Deep Dive Episode 147 – The State of State Data Privacy Laws Post-2020 Election
In the absence of federal data privacy legislation, some states have acted to pass their own laws on the topic. Notably, California voted in favor of Prop 24 placing additional requirements on the CCPA and in favor of stringent consumer privacy requirements. In other cases, such as Michigan, states have established warrant requirements to protect consumer electronic data and citizens’ privacy from the government. This expert panel discusses what state data privacy actions mean for the debates surrounding data privacy as well as what might be anticipated in the next sessions of Congress and state legislatures.
Although this transcript is largely accurate, in some cases it could be incomplete or inaccurate due to inaudible passages or transcription errors.
[Music and Narration]
Introduction: Welcome to the Regulatory Transparency Project’s Fourth Branch podcast series. All expressions of opinion are those of the speaker.
Colton Graub: Good afternoon and welcome to The Federalist Society’s Fourth Branch podcast for the Regulatory Transparency Project. My name is Colton Graub. I’m the Deputy Director of RTP. As always, please note that all expressions of opinion are those of the guest speakers on today’s call. If you’d like to learn more about each of our speakers and their work, you can visit regproject.org where we have their full bios. After opening remarks and discussion between our panelists, we will go to audience Q&A, so please be thinking of the questions you’d like to ask our speakers.
This afternoon we’re pleased to host a conversation exploring the state of state data privacy laws. To discuss this topic, we’re pleased to feature Jennifer Huddleston, the Director of Technology & Innovation Policy at the American Action Forum. She’ll be joined by Joe Jerome, Multistate Policy Director at Common Sense Media, and Matthew Heiman, General Counsel & Corporate Secretary at Waystar Health and Senior Fellow and Director of Planning at the National Security Institute. Matthew will be moderating today’s call. The floor is yours.
Matthew Heiman: Thanks, Colton, and thanks to Jennifer and Joe for joining us in today’s conversation. I should tell the audience before we get into the conversation that, when we started to think about this topic, we realized that our list of questions and subtopics could go on for quite some length. And so we tried to identify four or five topics that we thought should be at the top of anyone’s list that’s thinking about trends in state law when it comes to data privacy.
So we’ll try and hit those today, and then we will reserve some time, as Colton mentioned — the last 15 to 20 minutes of the hour for questions from you, the audience members. So as he said, be thinking about those as we go along. So what I’m going to ask both Jennifer and Joe to do is to give us five minutes or so on the state of state law and regulation around data privacy today and where they think it might head in 2021. So with that, Jennifer, why don’t we start with you, and then we’ll pivot to Joe?
Jennifer Huddleston: Great. And thank you for moderating today, Matthew, and thank you, Joe, for joining me and to the Reg Project team for helping to get this together and hosting today. I think it’s really interesting to be sitting here in late November 2020 talking about data privacy because for a lot of us, myself included, I think we really thought this was going to be one of the big tech policy debates of the year 2020.
We saw that the CCPA went into effect in January and become enforceable in July. We saw several other state legislatures pre-coronavirus questioning and considering their own potential state level broad consumer data privacy laws and the possible emergence of a patchwork problem. And there seemed to be a real kind of attempt to do something on a federal level as well. We’ve seen multiple bills from both sides of the aisle but never really a compromise on what federal data privacy legislation or federal data privacy framework would look like.
So with the coronavirus and the pandemic, we’ve seen some new questions arise, too, and some different issues that have perhaps gotten more attention than the kind of broader consumer privacy debate we were seeing earlier in the year. That being said, there were some really interesting elements when it comes to the 2020 election, both in what was considered on the ballot at a state level as well as what this might mean for the next state legislative sessions and for the next Congress that will again be having to deal with a lot of these questions in 2021. So most notably, in California we saw the passage of Prop 24, which further cemented the California Consumer Privacy Act and added some additional requirements to it, including the creation of a state-level data protection agency and also made it a lot harder to change that law.
One of the interesting things when it comes to data privacy is that data has constantly evolved. The way we think about privacy and security has changed in many ways. We’ve seen new beneficial usages of this.
And so when we’re looking at hard top-down law, we also have to ask the question of what sort of trade-offs may be involved. And particularly if a law is hard to amend or hard to adapt, what might that mean for future innovation? Not to mention that this is probably the primary data privacy law we’re looking at right now, and it’s a state level law.
But because of how the California looks set to be enforced and several of the definitions on it, it’s likely to have impacts far beyond its borders because it’d be very difficult for innovators to just execute this law in California. And data by its very nature is cross-border. So we really should be asking if states are the right place to be making these broad data privacy laws. And I would suggest that this is a case where, if we’re going to have data privacy legislation, if we’re going to have data privacy regulation in a framework, it needs to be done at a federal level.
