A National Data Privacy Framework Is Needed Rather than Individual State Laws
The WasteWatcher
Personal information is increasingly being used for data analytics, online advertising, and targeted messaging without a national standard of protection, transparency, ownership, and consumer choice. In an attempt to resolve these issues, several states have enacted or are considering enacting legislation to protect the personal information of their residents. While state legislatures should act in the interests of their constituents when necessary, creating a patchwork of privacy laws will create confusion instead of certainty.
Instead of writing their own laws, states should encourage Congress to pass a national data privacy framework and protect state laws from being superseded by one constructed by the European Union or some other foreign entity.
In 2021, there were 29 states, including Alaska, Colorado, Oklahoma, Virginia, and Washington, that considered consumer privacy legislation during their legislative sessions. Virginia and Colorado were the only two states that had bills signed into law, making them the second and third states after California to enact such laws. Virginia Governor Ralph Northam (D) signed the Virginia Consumer Data Protection Act into law on March 2, 2021, which has provisions similar to, but not as comprehensive as, the California Consumer Privacy Protection Act. It will take effect on January 1, 2021. Colorado Governor Jared Polis (D) signed the Colorado Privacy Act into law on July 7, 2021. The law, which will take effect in July 2023, will allow Colorado residents to opt out of data collection on websites and require companies to make it clear what data is collected, what will be done with the data, and how long the data will be kept.
Unfortunately, these laws and the bills that were considered did not pass in other states will fail to achieve their objective of protecting consumer privacy. Instead, they will create instability and uncertainty for companies doing business over the internet and their customers. The internet is not contained within a single state’s boundaries and therefore participants operating within the internet ecosystem can only be regulated by the federal government under the Commerce Clause, Article I, Section 8 of the Constitution.
States are attempting to protect personal information, online privacy for children, websites, and monitoring employee e-mail communications because there has been no comprehensive action in Congress. These laws affect any business operating or selling to customers in each state, impinging on interstate commerce. Without the adoption of a consistent national privacy protection regime that preempts state and local laws, more states will enact their own rules, which will raise costs and complicate compliance for businesses and individuals.
Rather than enact state laws imposing restrictions on online interstate commerce, state legislatures should encourage Congress to pass a national data privacy framework that will promote innovation while providing certainty across state borders for the regulation of data privacy.