Feds debate while states act on data privacy laws
As Congress debates its next move on how to regulate big tech, states are already enacting legislation. Their push will likely serve as a model for the federal government.
States are laying the groundwork to protect online consumer data and reign in powerful tech giants -- debating and voting on laws and policies the federal government could borrow from as it advances big tech regulation.
State data privacy laws like the California Consumer Privacy Act, which passed in 2018, give residents the right to control where their personal information is stored and how it is used. Following in California's footsteps, Maine, Nevada and Virginia have passed data privacy laws, and Washington and New York are considering their own data privacy bills.
Some states have gone in a different direction. Maryland recently passed a tax on digital advertising for businesses, which is already facing a federal lawsuit. Other states, including Massachusetts, Connecticut and New York, could soon follow suit.
State laws like these are aimed at the growing power of internet commerce and at especially powerful tech giants like Amazon, Facebook and Google -- companies that collect data generated by millions of users and turn it into profit. But they could also have a broad regulatory influence. California's CCPA as well as other state efforts to oversee online consumer protection may serve as a foundation for a federal framework.
Federal leaders like Sen. Amy Klobuchar (D-Minn.) have introduced federal data privacy laws without success. Most recently, Sen. Suzan DelBene (D-Wash.) proposed online data privacy legislation that would give consumers control over their data. Still, Sarah Kreps, a law professor at Cornell University, thinks the federal government is at the beginning of a long journey and will likely look to state laws to inform its own push on big tech regulation and consumer protection, she said.
"One of the reasons why the federal government hasn't been acting on this and on many other things is just polarization and paralysis," she said. "A side effect of that is indecision about the path to take. So, what the states can do is provide almost a template for action that becomes a model for what different options might look like for the national level."
How states could shape federal policy
Part of the federal government's paralysis may be due to the fact that regulating big tech is complicated, Kreps said.
Breaking up big tech companies, something Sen. Elizabeth Warren (D-Mass.) called for during her 2020 presidential campaign, could have drastic economic impacts and Congress is right to tread lightly, according to Kreps.
"If Facebook does break up, and these different firms are then superseded by a non-U.S. firm, the U.S. loses agency over these huge tech firms and accountability such as it is," she said. "And it's far worse then for this competitor to arise from, [let's say,] China -- we see what's happened with TikTok. You don't want those competitors to arise and have less accountability the way you would if it's some other country."
That's why Kreps believes states have a role to play when it comes to impacting the "interest, incentives and motivation" at the federal level for action related to big tech regulation. As more states write their own laws on consumer data, they create a new norm for what sort of regulation needs to happen -- something that's currently being debated at the federal level.
Kreps said state legislators are right to push forward on regulation, especially on the data privacy and consumer protection front. According to a 2019 Pew Research Center survey, 81% of Americans believe risks such as data security associated with consumer data collection far outweigh the benefits.
"There's a lot of support for this and I think the fact that states are doing this both responds to that pressure, but also helps create this norm that there should be some action taken," she said.
Braden Perry Attorney, Kennyhertz Perry Attorneys at Law
As states venture into something like data privacy, Kreps said their approaches will likely be slightly different, acting almost as pilot programs for the federal government. For example, given California's Democratic leanings, CCPA alone might not garner bipartisan support, but a data privacy law enacted by a more middle-of-the-road legislative body could provide additional information to Congress.
The momentum to regulate big tech at the state level could light a fire under Congress, said Braden Perry, a regulatory compliance attorney at Kennyhertz Perry Attorneys at Law in Kansas City, Mo.
"No one wants a 50-state system of anything, with differing standards in all 50 states," Perry said. "Multiple states with multiple regimes would likely be the catalyst needed to embrace the inevitable and establish a federal legislative framework."
Indeed, Erin Illman, a specialist in privacy and information security law and co-chair of the cybersecurity and privacy practice group at national law firm Bradley, said the more states that pass privacy legislation will influence what happens at the federal level. She believes federal privacy legislation is likely within the next four years -- legislation that she thinks will become the "floor," meaning a foundation upon which states can continue to build more restrictive data privacy laws.
Illman pointed to historical privacy laws like the Gramm-Leach-Bliley Act, a federal privacy law for financial institutions, as a possible example of what to expect from a federal framework on data privacy.
"That law does not preempt state-level action," she said. "You see state laws like the California Financial Information Privacy Act, which actually has a stricter requirement for financial institutions. Financial institutions have to comply with both GLBA at the federal level and CalFIPA at the state level. I certainly see that trend continuing even if there is a federal-level comprehensive privacy law."
Preparing for CCPA
For businesses, complying with state data privacy laws can be tricky.
When the CCPA passed in 2018, businesses like New Belgium Brewing Company, a nationally distributed brewery based in Fort Collins, Colo., implemented automated workflows so California residents could request that their personal information be identified and deleted rather than stored within New Belgium data systems.
"We knew that law was coming into place and we had enough time to sort of plan and prepare," said Tye Eyden, New Belgium's collaboration business systems analyst. "But we also wanted to make sure that we weren't going to be fined, or, if we were audited, we could answer the call and make sure we had our ducks in a row."
To comply with CCPA, New Belgium relied on Nintex, a workflow automation provider, to route California residents' information requests to the appropriate department. California residents can fill out a form on the New Belgium website to kickstart the information request process.
Eyden said, aside from the legal challenge of understanding how to be compliant with CCPA, the brewery also didn't know how many requests it might be fielding and how much time it would have to dedicate to fulfilling those data requests. Since rolling out the automated workflows by the time CCPA went into effect in 2020, Eyden said few requests have come in.
"If we knew the impact was going to be this low, we might not have developed this right off the bat. We probably could've handled it all with email and whatnot," he said.
However, Eyden said getting the infrastructure in place to handle data requests puts the brewery at an advantage as other states follow suit.
"If other states decide they want to do something like this, we might run into multiplying these types of requests at a larger magnitude," he said.