Now, there are some other interesting trends going on at a state level as well. And one of those is what we’ve seen in Utah and Michigan when it comes to data privacy laws that don’t consider consumer privacy data in the sense of what is Facebook doing with your data or what happens to the email addresses that you give for free coupons. But instead, it’s considering that relationship between those who may have electronic data from a social media site or even a personal device and the access to that data by government and law enforcement officials.
So we’ve seen some states try and take action to go farther than the Carpenter case that clarified that the third party doctrine no longer applies to cell site location information and try and establish additional requirements when it comes to law enforcement or government access to other types of electronic data and address this data privacy question. So Michigan had a ballot initiative on this. Utah has taken similar actions that don’t prevent law enforcement from being able to obtain this data but instead clarify that they are imposing a warrant requirement on certain types of data instead of much lower levels of requests.
So I think as we head into 2021, the question of will there be policy over data privacy isn’t going anywhere, that we should be concerned about some of the ways states are acting in kind of the vacuum of not having a federal data privacy approach and what that might mean for the future of innovation and for consumers’ ability to make their own trade-offs, particularly if we do see this disruptive patchwork start to emerge.
Matthew Heiman: Great. Thank you so much, Jennifer, for that summary. Joe, your thoughts on the state of data privacy law today at the state level and where it might go in 2021 and beyond?
Joseph Jerome: I may be echoing exactly what Jennifer just said but maybe putting a little bit more of a positive spin on it. First, obviously, thanks to the Regulatory Transparency Project for the invitation today. And I’m actually really looking forward to sparring with Jennifer.
Now that the dust has settled on the election, I’m a long-time privacy advocate and privacy professional. And I really am excited about the opportunity to geek out about what is next for privacy and really how state and local law makers are trying to regulate information technology. I always think it’s important — I know this is an audience of lawyers. But I think it’s really important to take a step back and ask what do we mean by privacy here?
We’re going to get into the weeds of a bunch of different legislation and ballot initiatives pretty quickly. But regardless of whether we’re talking about government surveillance or consumer privacy, I think we need to recognize that lawmakers are ultimately trying to put controls in place on how powerful entities can use data to our individual detriment. And I think that sort of explains Common Sense Media’s interest here.
As an organization, we’ve been invested in kids’ digital well-being for nearly two decades now. And privacy is really in our organizational DNA, whether it’s social media manipulating kids or schools profiling and data mining to determine who could be a good or bad student. Just yesterday, for example, we saw a story out of the Tampa Bay Times that was highlighting how information that law enforcement was collecting from local schools was basically being used to try and identify which kids could be criminals, giving them a scarlet letter.
That type of stuff highlights just how important or how influential technology can be and how important it really is to create baseline protections for how entities in positions of power can collect and use information. Common Sense Media has been a proud sponsor of both the California Consumer Privacy Act and Proposition 24. So all of you either have us to thank for those laws or to blame for the new compliance work you’re going to have to do.
But I think it’s really important that — we’re a California-based organization. And a lot of energy and focus is on California’s privacy efforts. That gets so much more attention. But I actually think we’re seeing across the country states and local lawmakers really trying to think about how they should legislate around data privacy. I think we’ll have an opportunity in the conversation to sort of push back on the notion that there’s an emerging patchwork.
But I do think Jennifer and I can both agree that we are facing a congressional vacuum. I’m a denizen of the swamp in D.C. So in terms of home field advantage, I’d love for Congress to get more involved in technology policy. I’m not going to hold my breath on that. For better or worse, Congress has not done anything on technology policy for going — certainly not on privacy for nearly 20 years now, excluding our limited genetic non-discrimination law. Congress — really the most action that Congress has done with respect to privacy legislation has been to sort of repeal wildly popular broadband privacy rules.
I do think a Biden administration could be useful here. There’s just been a litany of federal privacy proposals. And to be honest, the Trump administration hasn’t done a whole lot either way, leaving Congress to squabble amongst itself. So I do think a slightly more engaged presidential administration could make headway. And a Congress that’s going to be pretty divided on a host of big issues might be able to work on information privacy and call that as a major win for both sides. But again, not holding my breath.
States, meanwhile, are really doing all the heavy lifting here, whether it is reining in data brokers, placing limits on facial recognition — and that may warrant a conversation entirely of its own — efforts to protect student data. All of these issues really are being handled at the state level right now. I do think it’s worth pausing to acknowledge that the pandemic has changed the landscape for good or bad. I think, frankly, the pandemic has called into question the need for stronger health privacy laws.
But it’s also, I think, limited the interest of states in trying to do really aggressive privacy bills simply because they’re going to be resource constrained right now. I think it really has changed what states are going to be willing to do. That said, heading into 2021, we’re definitely going to see more privacy bills introduced across the country. And I actually think in a couple of states, Washington being a prime target, you’re likely to see some advancements on certainly the consumer privacy front.
