'Regulating the Data Market: The Material Scope of American Consumer Data Privacy Law' by Bryce Clayton Newell, Nadezhda Purtova, Young Eun Moon and Hugh J Paterson III in (2024) 45(4) University of Pennsylvania Journal of International Law 1058 comments
Information privacy is having a moment in the United States. Only a few decades ago, data was described as “the sludge of the information age—stuff that no one has yet thought very much about.” Now, scholars refer to the widespread commercial practice of “trafficking in human information.” Clearly, much has changed in the intervening years, yet only recently have any U.S. jurisdictions adopted broad—what might be called non-sectoral, comprehensive, or omnibus—data protection (or data privacy) laws. Recently, there has been a resurgence of legislative interest in data protection or data privacy laws in the United States. This “new wave” of data privacy laws began with enactment of the California Consumer Privacy Act in 2018 and subsequent revisions, including those promulgated in the California Privacy Rights Act of 2020 (referred to collectively hereinafter as “CCPA”). Subsequently, Virginia and Colorado enacted “comprehensive” consumer privacy laws in 2021, followed by Utah and Connecticut in 2022. In 2023, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas also enacted similar laws, followed by New Jersey in early 2024. The text of these laws often tracks language proposed, but not adopted, in Washington State over several previous legislative sessions. Legislatures around the United States, in state houses and houses of Congress, have considered adopting more comprehensive consumer privacy and data protection laws in the last few years. However, Congress has failed to order anything from the plentiful menu before it, although significant bipartisan steps have been taken, leaving U.S. data privacy law in the hands of the few state governments that have moved to adopt such a law.
The importance of data privacy has also received additional attention after the Supreme Court decided Dobbs v. Jackson Women’s Health Organization on June 24, 2022. In that case, the Court overruled Roe v. Wade and Planned Parenthood v. Casey, holding that the U.S. Constitution does not provide a federal right (of decisional privacy) to choose to abort a pregnancy. Importantly, for purposes of privacy law, Justice Alito’s majority decision sparked concerns amongst abortion rights advocates that commercial data collection and surveillance practices would be harnessed by law enforcement to investigate individuals seeking information about and access to abortions in states where abortion is now illegal or at least highly regulated. Of course, privacy and data protection concerns are broad and varied, but this post-Roe America fervor has only put increased pressure on legislatures to act in meaningful ways to protect individual privacy—from both private commercial actors as well as from law enforcement. Indeed, the need to do something about data privacy is only underscored by the fact that, “[u]ntil the CCPA, most American law permitted [non-governmental] entities to collect and use personal data however they wished by default, absent a specific legal rule forbidding a particular practice.” According to Determann, this default presumption to allow data collection and use absent some specific legal prohibition is one of the hallmarks that set data (or information) privacy law apart from data protection law. The second defining characteristic of data protection law is that the focus is on “protecting information concerning persons” rather than persons themselves (personal data essentially operates as a legal proxy where the aim is to protect persons but the focus is on personal data).
Although many countries around the world have enacted broad data protection laws, the most frequent reference is to the European Union (“EU”)’s General Data Protection Regulation (“GDPR”). But the GDPR—which generally applies to personal data processing for non-law enforcement purposes—is not the only important data protection tool in the EU. The GDPR was adopted alongside Directive 2016/680, commonly referred to as the Law Enforcement Directive or “LED.” The Law Enforcement Directive specifically regulates public law enforcement-related processing of personal data, applying when personal data is collected or processed “by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security . . . .” Additionally, Article 8 of the Charter of Fundamental Rights of the European Union (“EU Charter”) makes the protection of personal data a fundamental rights concern within the EU. These data protection rights also exist against the backdrop of a broad fundamental right to a private and family life, home, and communications, as enshrined in Article 7 of the EU Charter and Article 8 of the European Convention on Human Rights (“ECHR”).
In the United States, no comparable fundamental rights to privacy, federal data protection, or law enforcement-directed data protection law exist. The state-level data protection laws analyzed in this Article represent the closest things to the GDPR—or to broad data protection law generally—in the United States at present. Information gathering practices of law enforcement are primarily regulated by state and federal search and seizure laws, including the Fourth Amendment to the U.S. Constitution and other constitutional provisions, as well as communication privacy laws such as the Stored Communications Act, but those provisions are simply not comparable to the LED in purpose or scope, and have failed to limit warrantless law enforcement access to commercial databases in several high-profile contexts. As such, members of Congress have introduced bills such as the proposed Fourth Amendment is Not For Sale Act, which would require law enforcement to obtain a warrant prior to accessing certain personal data in commercial databases.
