Data privacy in our federalist system: toward an evaluative framework for state privacy laws.

Author:Glosson, Tony

TABLE OF CONTENTS I. INTRODUCTION A. Overview of Note II. BACKGROUND III. THE DORMANT COMMERCE CLAUSE AND THE EARLY APPROACH TO THE INTERNET: AMERICAN LIBRARY ASSOCIATION V. PATAKI A. Extraterritoriality: New York's Law Was Invalid Because It Necessarily Governed Wholly Out-of-State Transactions B. Pike Balancing: New York's Law Was Unconstitutional Because It Substantially Chilled Interstate Commerce with Few Countervailing Local Benefits. C. Inconsistent Regulations: New York's Law Was Unconstitutional Because Permitting States to Govern the Internet Would Result in Interlocking Regulatory Schemes that Would Stifle Interstate Commerce. IV. GEOLOCATION TECHNOLOGY CHANGES THE DORMANT COMMERCE CLAUSE ANALYSIS, BUT NOT NECESSARILY THE RESULT A. Extraterritoriality: Geolocation Mandates Are On Constitutionally Questionably Ground Because They Directly Regulate Wholly Out-of-State Transactions B. Pike Balancing: Common State Data Privacy Laws Are Unconstitutional Because Their Underwhelming Local Benefits Cannot Justify the Burden of Location-Based User Filtering. V. CONCLUSION I. Introduction

In 2013, Target drew fire for mailing pregnancy-themed advertisements to a teenage girl who had not yet revealed her pregnancy to her parents. (1) Drawing from myriad data points including age, income, address, ethnicity, spending patterns, and more, Target's analytics algorithm identified the girl as likely to be pregnant. (2) In other words, Target knew before her parents did--ultimately forcing her hand in the timing of her announcement to her family. (3)

Even as privacy advocates increasingly express concern, the demand for consumer data is exploding. One industry study projects that consumer data collection--or colloquially, "big data"--will be a $16.9 billion industry in 2015, up from $3.2 billion in 2010. (4) Simultaneously, it is becoming cheaper to gather information. consulting firm McKinsey & co. has estimated a growth rate of roughly 40% in consumer data collected year over year, with a mere 5% corresponding increase in IT spending. (5) In fact, the growth in data collection may force major changes in technological infrastructure: according to some reports, over half of the surveyed c-level executives acknowledge that their infrastructure lacks the capacity to handle the demands of modern data collection. (6)

But the story does not end with the collection of traditional demographic data by previously disinterested players. Instead, wholly new data points emerge daily, each with its own set of privacy implications. The so-called Internet of Things--geek-speak for network connectivity built into traditionally "dumb" apparatus like refrigerators or thermostats--allows collection of personal data in the unlikeliest of places. (7)

But what role should the law play in guarding privacy during the data revolution? More fundamentally, whose law should play which roles in our federalist system? The allocation of regulatory authority over data collection may be as consequential as the substantive regulations imposed. (8) On the one hand, technology firms view the prospect of a medley of fifty assorted state privacy regimes as economically unworkable, and have already begun to object that recent state laws are "impossible to implement" and "extremely burdensome for start-up [companies]." (9) These firms assert that, if data collection is to be regulated, it is the role of the federal government to implement a single, coherent set of laws that apply nationwide. (10) Some state attorneys general, meanwhile, argue that the federal government might not act as quickly or as sweepingly as they would like. (11)

This Note offers a constitutional framework for analyzing the distribution of regulatory authority over data privacy, and ultimately concludes that the Dormant Commerce Clause precludes most state data privacy legislation. (12)

  1. Overview of Note

    When assessing state data privacy law, the challenge is to apply traditional principles of federalism to a revolutionary industry. The academic literature in this emerging field is somewhat sparse. Nonetheless, established constitutional doctrines guide this inquiry and this Note proffers a methodical application of those principles to the growing body of state data privacy laws.

    This Note begins by reviewing a seminal district court decision on state Internet regulation, American Library Association v. Pataki. (13) Pataki demonstrates how courts have traditionally applied the Dormant Commerce Clause doctrine in the Internet context. Next, the Note addresses the ways in which modern technology has altered the applicability of the Pataki analysis. Finally, this Note concludes that geolocation changes the Dormant Commerce Clause analysis, but leaves several problems with state data privacy laws unresolved.