Matthew Heiman: Great. Thank you, Joe. So if we focus on the action at the state level, let’s start in a state that you both talked about in your opening comments, which is California, which for better or for worse, depending on your perspective, has probably been the most aggressive in passing legislation in this area. So for talking about the California Consumer Privacy Rights Act, I would like you all’s thoughts specifically on that piece of legislation and then the Prop 24 item.
How does that change things, and what is the impact of CPRA in California? And then is there a spillover effect for CPRA in terms of how other state legislators and legislatures are thinking about privacy? Maybe, Jennifer, we’ll bounce to you, and then we’ll come back to Joe.
Jennifer Huddleston: Right. So it’s interesting when it comes to this question around CCP and now CPRA, given that the ballot initiative passed, because while this does appear on its face to be a state law, as I mentioned earlier, because of the nature of data and particularly because how these laws define a California resident and someone whose data is subject to these laws, they are going to have impact well beyond the state border. I argue with Ian Adams in a piece that was published about a year ago through the Regulatory Transparency Project that I think there are potential Dormant Commerce Clause concerns with laws like the CCPA and now the CPRA, given the fact that they will almost undoubtedly impact interstate commerce. Also, I think to kind of Joe’s point about it’s important that, when we talk about privacy, we clarify what exactly we’re talking about, when we’re talking about these consumer data privacy bills, I think it’s also important that we take a step back and think about all the things that consumer data and consumer data privacy law, therefore, would apply to because often these bills are portrayed as just applying to the big tech companies, to the Microsofts and the Facebooks and the Apples of the world.
And what we’ve seen, though, is that because of how many different industries data touches, it’s not going to just be these large tech companies. Some of it is going to be small startups, but there are also going to be brick and mortar businesses that are clearly impacted by these data protection laws as well that many consumers may not typically think of. Things like grocery store loyalty programs actually ended up being quite a contentious debate during the CCPA. And I, for one, personally feel that I benefit from my grocery store loyalty program, and the idea that a regulatory regime could make that a much less likely thing to occur is very different and very concerning.
So I think it’s important to consider all the different industries that data protection law may impact and what the tradeoffs and benefits in that are — may be as well. When it comes to the way California may impact other states, we’ve seen some state propose what are effectively copycat bills of the CCPA. And I would guess that we may see similar with the CPRA now. Although, it is somewhat of a uniquely California law, both in the way it was passed and its structure. And I defer to Joe’s expertise when it comes to the California side of things.
But with that in mind, when more states are passing the CCPA or CCPA-like laws, it’s not going to result in just a uniform federal standard. In fact, we could still have a lot of concerns about a patchwork because each of these states, even if they passed identical language, would likely have state AGs that interpreted it slightly different — that would have different enforcement mechanisms and different enforcement actions. And so you would still really see this patchwork effect.
So the idea that if this was done on a state by state basis that it might be a second-best option still leaves a lot of room for innovation disruption. And, I mean, one of the — I guess the kind of other example in terms of the privacy security framework to think about is data breach law. We eventually got a 50-state patchwork of data breach law. But as a result, different areas are covered in different states. There’s a lot of confusion about what different notifications mean. At times, there can clearly be conflicts about these bills. So when it comes to the internet and particularly to data, I really feel this is a topic that is going to be best handled on a national level.
Matthew Heiman: Joe, thoughts on the CCPA, CPRA, or any of Jennifer’s comments with regard to the same?
Joseph Jerome: Well, I think there’s a lot to unpack there. I think we should be honest. Jennifer’s not a huge fan of consumer privacy laws. I would never speak of what Prop 24 is doing as something of — as an innovation disrupter. I think it is basically a bill coming due on companies sort of flagrantly using information in ways that undermine consumer expectations and impact folks’ privacy.
Again, I’ll say upfront I think everyone agrees that the federal government should play a role here. They’re not, so we are stuck with these state laws right now. And so I look at the CCPA as it’s been sort of — there’s many folks that have sort of claimed that this is this incredible compliance costs and this incredibly unfair law. But from my perspective as a long-time privacy advocate, it was a — sort of a weak sauce version of the EU general data protection regulation.
And the reality is the world is being wrapped in data protection laws. And the United States is falling behind. And California’s, I think, trying to sort of put a plug in a breaching dam so to speak. I like Jennifer and Ian’s paper that discusses the Dormant Commerce Clause. I do, however, think that that argument is a little bit overstate.
As a practical matter, yes, privacy laws have costs. Yes, they may have spill over costs across state lines. But if we want to get into the weeds of Dormant Commerce Clause jurisprudence, I don’t think the CCPA fails the Pike test. The law would probably survive rational basis review in court. And I know that this innovation disruption argument points to the monetary costs of the CCPA, but I just don’t think that’s enough for a court to second guess the legislative and electoral determinations of the state of California.
