The U.S. lacks a federal comprehensive privacy law, but the states have sprung into action by passing broadly-applicable consumer privacy laws. Nearly 20 states have passed such laws – so about 40% of the states now have privacy laws.
Are these laws any good?
Short answer: No
But I am glad they exist. Well, sort of...
In my view, most of the state laws are rather weak, and use primarily a rights-based approach that doesn’t work, unfortunately. I’ve written extensively about how rights, consent, and the overall approach to rely on individual privacy self-management really doesn’t work and can’t work.
Ultimately, while I applaud the sentiment about the states passing privacy laws, I don’t think most really move the needle on privacy. I wouldn’t tell anyone: “Yep, your state just passed this privacy law so you can now rest easy. Your privacy is safeguarded! No more worries. Problem solved!” Instead, people will get a bunch of rights they won’t use, and the law will be papering over the problem. The problem won’t improve, and eventually, people will realize they’ve been fed a placebo.
So, I like the fact that states are passing privacy laws, just like I appreciated my grandma when she gave me crap she bought on some home TV shopping show. She meant well. The stuff was crap, but it was the thought that counts.
Many of the state privacy laws are cut-and-paste jobs. The original law was the California Consumer Privacy Act (CCPA) of 2018, later strengthened by a referendum. Perhaps a bit delirious from their giddy excitement over the CCPA, some commentators even called the law the GDPR of the U.S. But once they sobered up, people realized that the law, while adopting some GDPR elements like its definition of personal data, sensitive data, data protection impact assessments, a right to delete, a right to data portability, and a few other things, is ultimately far narrower and weaker than the GDPR. Most U.S. laws lack the lawful basis approach; they are warmed-over versions of the notice-and-choice approach, which has long been discredited. Nobody can plausibly defend notice-and-choice, but it persists anyway. The CCPA is obsessed with data transfer and fails to do much to address data use by the original collectors of the data. It relies far too heavily on privacy self-management and gives people rights that are largely empty and impractical to use at scale. Unlike the GDPR, it exempts smaller businesses (which can be quite large) and it has exceptions for publicly-available data. But it is at least a law spiced up with a little GDPR dust and terminology.
Other states joined the bandwagon, but for the most part, they passed even weaker laws. Instead of rethinking the scope and focus of the CCPA, other states have largely approached it as follows: Let’s do something like California, but less. But let’s throw in a few tiny differences, enough to create a few headaches for corporate compliance, but not enough to meaningfully move the needle on privacy protection.
States wanted to be different – I guess to justify themselves as unique – but not really different in truly meaningful ways (though there are a few small exceptions). The laws vary slightly in the list of things they designated as sensitive data. They differ slightly on the thresholds for business size for applicability. They also differ in their names – some fashion themselves as a “privacy” law and others as a “data protection” law. Most states have used Virginia’s law as a model – and Virginia’s law is the CCPA but watered down considerably – what I might refer to as the Bud Light of privacy laws.
Vermont tried to pass a privacy law with something different – and potentially powerful – a private right of action. This would address a big problem with many privacy laws – the enforcers of the law simply lack the resources to do truly effective enforcement, so they must strategically enforce, often going after a few usual suspects. But Vermont’s governor vetoed the law because it might actually pack a bit of a punch. Maryland’s law is attempting an interesting approach through a data minimization requirement. It remains to be seen how this is enforced, as data minimization, while a great principle and goal, can be difficult to translate into practice.
And that’s the problem. These laws are easy to pass because they don’t really ask much of companies. Multinational companies are already doing nearly everything these laws require and more because the GDPR mandates it. When the GDPR was passed in 2016, many companies cried out that compliance would be impossible and that they would struggle to do business in the EU. But then they got over their tantrum and realized that it wasn’t so bad after all, and they could make it work. And they made it work. So when the states came along and offered up warmed-over notice-and-choice laws with some GDPR sprinkles, the companies haven’t really been challenged. The paradigm hasn’t changed.
Of course, companies are afraid. They just don’t like being regulated, even if it’s not too onerous. Yes, there’s a cost. And yes, the laws create a headache because of the small differences. Despite companies decrying a high cost of compliance, the overall cost if visualized in a pie chart of their overall expenses (and certainly as one in relation to their overall revenue) would be such a small sliver that the chart would have to be magnified 1000 times to see it. But companies, seized with the fear of uncertainty, are now pressing Congress to pass a federal law, though they are doing so at a time when Congress can’t even change a lightbulb.
More states will probably pass privacy laws, but I worry that few of these laws will be meaningfully different. The count of states with laws will increase. It will make for a nice headline when we can declare that a majority of states have a consumer privacy law. The fact that states are passing these laws is at least an indication that privacy is a strong and bipartisan issue, one that the public cares a lot about. The passage of these laws makes the statement that policymakers are willing to regulate, that companies no longer have a blank check to do whatever they want with impunity — when the companies push too far, the law will push back. The laws make the statement that the early days of self-regulation are over.
But unfortunately, we haven’t traveled too far beyond self-regulation. So far, the laws have been underwhelming. They use approaches and measures (sensitive data, rights, notice-and-choice, etc.) that are either unworkable (I argue elsewhere that sensitive data doesn’t work) or ineffective. These laws don’t move the needle much.
As more state legislatures pass these laws, I wonder what they think they are really doing. It’s not clear that more of the same will make much of a difference at this point other than to score some political points. What I hope for is a state to break from the pack, to do some independent thinking, and try something new. There are plenty of promising ideas out there, ranging from redefining privacy harm and better addressing it, to imposing duties of loyalty, to many other things. Many law professors have thought of solutions that are practical and will likely be far more effective than the tired dose of placebos policymakers are currently passing. But rarely do we get contacted, and rarely are we listened to. It’s just easier for policymakers to cut and paste than to research, discuss the problem with experts, and craft meaningful solutions that actually might work.
These laws are a missed opportunity. We have a great window now to experiment with various approaches to regulating privacy. Although the GDPR is the best and broadest law, it has many weaknesses. The oft-mentioned saying that the states are the “laboratories of law” is sadly not what is occurring here in the U.S. The states are largely just cutting and pasting, not conducting new experiments. I will put it nicely – the states are currently lacking in imagination. I could describe the state consumer privacy laws in less gentle ways, but I’ll leave that to your imagination.
– – – – –
Daniel J. Solove is John Marshall Harlan Research Professor of Law at George Washington University Law School. He is the founder of TeachPrivacy, a company that provides computer-based privacy and data security training. His most recent book is Breached! Why Data Security Law Fails and How to Improve It, published by Oxford University Press 2022.