on your “cons” list that I did not address in my initial remarks. I’d like to mention just in passing that Reno v. ACLU should not be seen as government intervention that facilitates trust in the marketplace but it primarily addresses a First Amendment issue. In our email exchange, you mentioned that instead of betting on ex post judicial supervision of state legislatures that would impose a lot of costs on lots of players, it would be better for democracy if legislatures got it right the first time (e.g. on First Amendment issues). True, and yet even the federal government does not always get it right, as in the case of the CDA.

You start with the “race-to-the-bottom” argument and then oppose of the “viral” spread throughout the states of what you regard as bad state policies. I disagree. As I pointed out, unreasonably inflexible rules rarely roll out. Such state rules might face enforcement issues, i.e., from the state attorney generals; and will in most of the cases become obsolete. Further, I do not believe that the roll-out of state laws protecting social media accounts, anti-revenge porn legislation or ban-the-box laws are examples of a race to the bottom. Libertarians might see such laws as a bad idea, although apparently even not all libertarians.

In our email exchange, you elaborated more on what I see as an important argument. In general, established companies are OK with regulations that impose additional costs on them as long as those additional costs create barriers to entry for new market entrants. But what of start-ups? Since start-ups are good for innovation and since most of the benefits of innovation are internalized by the state or region where a start-up is located, there might be a good reason why states should give direct subsidies, tax breaks or venture capital to start-ups. In fact, some states already do, as Camilla Hrdy will argue in a forthcoming paper.

Finally, I disagree with the interpretation that lack of lobbying forces in state legislatures is a sign of regulatory capture. After all, what is regulatory capture? In fact, some might see Congress “captured” by special interests that mobilize easier on the federal level to thwart democratic concerns. If state legislatures are not well educated about technology matters, there might be ways to supply additional tech-savvy expertise. As I mention in my forthcoming article, the ACLU (or the ABA) can provide expertise by drafting templates for state legislative bills (the ACLU did exactly that for legislation on geo-location tracking after Jones).