If we actually wanted to have a law that had stronger privacy protections, that would probably require and even stronger law. And that’s going to have more costs. And similarly, if you look at sort of the jurisprudence of the Dormant Commerce Clause, a court will find that the CCPA and Prop 24 improve privacy. And that is certainly a legitimate state interest. And the absence of congressional action, I think, also suggests that I think a Dormant Commerce Clause challenge is really tough here.
But to get back to the nuts and bolts of both the CCPA and Prop 24, my day job is to actually try and evangelize state privacy laws across the country. And I do think one challenge we have with the CCPA and now with Prop 24 is that the laws are fundamentally unfinished. Prop 24 — I don’t know. We should probably discuss how that law is going to go into effect in stages.
The California Privacy Protection Agency is likely to be set up and staffed by early 2021. The Agency isn’t even empowered to start doing regulations that would flesh out Prop 24 until July 2021. And the law doesn’t even go into effect until 2023.
So as a practical matter, I like to be optimistic and say states are going to introduce other pieces of legislation, but I’m actually honestly a little bit skeptical of that. As I’ve been advocating for privacy laws across the country, I think lawmakers are pretty cognizant of California and California’s importance in the country. So you see a lot of pushback and resistance for states to enact anything similar until the law is finished. So I think that is part of the legislative landscape we should consider.
I also think we keep talking about this dreaded patchwork. But again, we haven’t even seen any enforcement of the California Consumer Privacy Act by the California Attorney General. I just think it’s incredibly pre-mature to suggest that there is a patchwork of consumer privacy laws across the country. I’ll acknowledge that that could be a concern. But you’re also going to have to find different states not just enforcing the — emphasizing different parts of the law but creating requirements that explicitly conflict with each other.
And we should definitely talk about what’s happening in Washington state with the Washington Privacy Act. But when you match the Washington Privacy Act up against what California’s doing, there might be two different laws with two different points of emphasis but a company that looks at both should be able to comply with both. And as a result, I think that’s going to undermine this idea that we keep having about a patchwork. Though, certainly, I hope a patchwork could emerge that would actually force congressional action. But until that time, again, I’m not holding my breath on Congress.
Jennifer Huddleston: Well, and if I can jump in, I think actually that’s a good segue to kind of what some other states other than California are doing and to talk about what Washington’s doing as well as why I at least think that the potential for patchwork is more than just a kind of abstract legal theory. And I will jump in on this innovation disruption point a little bit and point out that post-GDPR investment in startups and small and micro firms has been shown to go down. So at a time when a lot of people are expressing concerns about the potential size and concentration in the technology sector, it is worth considering the impact that this could have, not just on large companies but on small and innovative companies that may grow to be that next generation disrupter.
The Washington proposal is modeled almost exactly on the GDPR with a couple of differences because the GDPR actually would, at least in my opinion and in the opinion of some other people, raise potential concerns when it comes to certain U.S. speech and First Amendment concerns, as well as just differences in the European and U.S. approach means that it doesn’t map over exactly. Whereas CCPA was modeled on the GDPR, but it’s much more modeled as opposed to the Washington bill that seems to be practically analogous in many ways.
When it comes to that, though, it’s interesting because we have seen some companies choose to enforce GDPR globally. And we’ve seen some large companies say effectively what they will do in the U.S. is enforce the most restrictive privacy law, regardless of if that’s California or Washington or somewhere else. And I think there is a question of is that fair to consumers to have their preferences limited based on the voters of a state that they’re not a resident of.
If there’s a different state that wants to take a different approach to privacy, it’s very difficult to have two options available without having to disrupt a lot of platforms and a lot of online activity in the process. I will note I think — and correct me if I’m wrong, Joe. But I believe there already is a bit of a conflict with Maine’s law that is opt-in versus opt-out. And that is certainly a conflict we could see evolve more as more states may be considering data privacy laws and very easily lead to this case where you cannot comply with both state laws with a single version.
If one state says that consumers must opt-in and another state says consumers must opt-out, you’re going to have to have at least two different versions of a product, if not more. And I think that’s the type of thing that quite easily could end up evolving. And the question is then what happens. And like Joe, if there is an actual patchwork, I think you see two things potentially happen depending on the enforcement, which we have not, somewhat surprisingly I would actually say, seen enforcement really of the CCPA yet but that you would end up either with a court case about this disruption and the inability to comply, particularly given the Dormant Commerce Clause concerns, or that that would be the kind of driving force behind federal action.
Joseph Jerome: Well, I guess obviously I would push back on a whole lot of that. There’s been a lot of — everything good and bad about privacy gets attributed to the GDPR. Oftentimes, we’ve got privacy advocates saying the GDPR’s a privacy gold standard. You’re attributing declines in investment to the GDPR when I think there’s a whole lot of other interesting regulator actions in Europe that are worth consideration.
