Showing posts with label Broadband Privacy. Show all posts

Tuesday, October 31, 2023

Maine May Join the State Privacy Law Club

Might the Pine Tree State in 2024 become the fourteenth state to pass a comprehensive data privacy law – and thereby further compound the problem of multiple, conflicting state statutes? It's possible. The Maine legislature's bicameral Judiciary Committee considered "An Act to Create the Data Privacy and Protection Act" (LD 1977) at a hearing two weeks ago.

LD 1977 is modeled on the American Data Privacy and Protection Act (ADPPA), a piece of federal legislation that easily cleared the House Commerce Committee back in August 2022 before losing forward momentum. That LD 1977 takes its lead from the ADPPA is somewhat ironic, as one of the primary motivating factors driving the ADPPA was the problem of a "patchwork" of state-specific laws, a problem that LD 1977 threatens to exacerbate.

To make matters worse, LD 1977 problematically diverges from the ADPPA by including an extremely broad private right of action. Specifically, Section 9620(2) states that:

A violation of this chapter or a rule adopted under this chapter with respect to the covered data of an individual constitutes an injury to that individual. The injured individual may bring a civil action against the party that commits the violation, except that an individual may not bring a civil action against a small business.

Possible remedies include actual damages or statutory damages starting at $5,000 per violation, whichever are greater; punitive damages; attorney's fees and costs; and injunctive and declaratory relief. A "small business" is a "covered entity" or "service provider" (but not a "data broker") that (1) generates less than $41 million in annual revenues, and (2) does not collect or process the personal data of more than 200,000 individuals.

Something else to consider: as I described in "Maine's ISP-Only Privacy Law Will Not Protect Consumers," an April 2020 Perspectives from FSF Scholars, Maine adopted a privacy law in June 2019 that singles out broadband Internet service providers (ISPs), requiring them – but not other participants in the broader online ecosystem, such as "edge providers" like Alphabet, Meta, and Amazon – to obtain "opt-in" consent from customers before using their personal information.

At an absolute minimum, any additional privacy legislation must acknowledge – and address – this disparate treatment of broadband ISPs.

Friday, March 25, 2022

Utah Becomes Fourth State to Pass a Privacy Law

On March 25, 2022, Beehive State Governor Spencer J. Cox signed the Utah Consumer Privacy Act (the Act), making Utah the fourth state to enact its own unique take on comprehensive data privacy legislation.

In a March 8, 2022, post to the Free State Foundation's blog, I reported that the Act had passed both state legislative chambers unanimously and was "nearly certain" to become law. I also provided a general overview of the consumer rights and corporate responsibilities set forth therein.

Yesterday, Utah officially joined California (the California Consumer Privacy Act and the California Privacy Rights Act), Virginia (the Virginia Consumer Data Protection Act), and Colorado (the Colorado Privacy Act) on the steadily expanding list of states occupying the vacuum created by the absence of a preempting federal privacy law.

Consequently, the logistic headaches for both consumers and businesses I described in "Inconsistent State Data Privacy Laws Increase Confusion and Costs," a March 2021 Perspectives from FSF Scholars, have become more intense.

On the bright side, the Act, which is based on the Virginia statute and appears to strike a workable balance between protecting the rights of individuals and allowing businesses to continue to innovate, potentially could serve as a promising model for the federal law we all eagerly await.

For one thing, it comes down on what I view as the right side regarding the contentious issue of a private right of action, leaving enforcement exclusively to the Office of the Attorney General.

Tuesday, March 08, 2022

Utah "Nearly Certain" to Become Fourth State to Pass a Privacy Law

Any day now, Utah almost certainly will become the fourth state to enact comprehensive data privacy legislation. As I have written previously, in a series of posts to the Free State Foundation's blog and Perspectives from FSF Scholars, Congress bears the increasingly urgent responsibility to pass a federal privacy statute, one that preempts state laws, rejects a private right of action, and establishes a single set of clear rules that businesses can abide and consumers can understand.

Even President Biden, in his State of the Union Address, acknowledged the need for Congress to break the privacy logjam.

The California Consumer Privacy Act and the California Privacy Rights Act. The Virginia Consumer Data Protection Act. The Colorado Privacy Act. Four laws in three states, each imposing a unique set of rights and responsibilities on the border-defying Internet.

In "Inconsistent State Data Privacy Laws Increase Confusion and Costs," a March 2021 Perspectives from FSF Scholars, I explained the headaches that result. Companies must either (1) take high-risk pains to associate accurately each customer interaction with the appropriate state, or (2) craft one-size-fits-all compliance programs that reflect the "greatest hits" imposed by the growing list of states taking steps to fill the federal void. Consumers, meanwhile, are left to try to make sense of these overlapping and contradictory state-specific regimes on their own.