Conventional wisdom suggests that the growing interest in omnibus data protection laws in the U.S. has been driven by adoption of the GDPR in the EU. An alternative theory of catalysis posits that American data privacy laws differ significantly from the GDPR and are more likely inspired by the CCPA adopted in California in 2018, just a month after the GDPR went into effect in Europe. There is also a semantic difference in basic terminology, as American commentators often refer to these new laws as data privacy laws instead of data protection laws. However, to the extent they focus on data rather than personal privacy and set baseline, default prohibitions on data processing, these laws resemble data protection laws, albeit limited to a consumer protection framing that is narrower than the fundamental rights foundation of the GDPR. Despite resembling data protection law, Chander, Kaminski, and McGeveran argue that the CCPA “differs significantly—and consciously—from the European model . . . [offering] a fundamentally different regime for data privacy,” one that lacks “major structural elements of the GDPR . . . .” Yet again, while either might have been the impetus, the current swath of laws being adopted and proposed in the last few years often appears to follow what has been called the “Virginia Model”—copying and replicating many aspects of Virginia’s Consumer Data Protection Act of 2021 (“VaCDPA”) which was based on legislative language proposed previously in Washington State—even if their impetus was the CCPA. There is also evidence that corporate interests have been lobbying these states to create business-friendly, uniform laws that minimize variation across jurisdictions, including such lobbying in Virginia in support of the VaCDPA.
Minimal variation is, of course, better for business. However, such uniformity at the state level would gut the possibility for legislative experimentation in the various states, and with high levels of corporate involvement and lobbying at the state level, the likely outcome is watered-down, business-friendly legislation that lacks much real innovation in establishing strong data protection rules in ways that promote privacy interests. In that vein, Utah’s law, one of the latest enacted at the time of writing, has also been described as taking “a lighter, more business-friendly approach to consumer privacy” than other existing data protection laws, and it appears the trend may be moving away from more privacy-focused laws like the GDPR and CCPA. Additionally, at the federal level, movement in Congress toward potentially adopting the American Data Privacy and Protection Act (“ADPPA”) in recent legislative sessions became enmeshed in debates about federal preemption of state data privacy, especially since the ADPPA was seen by some as less robust than the CCPA in California.
In this Article, we examine and compare the material scope of these new American data privacy laws. Understanding the material scope of the law is important, as it forms the foundation upon which the rights and obligations rest. We compare the laws in the first five states to have enacted broad data protection laws—each of which have also gone into effect as of the end of 2023—with each other and with the GDPR. Specifically, we look at how these laws define and conceptualize their subject matter, focusing on the key concepts of 1) personal data and similar terms that determine what is subject to regulation; 2) “persons,” “consumers,” and other terms that determine to whom and in which contexts the law provides rights (data subjects); 3) which forms of “data processing” are subject to regulation; and 4) which entities acquire obligations (and potential liability) arising from such rights. Importantly, we do not examine the rights enshrined in these laws themselves, or the full range of other provisions contained in the statutes, although future research ought to compare those provisions as well.
Examining the affordances that these new information privacy laws provide to commercial data controllers, including to share data with state institutions, highlights how certain legislative choices allow the continued consolidation of informational power within corporations and state organs, resulting in the potential for domination and the loss of individual and collective freedom. Drawing from neorepublican political philosophy, we analyze how well these laws protect user (consumer, data subject) privacy and ensure some measure of what Philip Pettit calls “antipower”—that is, the power to resist the possibility of arbitrary or uncontrolled interference by others. This analysis is informed by Julie Cohen’s notion of “semantic discontinuity,” and we show how developing more robust laws that regulate data practices with the aim of preserving or enforcing interstitial complexity can promote antipower and reduce the possibility of informatic domination. This, in turn, can better protect privacy as a fundamentally important right, instrumentally linked to personal and collective freedom. We question whether the material scope of these laws adequately captures and protects the underlying interests that appear to have motivated their adoption, such as privacy and the need to protect people from other data-driven harms. We also briefly note whether, and to what extent, these laws regulate or address the issue of law enforcement access to commercial databases. Finally, we examine to what extent the material scope of these laws—including how they protect privacy interests and limit corporate power—contributes to promoting neorepublican notions of liberty, non-domination, and antipower. ...
In this Part, we provide a brief overview of the major theoretical constructs that we use later on to reflect on the comparative findings of this research—namely, civic or neorepublican conceptions of liberty and domination, and the application of those ideas to the realm of privacy and data protection. At the outset, it should be noted that we have intentionally kept this analysis separate from our primary comparative analysis of these laws, so as to maintain the ability for the comparison to stand on its own, regardless of whether readers are sympathetic to the particular political philosophy employed or the normative conclusions we draw from it. Thus, even if one rejects the tenets of the neorepublican position we take on privacy and its application to data privacy law, we argue the comparative analysis will still be useful.