I also would be curious to know what studies you’re referring to if we’re discussing things about ad tech. I know there was some initial economic studies that looked at the initial impact of the GDPR. But I certainly haven’t seen anything that suggested the GDPR’s been responsible for any long-term trends in EU.
The Maine law is interesting, although I would highlight that when you referenced to that that is a broadband privacy law that sort of reinstates regulations that were put in place by the Obama era Federal Communications Commission. Again, I don’t think that there’s a tension there. That’s a law that applies to ISPs. If you’re Comcast, you know who your Maine residents are, and you know who your customers are that you get an opt-in to. That’s not really going to impact folks that are in California.
But that’s all to say that it is a complicated landscape. The Washington law — I do think — to sort of put us back on track, I think the Washington law is worth everyone’s attention regardless of the good and bad in it simply because this is the third time that this law has been introduced in Washington state. The Senate sponsor of that law has been able to get it through the Senate pretty easily. And really where there’s been a huge fight over things like enforcement of the law — it ultimately always comes down to sort of whether we want to have AG or private rights of action.
It’s sort of been bogged down in the House. But the election has actually completely changed the legislative landscape in Washington. The Chair of the House Information Technology and Economic Development Committee lost his race. So you’re going to have a new chair. A number of the members of that committee have also sort of bounced off. So I’ve been sort of struggling to figure out whether that makes the law more likely to pass or less likely to pass.
But every year, it has gotten, I think, closer and closer to the finish line as — initially the law had really broad discussions of facial recognition. And it was discussing both commercial and government use. And each year, they’ve carved off fewer things. And I do think if you pass that law it creates a nicer model because, as Jennifer points out, it is echoing a lot of what’s in the GDPR, not just both in terms of requirements but also in terms of language.
But if I can sort of throw back one final prompt to Jennifer, you were discussing whether it’s fair that certain states could restrict the opportunities of other states. As a practical matter, what are the privacy rights in these laws that you don’t like and would think would be too restrictive? You highlighted the loyalty program issue, which was a huge fight in California. But Prop 24 actually sort of affirmatively says loyalty programs are the law of the land and good to go. So what is the issue per se?
Jennifer Huddleston: I think it depends on the particular state, and there are a lot of different elements that can come into play. I worry that in some cases we are going to limit the choices that consumers have with these laws. I think if the goal is merely to promote transparency and education so that consumers are making the choices for themselves that’s one thing. But what we’ve seen is that there are tradeoffs in terms of privacy and security at times when it comes to some of the requests under GDPR and what we’ve seen happen there.
We’ve also seen that there are potential cases where there may be hesitancy to use data in ways that could be beneficial if there’s concern that it’s going to be a compliance issue or what not. So I think there’s the question more broadly, which is where you and I disagree, about whether the better option is to be less restrictive and perhaps have higher risk or to be more restrictive and perhaps lose out on a potentially beneficial option. Because my question back would always be to point to the harm in some of these cases, which at times seems to be rather a tenuous — or very hard to calculate.
That being said, I do think one area where we can potentially agree and that this might be a good place to kind of take this next is that in a lot of states we are seeing a shift away from some of these broader privacy bills that had almost included everything and the kitchen sink. You mentioned the Washington bill that seemed to get a lot of things tacked on to it in the process. And instead seeing much more targeted issues that let us discuss what some of those actual tradeoffs are with particular technologies and let policymakers and citizens come to the conclusion of when they find some level of intervention to be necessary.
So we’ve seen separate bills on facial recognition. We’ve seen separate bills on this kind of government privacy element when it comes to data. And we’ve now seen the consumer privacy element at times be separated completely. And I think we should look at that states and policymakers are learning more about how to address what their particular concerns are rather than trying to address everything broadly in one go with the potential tradeoffs and ramifications that could come with that.
Matthew Heiman: Let me just chime in on that. So what you’re articulating, Jennifer — and I’m not suggesting that there is a grand plan happening with state legislatures necessarily thinking this way — but this approach of a more targeted approach is somewhat consistent with the way the federal government has approached data privacy in a lot of respects where they’ve identified certain financial sectors or other places where they want to take specific action, whether it’s the financial sector or it’s the healthcare sector where there certainly are data protection provisions that those industries need to be mindful of.
Just playing that theme out a little further, I was wondering if you two could comment — since we talked about the East Coast and the West Coast, I’m thinking about the Midwest and Michigan’s ballot initiative on warrants for electronic data. Now, that’s a very specific data privacy issue that the voters were asked to consider. And I was just wondering maybe, Joe, if we could start with you. Do you have any thoughts on that and what the consequences of it are? And then I’ll turn to Jennifer for the same.