The Utah Consumer Privacy Act is poised to further complicate this already untenable situation. Based upon, but by no means identical to, the Virginia Consumer Data Protection Act, it was passed unanimously by both the Utah Senate and House of Representatives. Last Friday, it landed on the desk of Governor Spencer Cox, who is "nearly certain" to sign it into law. Assuming he does, it will become effective at the end of next year.

Similar to the other state privacy laws already enacted, the Utah Consumer Privacy Act (Act) would establish rights for consumers (to know what personal data is collected, to access or delete that information, to opt out of the collection, use, and sale of personal data for certain purposes, and so on) and responsibilities for covered entities (such as obligations to provide adequate notice to consumers, to safeguard collected personal data, and to respond within a defined window to consumer requests).

However, and as is already the case regarding the laws passed in California, Virginia, and Colorado, the specifics of the Act in many instances are one of a kind.

For example, and subject to exceptions, the Act would apply to a "controller" (defined as "a person … who determines the purposes for which and the means by which personal data is processed") or "processor" (defined as "a person who processes personal data on behalf of a controller") who:

  • Does business in Utah or targets state residents with a product or service;
  • Generates at least $25 million in annual revenues; and
  • Either (a) accesses the personal data of at least 100,000 consumers in a year or (b) derives more than half of its gross revenues from the sale of personal data and accesses the personal data of more than 25,000 consumers.

In the March 2021 Perspectives referenced above, I pointed out that applicability is one of the many ways in which the various state laws deviate from one another – and thereby complicate matters for all involved: "As an initial matter, these bills establish different minimum thresholds – including annual gross revenue amounts and number of individuals, or individuals, households, and devices, subject to data collection – for a business to be deemed covered."

Other ways in which the Act would differ from other state laws:

  • The Act would create the consumer right to delete personal information – but only that data in fact provided by the consumer, not data the covered entity has obtained from other sources.
  • It would define "sensitive data," a subset of personal data, to include information such as racial and ethnic origin, religious beliefs, sexual orientation, medical history, and genetic, biometric, and geolocation data. Covered entities would be required to provide notice and an opportunity to opt out of the collection and/or use of "sensitive data" – rather than requiring that consumers first opt in.
  • It would define "sale" in a manner that, unlike, say, the California Privacy Rights Act, does not include "other monetary consideration."

To be clear, I am not saying these variations are good or bad – just complicating.

Finally, I want to point out approvingly that the Act states unambiguously that "[a] violation of this chapter does not provide a basis for, nor is a violation of this chapter subject to, a private right of action under this chapter or any other law."

Instead, the Act would task the Department of Commerce's Division of Consumer Protection with investigating consumer complaints. The Office of the Attorney General, in turn, would have exclusive enforcement responsibility. Covered entities would be provided with a 30-day right to cure, after which penalties up to $7,500 per violation could be imposed.

Wednesday, September 29, 2021

FTC Commissioner Wilson Recruits Student Researchers to Inform and Inspire Efforts to Pass a Federal Data Privacy Law

Citing what she describes as "significant information asymmetries," Republican FTC Commissioner Christine Wilson long has advocated for a comprehensive federal data privacy law. In fact, she discussed that very issue in her keynote address at the Free State Foundation's Twelfth Annual Telecom Policy Conference in March 2020.

More recently, she partnered with Duke University on a research project designed to expedite the currently stalled legislative process.

To date, efforts to pass a federal privacy law have been stymied by partisan disagreements regarding two issues in particular.

One, whether a federal data privacy law should preempt similar state laws. As I have argued on numerous occasions, most recently in "Pressures Multiply for Congress to Act on Data Privacy," a Perspectives from FSF Scholars published earlier this month, it should.

The growing list of states with their own, inconsistent statutes – which currently includes California (both the California Consumer Privacy Act and the California Privacy Rights Act), Virginia (the Virginia Consumer Data Protection Act), and Colorado (the Colorado Privacy Act) – unreasonably complicates companies' compliance efforts and creates chaos for consumers.

Two, whether it should provide for a private right of action. It should not. Generally speaking, class-action lawsuits benefit attorneys, not consumers. Case-by-case enforcement by the FTC is the better approach.

Unable to find common ground on these questions, lawmakers have made no observable progress of late. However, the fact that the Senate Commerce Committee is holding a hearing today titled "Protecting Consumer Privacy," the first of its kind this year, perhaps offers a glimmer of hope.

Given the failure to date of Congress to pass privacy legislation, there have been repeated calls for the FTC to commence a rulemaking. On September 20, a group of Democratic Senators led by Richard Blumenthal (CT) wrote to FTC Chair Lina Khan urging her to do just that.

