The Federalist Regulation of Privacy: The Happy Incidents of State Regulatory Activity and Costs of Preemptive Federal Action.

Author: Adams, Henry

    The impact of society's digital integration is difficult to articulate. It suffices to say much of our lives are now digitized, and digital technologies have yielded immeasurable benefits to the individual and society at large. Change heralds challenge, and the digital paradigm-shift has brought challenges of comparable numerosity and magnitude. Privacy is at the forefront of those challenges. In recent years, the digital industry has been subject to increased scrutiny over the rising number of privacy scandals and perceived market failures related to the collection and use of individuals' personal information. (1) New technologies, market developments, and increases in public attention have culminated in widespread perceptions of privacy threats and abuses. (2) Governments around the globe are responding by revamping their regulation of privacy and the digital industry. (3) In stark contrast, the United States federal government has maintained its rudimental self-regulatory approach. (4) A handful of states, spearheaded by California's enaction of the California Consumer Privacy Act of 2018 ("CCPA"), have moved to fill the gap left by federal inaction. (5) The scope of the CCPA is unrivalled by any previous United States privacy regulation, and with its activation date quickly approaching, industry actors have focused their lobbying efforts in Washington D.C. to the increasing reception of federal legislators. (6) Any congressional action could have major repercussions for state and federal regulators' ability to police the collection and use of citizens' personal information, and accordingly, such action may redefine privacy in the United States. The present scenario raises important questions about federalism and novel informational privacy regulations. Few commentators have addressed the issue directly, (7) and no one has done so recently. What role should the federal government and states play in addressing the privacy concerns of Americans? 
Should the federal government preempt the CCPA and its progeny in favor of active federal regulation of the digital industry's collection and use of personal information? What are the consequences of allowing the CCPA and similar state laws to regulate the control of their citizens' personal information? This Comment will explore such questions.

    Section II briefly introduces contemporary understandings of privacy to contextualize the privacy challenges United States regulators currently face. Section III focuses on the federal government's approach to regulating privacy issues. Section IV focuses on privacy regulation at the state-level, emphasizing the complex relationship between federal and state regulators in national responses to emerging privacy issues. Section V then explains the history and structure of the CCPA before Section VI assesses the implications of the CCPA's enaction and the likely response of federal regulators, concluding with the assertion that strict preemptive action could result in less effective national regulation and prohibit state government attempts to address harm to their constituents. If Congress genuinely wishes to address widespread privacy concerns, it should do so carefully in a way that preserves the ability of states to regulate freely in the area.


    The interesting thing about privacy is "nobody seems to have any very clear idea what it is." (8) Labeling privacy as a coherent and consistent right, rather than an evolving conception of social necessity subject to change, simplifies the reality of this "messy and complex subject." (9) Concise, holistic definitions of privacy have evaded scholars since Justice Louis Brandeis and Samuel Warren proffered "The Right of Privacy" to American law. (10) Brandeis and Warren were concerned that new technologies, specifically cameras, would enable private actors to intrude on the privacy of other individuals. (11) As "perhaps the most famous and certainly the most influential law review article ever written," (12) their work went on to inspire a century of scholarship which has culminated in the irreconcilable "divergent strands" of theory that comprise modern privacy law. (13) The strand of "informational privacy" provides a foundation for understanding privacy in our digital era.


    At the emergence of computer technologies in the 1960s, Alan Westin described "informational privacy" as the power of "individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others." (14) Westin's concept of informational privacy began the "privacy-control" paradigm that forms the basis of modern informational privacy law. (15) Privacy-control emphasizes individuals' ability to control and limit access to information about themselves. (16) In the modern digital era, privacy scholars and legislative frameworks have "gravitated towards the idea of privacy as a personal right to control the use of one's data." (17)

    The era of "big data" has revived the subject of informational privacy. (18) Emerging technologies have created "novel forms of data flow," (19) much of which consists of "personal information" relating to individuals. (20) The digital industry recognized the profit-potential of collecting, processing, and selling personal information decades ago. (21) As the market has developed, that value has incentivized the proliferation of practices and technologies that "preserve the current status quo of maximum information disclosure." (22) That trend has only intensified as new technologies and the "Internet of Things" (23) integrate consumer products into the digital ecosystem, exacerbating privacy concerns by exponentially increasing the volume, quality, and value of personal information collected from individuals. (24) The result is "some of our most sensitive information ends up amassed in giant, unstructured pools of information kept by tech industry giants." (25) The United States' current informational privacy predicament was anticipated and reported to federal lawmakers nearly four decades ago:

    [N]ongovernmental invasions of privacy are not limited to individual efforts. Corporations, financial institutions, and other large organizations all seek to compile information on individuals and employ that information to their own benefit. Often the information is obtained, directly or indirectly, from an individual who agreed to permit collection of the data for a particular reason; but the data is frequently centrally compiled and used for other purposes, ultimately giving the entity holding the information tremendous economic, social and even political leverage over the individual. In effect, private institutions have acquired some of the coercive capability which hitherto had been an exclusive power of government. We face a future where information will play a central role, where control of information about a person could be tantamount to controlling that person. (26)

    While there are benefits to the digital industry's expansion, (27) there are also great harms. (28) Privacy harms, like the definition of privacy itself, are subject to continuous discussion. (29) Whether you characterize privacy harms as objective or subjective, (30) the increased concerns of individuals are evidence of some harm occurring. (31) Advancements in consumer technologies exacerbate privacy concerns and increase the already widespread calls for protective legislation. (32) However, United States regulators, particularly at the federal level, "have lagged in grappling with the new problems raised by the digital revolution." (33)


    The United States "famously does not have omnibus federal data privacy law." (34) Rather than regulate the digital industry's collection and use of personal information in a cohesive framework, Congress has selected certain industries and "sensitive" information types to receive heightened regulation, resulting in a legislative patchwork of sectorial federal regulations. Within those expressly regulated areas, federal agencies actively promulgate rules and police the collection of digital information with civil actions. Outside of that patchwork, the collection and use of personal information is not regulated through codified rules, and industry entities can self-regulate their data practices with minimal policing from federal regulators. The Federal Trade Commission ("FTC") is the primary regulator of the federal scheme, and as the de facto digital specialist for the past two decades, the agency has garnered the informal title of the "Federal Technology Commission." (35)

    1. The Sectorial Patchwork of Federal Privacy Regulations: The FTC's Active Regulation by Rulemaking and Enforcement in Limited Areas

      In the words of the current FTC commissioner Noah Phillips, it "is not an accident of history" that federal regulation "focuses privacy and security rules on the sectors of the economy where Congress has determined such rules are most needed." (36) As noted by Phillips, federal lawmakers have deemed certain types of information "sensitive" enough to warrant formal federal regulation, (37) and the result is the handful of narrow privacy laws tailored to specific sectors of the economy. (38) The sectorial framework regulates "limited types of information, in limited situations," (39) and each statute empowers a federal agency, commonly the FTC, to promulgate rules and police entity compliance. (40)

      The Children's Online Privacy Protection Act of 1998 ("COPPA") is one law in the patchwork that empowers the FTC to protect children's personal information. (41) COPPA requires the FTC to promulgate and enforce rules to give the parents of children "under the age of 13" (42) the ability to control private entities'...