Joseph Jerome: I think Jennifer and I are in complete agreement here. It’s about damn time. I’ve primarily worked on consumer privacy issues, but I do think we haven’t exactly — I guess the thinking is, if you’ve been interested in privacy since law school, the Fourth Amendment hasn’t exactly kept up with the pace of technology, despite the best efforts of the Supreme Court to occasionally try and pontificate new doctrine to explain what is expected of law enforcement when it’s searching and seizing digital data. And so you really have seen states step into that vacuum all over the place.
And the practical reality is, when you have things like location data, device data — I think it was Chief Justice Roberts that highlighted just the sheer volume of contents and intimate information that can be held in a person’s phone. That’s all information that probably should be subject to some form of legal process. Usually, civil liberties advocates are calling for warrant requirements. And that’s what we saw in Michigan.
And I think you’re going to see that — you want to talk about a patchwork of different warrant requirements whether we’re talking about digital information or geolocation specifically, you really are sort of seeing this slow creep of states trying to put controls in place there. And I think it has huge ramifications for how technology’s going to impact our society. This is probably further afield from this conversation, but I’ve always been very interested in CalECPA, which is the California Electronic Communications Privacy Act, which again puts in place certain warrant requirements and puts in place consent requirements when any government entity is trying to collect information.
That’s having huge ramifications and debates as cities deploy smart technology and smart infrastructure. There’s some really interesting litigation going on right now between Uber and the City of Los Angeles over a mobility data specification. And I think all of that is highly useful. The reality is — and as a consumer privacy advocate, I’m well aware of the huge quantities of information that private companies are collecting.
To the extent that that information is easily accessible to law enforcement, it raises just the overarching spectra of surveillance. But it also sort of makes us ask questions about how should government entities responsibly collect and use and understand the information of its citizens.
Jennifer Huddleston: Well, and I think this is always fun because Joe and I, who spend our time on the opposite side of most of the consumer privacy debate, can agree on this. And I want to actually expound a little bit on why we can agree on this as well. And Joe, you brought up the LA — and you know scooters are one of my other favorite things to talk about.
Joseph Jerome: Mine too.
Jennifer Huddleston: But I think that in some ways that has provided a unique example in that consumers, I think, get that — to use the scooter example, I can choose whether to use a Lime or a Bird scooter. And if I’m a privacy sensitive consumer, I can go in and read what data they’re collecting and whatnot and make my choice based on my own privacy preferences. On the other hand, I, as a consumer, can’t necessarily choose in the same way what data the company is forced to hand over to law enforcement or city officials with a request or a warrant. So this has been an interesting case in that we have seen states respond to what was a relatively narrow ruling in Carpenter that only applied to cellphone location information and really reevaluate if they needed to update their own requirements when it comes to warrant requirements for electronic data.
Another reason that this is a little bit different than the — or is quite different than the state level broad consumer privacy approach is this is basically the state restraining itself and restraining its own use of data and placing an additional civil liberties protection on there. Now, there are certainly times when this information may be critical to solving a case, but just like with other information, we have warrant requirements to ensure that there is some sort of balance between the civil liberties concerns and the possible use of this in a court of law or in some sort of criminal case.
So I think with that in mind, it’s important to note that what we’ve seen in Michigan — before Michigan, Utah was probably the first state to really pass this kind of legislation. And they did it via a bill rather than a ballot initiative — is that this is state’s going ahead of the federal government but in such a way that that patchwork doesn’t really emerge in the same disruptive sense because it is the state limiting itself and its own law enforcement as opposed to the state limiting consumers or limiting the companies that may be engaged in using data.
Matthew Heiman: Thank you. And I’m just being mindful of the time and want to give our audience a chance to answer some questions. So Colton, I’m going to turn it over to you. I don’t know if there’s a procedure you need to go through to open it up for audience member participation.
Colton Graub: Sure. Thank you, Matthew. While we wait for our first audience question, Matthew, is there anything else you’d like to ask Jennifer or Joe?
Matthew Heiman: Yes, there are. I’m just wondering, based on the commentary thus far, we do have a new president coming in in late January. And I heard you both briefly comment on prospects for federal legislation. And I’m just wondering if you could expand on your thoughts. And I’m particularly interested to know, if there was to be federal data privacy legislation in the works, do you think it would be a more comprehensive approach? Or do you think it would be more targeted or piecemeal items to address particular needs? I’m just wondering — maybe we’ll start with Joe and then turn to Jennifer on that one.
Joseph Jerome: So I worry that my answer to this gets too in the weeds of political how the sausage gets made and the dysfunction in D.C. So first as a practical matter, as someone that’s working on state privacy legislation and monitoring what’s going on at the federal level, I think there’s just a tremendous amount of disconnect. Again, as a political reality, the Speaker of the House is from California. There’s a huge California congressional delegation.