Notably, and in specific response to the lack of legislative momentum, at one point Commissioner Wilson herself reluctantly expressed her support for an FTC privacy rulemaking, a statement that I highlighted in a July 2021 post to the FSF Blog.

But in light of a pattern of agency actions that Commissioner Wilson troublingly regards as an "abrupt departure from regular order" – including, most recently, the September 15th decision along party lines to withdraw the Vertical Merger Guidelines that were issued in 2020, to which she and fellow Republican Commissioner Noah Phillips responded with a co-authored Dissenting Statement – she has had a change of heart.

In an Oral Statement submitted to the House Commerce Committee's Subcommittee on Consumer Protection and Commerce in July of this year, she wrote the following:

In recent months, I had become more receptive to a [Magnuson]-Moss rulemaking on privacy to address the information asymmetry between the providers of goods and services and their users. But the Commission recently voted along party lines to pare back procedural safeguards and limit opportunities for public input during agency rulemakings. Given these changes, I am less inclined to support a Mag-Moss rulemaking on privacy. Federal privacy legislation remains the optimal solution.

In an attempt to facilitate that "optimal solution," Commissioner Wilson several months ago partnered with Duke University's Professor David Hoffman, along with students from its law school and Sanford School of Public Policy, to produce "a resource for legislators" – specifically, research-driven insight into how other federal statutes have addressed these two sticking points.

The fruits of that effort, which focused on both federal statutes (ten on the topic of preemption, six regarding remedies) and the European Union's General Data Protection Regulation (GDPR), have been made available publicly here.

In a keynote address delivered at "Exploring Options: Overcoming Barriers to Comprehensive Federal Privacy Legislation," a related event held on September 21, 2021 (video available here), Commissioner Wilson offered her perspective on these findings.

While acknowledging that the research revealed that "federal statutes that preempt an entire field of law are rare," Commissioner Wilson argued that the more common approach — where Congress "establish[es] a federal floor and allow[s] states to pass more stringent laws" — is not well suited to "fields like … the Internet that transcend state and national borders."

Given that:

  1. "[T]he very nature of the Internet makes it likely that the most stringent state standard will become the de facto national standard," and
  2. A primary regulatory objective should be to ensure that businesses are subject to consistent obligations,

Commissioner Wilson suggested that a better way forward would be to ensure that those rights and responsibilities established at the federal level are sufficiently robust on their own: "If the [federal] law provides strong rights and imposes appropriate standards and obligations on businesses, as well as robust and accessible remedies, more stringent state laws should not be necessary."

She also indicated that, given the dynamic and constantly evolving nature of the online experience, she would support "vesting the FTC with carefully tailored rulemaking authority … to facilitate updating key definitions and provisions over time."

With respect to remedies, Commissioner Wilson began with the point that a strong privacy law, one that empowers and adequately funds the FTC's efforts, would undercut one of the primary arguments as to why a private right of action may be necessary – that is, the perception that current levels of enforcement are inadequate.

She also highlighted research demonstrating that "abusive class action practices increase costs for businesses – while providing little in the way of redress for consumers, changed business practices, and deterrence."

Stepping back, Commissioner Wilson then made the foundational recommendation that "we … broaden the conversation" beyond solely whether or not to include a private right of action to "focus on establishing a constructive remedial framework."

In that vein, she cited "Breaking the Privacy Gridlock: A Broader Look at Remedies" by Jim Dempsey, Chris Hoofnagle, Ira Rubinstein, and Katherine Strandburg, when making the following three points:

  1. Remedies should be tied to policy goals,
  2. No one remedy can successfully promote even a simple goal and therefore an effective law should include multiple remedies, and
  3. Intermediaries and third parties play a powerful role.

Asserting that "an 'all or nothing' approach will not serve the goals of privacy legislation," Commissioner Wilson suggested that alternative enforcement proposals be given serious consideration, including those that involve:

  • A supervisory authority and/or third-party intermediaries, or
  • A private right of action "in limited circumstances [with] substantive and procedural limits," exclusively "for specific, highly sensitive types of data," or providing only for injunctive relief.

In conclusion, she stated the following: "Ideally, the remedies contained in privacy legislation will turn on the kinds of injuries consumers may suffer."

At the same time, she teed up the question as to how the standing test set forth by the Supreme Court in its 2021 TransUnion LLC v. Ramirez decision might impact the options available to Congress.

Tuesday, September 14, 2021

Privacy Recap: Biden Nominates Bedoya to FTC, House Commerce Committee Proposes $1B for New Privacy Bureau

It's not yet Wednesday, and already it's been an eventful week with respect to the FTC and data privacy.