    It bears mention that there are a number of constitutional grounds on which an entity might challenge state Internet regulations. Although this Note focuses on one, the Dormant Commerce Clause, state Internet regulations may implicate constitutional doctrines like preemption and personal jurisdiction as well.


      The federal government has enacted a number of laws regulating elements of Internet activity and commerce. (14) However, many of those laws deal with criminal concerns such as hacking or gambling, or particular sets of data such as health records or information about children. Unlike most European countries, (15) and the European Union as a whole, (16) the United States has not enacted an overarching set of data privacy standards. (17) Instead, the United States tends toward spot-regulation, targeting specific data privacy issues or high-risk industries. (18) The closest the United States has come to enacting a uniform standard is the Federal Trade Commission's ("FTC") authority to prosecute "unfair or deceptive" business acts or practices, (19) which the FTC has interpreted to include regulation of data protection practices. (20) Some states, perceiving a gap in privacy protections, have passed their own privacy regulations. (21) For example, several states have enacted data breach disclosure obligations, which mandate that businesses inform their customers when private information may have been compromised in a data breach. (22) More aggressive examples include California's "Online Eraser" law, which requires websites to implement a mechanism for registered users who are minors to take down any embarrassing past posts, (23) and California's "Do Not Track" law, which requires website operators to explain how they respond to data collection opt-out signals sent by users' browsers. (24) This patchwork of state laws can be particularly onerous for Internet-based companies because, in addition to tracking the developments in fifty-one jurisdictions, they must also tailor their products to comply with sometimes-conflicting demands under state laws. These state laws also raise questions regarding the constitutional allocation of regulatory authority over the Internet.

      Under the U.S. Constitution, state authority is limited by several provisions, including the so-called "Dormant Commerce Clause." The Commerce Clause grants to Congress the power "[t]o regulate commerce ... among the several states...." (25) Over time, the courts have recognized that this grant of federal power precludes the states from enacting regulations that unjustifiably burden interstate commerce. (26) Nevertheless, states retain a residuum of power by which they may regulate matters affecting their citizens' health and safety, even if those regulations have an incidental effect on interstate commerce. (27) Accordingly, the constitutional analysis of a state data privacy law examines whether the law's effects on interstate commerce adequately respect the sovereignty of the coequal states over their own economies.


      American Library Association v. Pataki, decided in 1997, was one of the first cases to apply the Dormant Commerce Clause to a state Internet regulation. (28) Since that decision, three circuit courts have adopted the Pataki court's reasoning to invalidate other state legislation regulating the Internet. (29) In Pataki, the law at issue was a New York statute that prohibited transmitting obscene content to minors. (30) Because libraries often provide content through their websites that could be considered obscene, the American Library Association ("ALA") sued to enjoin New York from enforcing the law. The ALA explained that its members generally did not know the ages or locations of their website visitors, and were therefore concerned that they would need to censor content that was perfectly legal in other states to guard against prosecution under New York law. (31)

      The court agreed, and issued an injunction. (32) Judge Preska began her analysis by noting that laws governing the Internet inherently regulate interstate commerce. (33) She observed that "Internet protocols were designed to ignore rather than document geographic location;" (34) that the Internet itself is an instrument of interstate commerce because it "serves as a conduit for transporting digitized goods;" (35) and that "the novelty of the technology should not obscure the fact that regulation of the Internet impels traditional Commerce Clause considerations." (36) Having established that Dormant Commerce Clause principles apply to Internet regulations, Judge Preska worked through three independent modes of Dormant Commerce Clause doctrine: (a) extraterritoriality; (b) Pike balancing; and (c) susceptibility to inconsistent regulations. (37)

  2. Extraterritoriality: New York's Law Was Invalid Because It Necessarily Governed Wholly Out-of-State Transactions.

    Extraterritoriality doctrine holds that a state law is invalid if it regulates transactions outside the borders of the regulating state. (38) Judge...

To continue reading