So you’re going to have to have a federal law because I think we all agree that the goal would be to preempt something like the CCPA, which means it’s going to have to duplicate the CCPA. And I sometimes don’t think lawmakers quite understand what that means. So that’s just a political challenge.
As a matter of policy, there are a number of legislative proposals on the table. The Senate Commerce Committees have gone really far with consumer privacy legislation. And again, aside from figuring out how those laws will be enforced and what they’re going to do to different state laws, there’s quite a bit of overlap.
My concern as a privacy advocate and, Matthew, to your point, these are really broad privacy laws. But the problem is they’re focused on the Commerce Committee, so you have situation where they might not be able to sort of scope in health privacy laws or financial privacy laws. There’s certainly going to be a tension in terms of law enforcement access and what that means for a federal consumer privacy law.
And then as a practical matter, I think the goal is to have something very broad, but then as you start wheeling and dealing and slicing and dicing, you end up with something that ultimately gets to be pretty basic and noncomprehensive. And then we’re back to where we started where that doesn’t solve the problem we’ve identified.
Matthew Heiman: Thanks, Joe. Jennifer, thoughts on federal activity during the next Congress?
Jennifer Huddleston: Similar to what Joe was saying, I do think the Commerce Committee has tried throughout the last Congress to potentially arrive at a federal bill and that there are just various political reasons that nothing has fully emerged that could serve that role. I think two of the areas where there is quite a bit of dispute still is on the preemption question and whether a federal bill would serve as a floor or a ceiling. Given the concerns about the potential patchwork, I would suggest that it does need to be preemptive of state and local laws.
And I do think there is also still a lot of disagreement over the enforcement mechanism when it comes to whether it would be enforced by a new agency, by the Federal Trade Commission, which has done a good deal of privacy enforcement. I’m guessing Joe may disagree with me about the zealousness of some of that enforcement. But I think that you can look at examples like the Facebook consent decree to see that they do have tools with quite a bit of bite when necessary to redress potential consumer harm and that they do have quite a bit of experience at the FTC when it comes to data privacy. And there have been various other proposals with who could be a potential enforcer, as well as the potential use of state AGs there.
So I think that those two big picture elements have to have some sort of agreement before any kind of specific federal data privacy bill could truly gain the traction that was necessary. In terms of updates to industry specific bills, I think it will be interesting to see, as well as any federal bill will have to determine how it interacts with the sector specific privacy laws, with things like educational privacy rights, with things like health privacy, with things like financial privacy that already have their own regulatory regime and what this may mean for those.
I will say with regards to the Biden administration, I think there is, from some statements that I have read, an awareness of federal privacy law. But there’s been an awareness on both sides of the aisle of a federal framework being better than a state by state approach. I would also suggest that we are likely to see a more prescriptive approach given the current makeup of Congress and the incoming Biden administration as opposed to an approach that may have been more preemptive and less — a lower standard than the current California standard.
Joseph Jerome: And I’d like to jump in and just say quickly that the preemption question is really difficult, not just as a matter of whether it’s good or bad but as a legal question. And let me give you an example of this. So at Common Sense, we’ve done a lot of work on state student privacy laws, which are enforced by state AGs. There hasn’t been a lot of consideration of whether those types of laws would be covered by a federal privacy law.
So if you had a federal privacy law that preempted state student privacy laws — and state education stuff tends to be a pretty local consideration — you then go back to a baseline of FERPA, which is the federal privacy law, which doesn’t apply to, say, education technology companies. It applies directly to schools and doesn’t involve consumer protection really at all. And so that’s a really tough question.
And how you slice and dice what should be preempted is incredibly difficult because we might all agree that we want to preempt things like the CCPA or some of the state biometric laws. But what about some of the state health confidentiality laws or state consumer protection laws? So far in the proposals that we’ve seen at the federal level, I think Congress — you’ve got Republicans saying, “Let’s preempt as much as we can,” and Democrats saying, “Let’s preempt nothing.” And that sort of binary all or nothing approach really doesn’t get into the legal complexities of preemption.
Jennifer Huddleston: I will say I think something that we can both agree on is how complex privacy law is and how any solution is going to need to be equally complex in the sense of this is not an easy A or B answer, that there’re going to be compromises that are needed to provide certainty at times but at the same time that we have to be aware of the tradeoffs inherently involved in a lot of these conversations.
Matthew Heiman: Let me ask one more question in the remaining minutes we have. And it’s one I’m going to put to both of you. And this is where I’m asking both of you to pull out your crystal balls. And I want you to look at those crystal balls, and I want you to tell me what is the sleeper data privacy issue that’s going to get talked about in 2021 that you don’t think people are really focused on today? So Jennifer, we’ll start with you, and then we’ll finish with Joe.