First, President Biden on Monday nominated Alvaro Bedoya to be the third Democrat to serve as a Commissioner at the FTC. The official announcement by the White House states that "[h]is research and advocacy focus on the idea that privacy is for everyone" and touts his work on facial recognition technology.

Mr. Bedoya is a visiting law professor at Georgetown Law, where he serves as the founding director of the Center on Privacy & Technology.

Republican Commissioner Noah Phillips tweeted that "Alvaro would bring a bright and thoughtful voice and a depth of experience working across the aisle on privacy to the FTC."

Second, the House Committee on Energy & Commerce yesterday began a full committee markup of the so-called Build Back Better Act, a series of legislative recommendations for budget reconciliation.

Today, lawmakers are expected to consider Subtitle O, which would appropriate $1 billion over the next ten years to fund a new Privacy Bureau at the FTC "to accomplish the work of the Commission related to unfair or deceptive acts or practices relating to privacy, data security, identity theft, data abuses, and related matters."

News reports suggest Republican opposition to this proposal, including its hefty price tag, which totals nearly three times the agency's budget for fiscal year 2021: $351 million.

At the same time, politicians from both sides of the aisle continue to agree on the persistent and distinct need for federal privacy legislation.

In the Politico piece linked to above, a Republican committee aide speaking anonymously emphasized the importance "of passing actual legislation with real privacy protections for all Americans."

Likewise, Democratic Senator Maria Cantwell (WA) tweeted that the proposal is "an important step for protecting consumers," but also that she "will continue to fight for a federal privacy and data security law that protects consumers and creates certainty for businesses."

In a recent Perspectives from FSF Scholars, "Pressures Multiply for Congress to Act on Data Privacy," I listed the mounting pressures on Congress to adopt a comprehensive federal data privacy regime, which include the following:

  • Three states (California twice, Virginia, and Colorado) so far have passed inconsistent laws that unnecessarily create costly headaches for businesses and confusion for consumers.
  • The European Union (EU) has in place the General Data Protection Regulation (GDPR) and, in August, China adopted the Personal Information Protection Law.
  • Cyberattacks, including one involving the information of over 50 million consumers discovered in August by T-Mobile, call out for a comprehensive data privacy regime.
  • The lack of a federal data privacy law impedes efforts to reestablish a privacy shield for personal data transfers from the EU to the U.S.

I therefore suggested that legislation along the lines of the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act, reintroduced this session by Republican Senators Roger Wicker (MS) and Marsha Blackburn (TN), might serve as a promising starting place.

Relatedly, in a December 2019 piece for the Free State Foundation entitled "Federal Privacy Legislation: Bipartisan Discussions Devolve into Dueling Drafts," I compared an earlier iteration of the SAFE DATA Act favorably to the Consumer Online Privacy Rights Act, rival legislation cosponsored by Senator Cantwell.

Friday, September 25, 2020

Privacy Recap: Senate Commerce Committee Holds Hearing, Republican Members Introduce SAFE DATA Act

There have been two recent developments of note on the topic of privacy at the federal level, specifically before the Senate Committee on Commerce, Science, & Transportation.

First, on September 17, Committee Chair Roger Wicker (MS), along with three fellow Republican members (John Thune (SD), Deb Fischer (NE), and Marsha Blackburn (TN)), introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.

The SAFE DATA Act is a revised and expanded version of a November 2019 staff discussion draft that I summarized in a Perspectives from FSF Scholars, "Federal Privacy Legislation: Bipartisan Discussions Devolve into Dueling Drafts."

The bill formerly known as the United States Consumer Data Privacy Act "has been updated to clarify definitions, expand the scope of data that is covered under the bill, and protect consumers from being manipulated by algorithms used by online platforms."

With respect to this last point, it incorporates language from the Filter Bubble Transparency Act introduced by Senator Thune and the Deceptive Experiences To Online Users Reduction (DETOUR) Act introduced by Senator Mark Warner (D-VA).

It also appropriates $100 million to the FTC to carry out its provisions and authorizes the agency to obtain monetary relief on behalf of consumers for violations of the FTC Act.

Second, the Commerce Committee on September 23 held a hearing on the topic of privacy. Witnesses at "Revisiting the Need for Federal Data Privacy Legislation" included:

  • Julie Brill, former FTC Commissioner and current Corporate Vice President, Chief Privacy Officer, and Deputy General Counsel for Global Privacy and Regulatory Affairs at Microsoft Corporation;
  • William Kovacic, former FTC Chairman and Commissioner and current Director of the George Washington University Competition Law Center;
  • Jon Leibowitz, former FTC Chairman and Commissioner, now an attorney at Davis Polk & Wardwell LLP and co-chair of the 21st Century Privacy Coalition;
  • Maureen Ohlhausen, former FTC Commissioner and Acting Chairman, now a partner at Baker Botts L.L.P.; and
  • Xavier Becerra, California Attorney General.

