States Could Play a Vital Role in Enforcement

Currently, there is no comprehensive federal privacy law in the United States. To fill that void, states are actively proposing and enacting privacy laws. California recently passed the California Consumer Privacy Act,¹ Vermont passed a data broker registry bill,² and Illinois has long had a biometric privacy law.³

This situation raises two important questions regarding state authority: whether state AGs can enforce a federal privacy law, and whether state legislatures have the freedom to enact their own privacy laws. A federal privacy law could change the state-federal dynamic by either strengthening or curtailing states’ enforcement power. Congress could, for instance, allow states to build on a federal law or preempt states from taking any action on privacy at the state level. Congress could also refuse to allow states to enforce a federal privacy law, scaling back on the number of privacy enforcers. Alternatively, Congress could empower state AGs to enforce a privacy law (along with whatever state privacy laws exist). The options in-between are many. Where on this spectrum Congress should land is a subject of much debate.

State enforcement provides several benefits. As Bee of the National Association of Attorneys General noted, states are “a hedge against industry capture, they're a hedge against political pressure that could be applied to any federal agency. Since our members are diverse, our members are multi-party, they have the ability to step in if one industry has taken a policy position or political position one way or the other.” In addition, because of the variety in leadership among state governments, states can adopt different approaches that can complement one another. State enforcement could also help provide a more thorough enforcement regime than a single agency, which could be too partisan in its enforcement and/or lack sufficient resources. Further, states can take action that affects local constituents that a federal agency may overlook. As Getachew argued, “states are seeing that some of these practices [that violate people’s privacy] are being abused in their communities and they want to do something about it, which is not being addressed at the federal level.” Essentially, more privacy enforcement—particularly at the state level—would better protect consumer privacy overall, because “privacy is too big for one agency to handle,” as Getachew said.

On the other hand, states acting on their own by passing legislation and enforcing their own laws or a federal privacy law could create various problems. From a company perspective, having to address different laws in different states could cause burdensome compliance challenges. At the very least, it could raise compliance costs, which companies could then pass onto advertisers or consumers. States may also interpret particular aspects of a federal law differently, creating inconsistencies throughout the country in how the law is interpreted and enforced. However, as Bee pointed out, “companies and industries [navigate multiple state laws] every single day. If you're going to do business in a state, you're agreeing to abide by all of their laws.” He later stated that the Uniform Law Commission is working on model legislation,⁴ which may help create uniformity among state privacy laws.

Nonetheless, Banker argued that consumers could be confused if Congress allowed states to act on their own, because consumers would not know when certain companies are bound by a particular state’s laws:

as you travel around and stay in different hotels and buy from different vendors, or you find some unique supplier of something you want in a far-off state, that seller may not have sufficient contacts with California to be subject to [California] law, and the California law has carve-outs [such as for small businesses]. So do consumers need to know what the size of the business is that they're dealing with, to understand whether they have rights to access and deletion?

These issues could be alleviated by a single, federal privacy law. If the substantive privacy protections at the federal level are strong, consumers and civil society may be more amenable to preemption, though there are no such protections yet. Ultimately, whether Congress should preempt state laws and whether it should give state attorneys general enforcement authority will depend on its answers to many of these competing concerns and questions.

If states end up playing an active role in the enforcement of a federal privacy law, Bee argued that giving states the ability to bring lawsuits in state court, rather than in federal court exclusively, could encourage state enforcement. State AGs regularly bring challenges in their own state courts, and they may be more familiar with the operations of their state courts than with federal courts. The ramifications of this policy choice are demonstrated by the enforcement of the Children’s Online Privacy Protection Act (COPPA); states have been reticent to bring COPPA enforcement cases because the law requires states to bring cases in federal court, not state courts. State court enforcement authority would help improve state privacy enforcement.