Jennifer Huddleston: I don’t know if it’s that people are not focused on it today, but I think contact tracing apps are going to be a big point of conversation. There is a lot of potential to do a lot of good with particularly these Bluetooth enabled contact tracing apps as an approach to notifying people that have been exposed to COVID. But there’s been some consumer hesitancy to adopt them in some cases out of what are stated to be privacy concerns.
I think that there are a lot of ways to alleviate some of those privacy concerns by putting guardrails on what the government could use this data collected for, better education about how the anonymity elements of these apps work because I do think that they are — that the companies that have created these apps have effectively gone out of their way to make them as privacy sensitive as reasonably possible. So I think that that could be kind of a small part of the conversation that could actually lead to a lot of good pretty immediately in increasing consumer trust in a technology that could assist a lot in response to the pandemic.
Joseph Jerome: I absolutely agree with that. I would point out that I think a lot of the technology we’re seeing deployed in response to the pandemic actually highlights why we need a consumer privacy law. It’s not just that I think folks are concerned about governments looking at this information. But frankly with a lot of the mobile health apps it’s “How is my health status going to be used for commercial purposes? How is it going to be used for eligibility determinations? What’s it going to mean if it gets into my employer’s hands?” And those are all things that I think a consumer privacy law should do.
To piggyback on that a little bit, I think the sleeper issue that isn’t being considered at the state level nearly enough or at the federal level is employment privacy concerns. Prop 24 actually delays consideration of how that law should impact employees until, again, 2023. The prospects of employer surveillance of their employees for, I think, legitimate public health purposes — but then, you know, there’s plenty of other creepy, inappropriate chilling ways that employers can use information about their employees. That is something that has been woefully under addressed by existing legislation and, frankly, the privacy debate at large.
Matthew Heiman: Great. Well, I’m not sure that I’m going to pass both of you calling COVID related privacy a sleeper issue but fair enough. Fair enough. There will inevitably be some debate around these tools and employers’ use of these tools. I think it’s just important we remember that I think to Jennifer’s point a lot of these companies sort of went out of their way to create these tools to do some good in the world.
And I think employers, to the extent they’re using them, are doing them primarily not to spy on their employees but to simply keep employees safe from furthering the contagion. But that being said, there are always issues around these things. Any last words before we close out this hour, Joe or Jennifer?
Joseph Jerome: I would just echo that in 2021, just as a matter of where the political action will be, the Washington Privacy Act is worth paying attention to. Prop 24 has taken a lot of the oxygen out of the room. And again, regulations for that law won’t even begin to be created until the middle of the year. But for the first six months, it’s a long legislative session in Olympia this year. And the passage of that law, I think, again, maybe give some credence to Jennifer’s patchwork effect but I think would further necessitate Congress becoming more awake to the fact that states are moving.
Jennifer Huddleston: I will add, I think, that the Washington bill, which is probably the one that we can almost certainly agree will come back — it will be interesting to see if other states that had privacy bills that then had legislative sessions disrupted bring those back or not. But I think given what we’ve seen in the last two attempts with the Washington bill it’s also interesting to watch for this question of is there really momentum at a state level where states are trying to act in this vacuum or has there been a decision that this is going to be end up being a federal issue with the exception of what has happened in California?
Joseph Jerome: Well, I think states are taking a wait and see approach.
Jennifer Huddleston: And it’s not necessarily an either/or. But I mean in the sense of are we going to see many states passing this bill, or has this momentum at even a state level to do something on privacy kind of died down?
Joseph Jerome: Well, in 2020 we did see Texas actually put together a privacy protection advisory council that put out a report saying, “We might need more legislation here.” So I think there’s interest. Whether that gets anything across the finish line I think you’re probably right to be skeptical.
Matthew Heiman: Well, on that note of I’ll call it marginal agreement, I want to thank both Joe Jerome and Jennifer Huddleston for the conversation today. Appreciate you being available to talk about these important issues. And with that, I will turn it over to Colton to close us out.
Colton Graub: I would like to join with Matthew in thanking Jennifer and Joe for their time today. We’re very grateful for everyone for joining us. We welcome listener feedback by email at [email protected]. If you would like to listen to the recording of this teleforum, you can do so at regproject.org. And you can follow us on social media at @fedsocrtp. Thank you for joining us. This concludes today’s call.
Conclusion: On behalf of The Federalist Society’s Regulatory Transparency Project, thanks for tuning in to the Fourth Branch podcast. To catch every new episode when it’s released, you can subscribe on Apple Podcasts, Google Play, and Spreaker. For the latest from RTP, please visit our website at www.regproject.org.
This has been a FedSoc audio production.
Technology Policy Research Fellow
Multistate Policy Director
Common Sense Media
General Counsel & Corporate Secretary, Waystar Health and
Senior Fellow and Director of Planning, National Security Institute