Among other things, the hearing focused on the heightened need for federal privacy legislation in light of the COVID-19 pandemic and the effectiveness of the California Consumer Privacy Act (CCPA) and its implementing rules.

Press reports indicate that, while a private right of action and preemption of state laws continue to serve as sticking points, lawmakers instead emphasized those areas upon which they agree. Nevertheless, it remains to be seen whether Congress will act this year.

Friday, August 28, 2020

Rules Implementing California's Privacy Law Now in Effect

In an August 14 press release, California Attorney General Xavier Becerra announced that, at long last, final rules implementing the California Consumer Privacy Act (CCPA) had been approved, with some "unexpected" revisions, by the Office of Administrative Law (OAL). They became effective immediately.

As I wrote previously on the Free State Foundation blog, at one point it seemed likely, at another conceivable, that administrative hurdles would delay those rules until October 1.

January 1 was the effective date of the CCPA, but the AG was barred from enforcing its provisions until July 1. Press reports indicate that his office began notifying businesses of non-compliance on day one.


The CCPA affords businesses receiving such notices 30 days to cure alleged violations before formal enforcement activity, whether a confidential investigation or a lawsuit, can commence. Dozens of such investigations reportedly are underway. To my knowledge, however, to date no suits have been filed.

According to Stacey Schesser, Supervising Deputy AG, that first round of notices was driven by complaints received from consumers, targeted online businesses operating across a range of industries, and focused on those that allegedly either (a) had not made available mandatory disclosures, or (b) had failed to add a "Do Not Sell My Personal Information" link to their websites.

Previously, the Attorney General had indicated his intention to prioritize violations impacting minors and other vulnerable groups.

Now that the implementing rules are in effect, we should expect the AG's office to begin enforcing them, as well.

In an April 30 Perspectives from FSF Scholars, I noted that a group of over 60 affected businesses in March wrote to AG Becerra requesting that he forbear from enforcement until next January in light of the serious economic fallout from the COVID-19 public health crisis. He declined, and in the press release announcing OAL's approval of the rules, argued instead that "[a]s we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security."

Sunday, June 28, 2020

Privacy Roundup: CPRA Qualifies for CA Ballot, Comcast Enables Encrypted DNS

Two quick updates on privacy topics I've addressed recently:

First, California Secretary of State Alex Padilla announced on June 25 that the California Privacy Rights Act (CPRA) will appear on the ballot this November.

According to Californians for Consumer Privacy, the organization behind the ballot initiative, polling indicates that voters are likely to approve the CPRA.

For a critique of what many refer to as the CCPA 2.0, please check out my May 27 Perspective from FSF Scholars, "California Privacy Regulation Must Account for the COVID-19 Crisis."

Second, that same day Mozilla and Comcast announced that the latter will be the first ISP to provide Domain Name System (DNS) over Hypertext Transfer Protocol Secure (HTTPS) (DoH) encryption to users of the Firefox browser.

According to the press release, "DoH helps to protect browsing activity from interception, manipulation, and collection in the middle of the network by encrypting the DNS data."

In an April 9 Free State Foundation Perspectives, "Maine's ISP-Only Privacy Law Will Not Protect Consumers," I explained how the increasing use of DoH, and HTTPS encryption generally, limits ISPs' ability to "see" what subscribers do online – and how edge providers, by contrast, have far greater access to online personal information.

This voluntary action by Comcast not only enhances subscriber privacy, it also undermines further the proffered justifications for the Maine statute.

Monday, April 13, 2020

Will Enforcement of California's Privacy Law Precede Final Rules?

Between Easter and quarantine baking, eggs are trending. But do they – or chickens – come first? No one knows for certain. By contrast, the sequential order of rules and enforcement is, or at least should be, noncontroversial. Step one, establish the do’s and don’ts. Step two, target the violators. Not when it comes to the California Consumer Privacy Act (CCPA), however.

The CCPA, which became effective on the first of January, includes language that, on its face, appears to defer the commencement of enforcement. Except that it does no such thing. California Attorney General Xavier Becerra may not initiate enforcement “until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”


No, that’s not a typo. The statute contemplates that the AG might bring action before his office has provided those subject to the CCPA with the necessary clarity that only finalized rules can afford. This is particularly problematic given that those rules will spell out actions that businesses must take in order to be in compliance. Specifically, they will define, among other things, the categories of personal information covered, the processes for submitting and responding to opt-out requests, and the manner in which notices must be provided.

Making matters worse, the AG’s office has indicated that it will consider taking retroactive action – that is, pursuing companies for alleged violations that occur prior to July 1.

Businesses cannot comply with rules that do not yet exist. Nevertheless, and even though the CCPA was adopted back in 2018, the AG’s office did not publish proposed rules until October 11, 2019 – virtually assuring that they would not be finalized by this July. Since then, it has issued two sets of modified rules, on February 10 and March 11. Comments on the latter were due just over two weeks ago. What the next steps are (yet another round of edits?), and how long they might take, currently are not known.

Then, on March 30, California Governor Gavin Newsom issued Executive Order N-40-20, which, in light of the impact of the Coronavirus-related State of Emergency that he declared on March 4, extends “deadlines … related to the filing, refiling, certification and/or review of regulations and emergency regulations … for a period of 60 calendar days to allow state agencies additional time to finalize regulatory changes pursuant to the Administrative Procedure Act.”

As a practical matter, this effectively ensures that, come July 1, entities covered by the CCPA will find themselves in regulatory no-man’s land.

On March 20, a group of 66 trade associations, companies and other organizations wrote to Attorney General Becerra asking that he forbear from enforcing the CCPA until January 1, 2021. They based their request on both the incomplete status of the rules and the general impact of the COVID-19 pandemic.

An advisor to the AG, responding to a request for comment by Forbes, wrote in an email that “[r]ight now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first…. We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

As Dan Jaffe, Executive Vice President of Government Relations for the Association of National Advertisers (one of the signatories to the forbearance letter mentioned above) recently blogged, “[e]nforcing last minute regulations without giving companies time to adapt their practices accordingly is not right. It is not fair for consumers who expect standard, legally compliant responses from business. It is not fair for businesses who deserve clarity in regard to their obligations under the CCPA.”

Thursday, November 21, 2019

California's Privacy Law: Recent Developments Underscore the Need for Preemptive Federal Law

In an October 2019 Perspectives, I argue that the California Consumer Privacy Act of 2018 (the "CCPA") violates sound principles of online consumer privacy regulation and threatens to reduce consumer welfare – and not just within that state's borders. Given the size of California's economy and the prominent role it plays in the tech and information services sectors, the harmful impact of the CCPA could be felt across the country, if not the world. It is therefore incumbent upon Congress to adopt a federal privacy law that preempts California's attempt to establish de facto rules of the road for the nationwide digital services marketplace.
A recent announcement by a major technology company highlights my concerns.
In a blog post on November 11, 2019, Julie Brill, Microsoft's Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer, announced that the company "will extend CCPA’s core rights for people to control their data to all our customers in the U.S." Other companies undoubtedly will follow suit, for a number of reasons.

First, it may be more cost efficient to establish and maintain a single, national compliance program than one for the state of California and another for the rest of the country.
Second, consumers reasonably expect that a single set of online protections will apply regardless of where they, or the company with which they are transacting, happen to be.
Third, online traffic flows inherently are interstate in nature. By design, the route that an Internet Protocol data packet travels is influenced by real-time network congestion levels. Even between the same two end points, that path – and the state(s) that it passes through – can vary from one moment to the next. To the extent that targeted compliance requires the accurate identification of a consumer's location, companies may choose to apply the CCPA nationwide rather than risk a violation solely due to technical error.
A new federal privacy law could sidestep these issues – but only if it preempts state action. Not all lawmakers agree, however. In fact, two Democratic members of the House introduced legislation on November 5, 2019 that would make the situation far worse.
The Online Privacy Act, drafted by Silicon Valley Representatives Zoe Lofgren and Anna Eshoo, proposes its own highly proscriptive set of privacy rules. Among other things, it would: create consumer rights that are similar, but not identical, to those found in the CCPA; require companies to obtain explicit consent (i.e., "opt-in") before disclosing or selling personal information; prohibit the use of web traffic information as the basis for ads; create a new federal bureaucracy – the 1,600-employee-strong Digital Privacy Agency – rather than leverage the experience and expertise of the Federal Trade Commission; and establish a private right of action for individuals.
The most significant problem with the Online Privacy Act, however, is that it would impose requirements at the federal level – but would fail to preempt state laws. De facto regulation of the nationwide digital services marketplace pursuant to the California model would be bad. The "patchwork" that could result if other states enact their own laws would be worse. Worst of all, however, would be an additional layer of burdensome federal regulation on top of (likely inconsistent, and certainly problematic) state law(s).
The effective date of the CCPA is right around the corner. Absent congressional action, on January 1, 2020, California's ill-conceived approach as a practical matter may become the privacy law of the land. Those members of Congress who recognize the need for a coherent, nationwide approach to online privacy oversight should act promptly to preempt not just this inconsistent state law, but also rival proposals at the federal level that threaten to exacerbate the situation.

Thursday, March 28, 2019

Prepared Remarks of FTC Chairman Joseph Simons at FSF's Telecom Policy Conference

The Free State Foundation's Eleventh Annual Telecom Policy Conference was on March 26. This year's conference included a keynote address by Federal Trade Commission Chairman Joseph Simons. His remarks focused on "how the FTC's two missions—competition and consumer protection—apply to the internet ecosystem."

Chairman Simons offered an overview of how the FTC can reach broadband Internet service provider behavior such as blocking, throttling, and paid prioritization under its antitrust and consumer protection jurisdiction. He also discussed the FTC's authority to address alleged deceptive and unfair privacy and security practices by ISPs. According to Chairman Simons, "the FTC will remain active in Internet commerce… we will be able to protect consumers from anticompetitive and unfair or deceptive conduct by ISPs and other firms in this fast-paced industry."

The prepared version of Chairman Simons' remarks is available at the FTC's website here.

Wednesday, March 27, 2019

Prepared Remarks of NTIA's David Redl at FSF's Telecom Policy Conference

The Free State Foundation's Eleventh Annual Telecom Policy Conference was held at the National Press Club on March 26. The Conference included a keynote address by Assistant Secretary of Commerce and NTIA Administrator David Redl. His remarks addressed data privacy, spectrum policy, and expanding broadband. They are available at NTIA's website. 

Regarding data privacy, Assistant Secretary Redl discussed NTIA's request for public comments on the matter. Based on the comments received, Assistant Secretary Redl observed "a sense of urgency, and a desire for American leadership on privacy," along with a "broad industry consensus that we can't have a patchwork regulatory landscape with the U.S."

In his remarks, Assistant Secretary Redl acknowledged comments submitted to NTIA by Free State Foundation scholars, including President Randolph May and me:
In the comments from Free State, we heard various ways to improve the Federal Trade Commission’s jurisdiction over consumer privacy. You called the FTC the "preferred agency to enforce privacy protections across all digital platforms." 
We agree that it is important to take steps to ensure that the FTC has the necessary resources, clear statutory authority, and direction to enforce consumer privacy laws.
Assistant Secretary Redl also thanked Free State Foundation for comments its scholars submitted to NTIA as part of its process for developing and implementing a comprehensive National Spectrum Strategy by late July. 

The prepared version of Assistant Secretary Redl's remarks is available here.

Thursday, January 17, 2019

Senator Rubio Introduced New Privacy Bill

On January 16, 2019, Senator Marco Rubio (R-FL) introduced the "American Data Dissemination (ADD) Act." This legislation would require the Federal Trade Commission (FTC) to submit recommendations for privacy requirements to Congress using the Privacy Act of 1974 as a framework. 

The bill also would require the FTC to submit to the appropriate committees of Congress proposed regulations to impose privacy rules on "covered providers," which include Internet service providers and edge providers. Within two years of the bill's passage, if Congress does not enact a law based on the FTC's recommendations, the legislation would give the FTC the authority to promulgate a final privacy rule.

In 2018, Free State Foundation scholars submitted two sets of privacy-related comments to federal agencies: 

Thursday, August 23, 2018

FSF Comments to FTC: The Intersection Between Privacy, Big Data, and Competition

On August 20, 2018, Free State Foundation President Randolph J. May and I submitted comments in connection with the FTC's "Hearings on Competition and Consumer Protection in the 21st Century." These particular comments are submitted on the topic of "The Intersection Between Privacy, Big Data, and Competition."
Here is an excerpt from our comments:
The exchange of non-sensitive consumer information enables companies to sell targeted advertising, which covers the costs of offering “free” content and services to consumers. Substantial evidence shows that the overwhelming majority of consumers are willing to exchange personal information for “free” content and services. However, it is important that firms provide consumers with adequate disclosure regarding the collection and use of their personally identifiable data. This way, as part of the bargain, consumers are empowered to make informed choices that reflect their preferences.
Because the functioning of much of the Internet ecosystem involves the exchange of non-sensitive consumer information, as a default, "opt-out" rules, as opposed to "opt-in" rules, spur the development of additional Internet content and services. This enables the monetization of a greater pool of consumer information, while still empowering consumers with a choice about if they want their data collected and used. For certain clearly sensitive information, for example relating to health or financial services, the default should be opt-in rather than opt-out.
Consumers expect the application of consistent privacy rules throughout the entire United States. Therefore, privacy regulation in the U.S. should reflect those expectations, whether consumers are doing business with an Internet service provider (ISP) or an edge provider. Internet communications do not stop or change at state borders and neither should privacy laws. To the extent state-by-state privacy regulations differ, this creates a "patchwork problem" for service providers that, at a minimum, imposes additional costs but also is likely to stifle investment and innovation. The FTC should regulate the privacy practices of both edge providers and ISPs in a consistent manner, and to the extent that a "patchwork" of state laws and regulations develop that impose more stringent requirements on service providers than those imposed at the federal level, then those state laws and regulations that conflict with federal policy should be preempted.

Friday, January 19, 2018

Internet Giants Aim to Preserve Their Regulatory Advantage

Internet giants Google, Amazon, and Facebook, among others, announced, through their trade association, the Internet Association, that they plan to join legal challenges to the FCC’s recent Restoring Internet Freedom Order (RIF Order). Internet Association President & CEO Michael Beckerman issued the following statement in conjunction with the announcement:
The final version of Chairman Pai’s rule, as expected, dismantles popular net neutrality protections for consumers. This rule defies the will of a bipartisan majority of Americans and fails to preserve a free and open internet. IA intends to act as an intervenor in judicial action against this order and, along with our member companies, will continue our push to restore strong, enforceable net neutrality protections through a legislative solution.
The approach of the recently repealed 2015 Open Internet Order is not neutral at all, however, in its practical effect. The Order had the effect of supporting the imposition of stringent privacy restrictions on Internet service providers (ISPs), like Comcast and Verizon Wireless, which did not apply to Google, Amazon, and other major Internet companies that are among the largest collectors of personal consumer data. This approach, under which the largest Internet giants are subject to less stringent privacy regulation, attracted strong bipartisan criticism, as former Federal Trade Commission Chairman Jon Leibowitz, a Democratic appointee, explained in April 2017:
By creating a separate set of regulations that bind only internet service providers — but not other companies that collect as much or more consumer data — with heightened restrictions on the use and sharing of data that are out of sync with consumer expectations, the FCC rejected the bedrock principle of technology-neutral privacy rules recognized by the FTC, the Obama administration, and consumer advocates alike. Protecting privacy is about putting limits on what data is collected and how it is being used, not who is doing the collecting, and for that reason, a unanimous FTC — that is, both Democratic and Republican commissioners — actually criticized the FCC’s proposed rule in a bipartisan and unanimous comment letter as “not optimal,” among 27 other specific criticisms of the rule (emphasis added).
The 2015 Order also imposed several strict conduct regulations on ISPs like Comcast and Verizon Wireless. These public utility-like neutrality limitations were not applied to system administrators for business networks, to cloud backup services during uploads of data from customers, or to online gaming services that may throttle bandwidth at certain times to prevent their services from overloading and crashing. They also did not apply to traffic on private networks operated by “edge providers” like Google and Amazon.

And we’ve now learned that it did not apply to Apple’s sub rosa throttling of iPhones in what Apple now claims – when the throttling was discovered – was an attempt to preserve the battery life of phones. While Apple argues that this undisclosed throttling was needed as a measure to protect iPhone owners, it could also have the effect of encouraging more iPhone owners to pay to upgrade from their older devices instead of replacing their batteries. In any event, Apple did not disclose the practice to its consumers.

Tom Evslin, former chief technology officer for the state of Vermont and former chief executive of VoIP provider ITXC Corp, described in August 2017 how Google and Amazon engage in the same throttling and prioritization behavior that they seek to prohibit ISPs from engaging in:

In fact, however, web giants like Google and Amazon have private networks that connect to the internet in many locations. They have data caches (think of them as content warehouses) around the world. Their websites do pop up faster than yours because their bits travel mostly on their private networks and avoid internet backbone and interchange congestion. In other words, they have their own private fast lanes. You can’t achieve this speed for your website unless you build a private network of your own (unlikely) or host your website on Amazon or Google, in which case they may share some of their private access network. I have hosted services on Amazon, and they charge me more depending on how many locations from which I want my data served. In other words, faster is more expensive on their network.

Conveniently these private fast lanes are specifically exempt from the 2015 Federal Communications Commission’s Open Internet (aka “net neutrality”) regulations, which reclassified basic internet access service in a way that lets the FCC micromanage it and prohibit public “fast lanes.” The members of the Internet Association are “edge services,” so they are unregulated by this rule.

Regardless of how much Internet Association members like Google and Amazon may claim they want to bring back “net neutrality” to protect consumers, a significant impact of their actions is to try to re-impose regulation to protect themselves from ISP competition. If they succeed, the result will be to keep more stringent regulations on their ISP competitors. To the extent that regulation of providers of services in the Internet ecosystem is needed, it at least should be a somewhat uniform enforcement regime, not one so disparate that ISPs are regulated in a much more heavy-handed manner than Internet web giants like Google and Amazon.