Ganka Hadjipetrova is the principal at Hadjipetrova Law in Palo Alto, California. Her practice focuses on intellectual property, privacy, and corporate transactions law in the context of start-up businesses. Hannah G. Poteat is a solo practitioner in San Francisco, California. Her practice focuses on privacy and Internet law.
This article proposes that in the absence of a baseline federal privacy law, states are becoming primary legislative and policing authorities in the area of privacy and data security. The article offers a brief exploration of the factors behind the states’ rising importance for the law of privacy. An overview of recent state legislative plans, particularly of the so-called “California effect,” and of state attorneys general initiatives illustrates the leadership role states have assumed in privacy rulemaking and enforcement.
Unlike a growing number of countries across the globe, the United States does not currently have a comprehensive privacy law. Outside the few industry-specific laws that regulate the collection and protection of sensitive personal information, the Federal Trade Commission (FTC or Commission) has been the primary federal enforcement agency in the sphere of privacy and data security. The prominence of privacy issues in the public’s conscience as well as the increased occurrences and scale of privacy breaches are testing the FTC’s powers and resources. States are taking the initiative in privacy regulation and enforcement. Their initiative is particularly evident in the context of digital privacy.
In the absence of a federal privacy law, the federal government has policed companies’ handling of personal and sensitive information through the FTC. The source of the Commission’s authority is § 5 of the FTC Act, which grants powers to sanction unfair competition and deceptive practices.1 Recently, the FTC’s authority to regulate privacy is being met with more and more legal challenges and has suffered from doubts in Congress as well as within the Commission’s own rank and file.
The FTC was created at the beginning of the previous century with an antitrust mandate. A century later, the Commission’s § 5 authority has been stretched to encompass all sorts of claims under the unfair competition umbrella. The recently included privacy violation claims often sit uneasily under this umbrella. Last year, the Commission’s authority to prosecute data breaches was challenged in two high-profile cases, Wyndham Hotels v. FTC2 and LabMD v. FTC.3 In a congressional hearing last December, members of Congress as well as a member of the Commission expressed concern about potential vagueness in the FTC’s mandate to regulate privacy.4
The FTC has also been limited in its prosecution powers. The Commission cannot recover penalties for violations of the Act itself but only for a violation of an order or rule the Commission has issued. The FTC’s capacity is critically stretched while it struggles to tackle the exponentially growing privacy issues, which are only one of its enforcement areas.5 For this reason, as well as the limitations mentioned above, the Commission itself has advocated for states’ increased role in privacy regulation.6
The strain on the FTC’s original mandate, its restricted prosecution powers, and its limited resources are all factors that explain why the FTC faces such challenges in regulating privacy alone. States are naturally taking a prominent role on privacy issues, both as lawmakers and as enforcers.
In the last two decades, more than two-thirds of the states have either passed or considered privacy laws in the Internet and social media context. Such legislation ranges from issues related to the ability of educational institutions to collect and communicate students’ data, to employers’ access to employees’ social media accounts, to the right of minors to erase personal information stored on social networks. Social media privacy is also subject to the different state data breach notification laws, which almost all states have enacted.
Ultimately, the roots of the United States’ privacy patchwork lie in the Tenth Amendment, which reserves all of “[t]he powers not delegated to the United States by the Constitution, nor prohibited by it . . . to the states respectively, or to the people.”7 In the absence of federal legislation, or the lack of federal constitutional authority, the states have the authority to govern themselves.8 Generally, this causes little external effect: a state may enact laws with little disruption.
However, the advent and growth of the Internet has added not just an interstate and national dimension to the power of state laws, but an international aspect as well. While there are a number of federal laws that touch on aspects of the Internet, the federal government has not chosen to create a comprehensive privacy statute. In the void, states have enacted their own policies, and because of the nature of complying with a single state’s laws on the Internet, these policies have—to varying degrees—changed the world.
The “California effect” is a spread of consumer protections outside their originating jurisdiction.9 This effect begins with an influential state imposing a regulation on an industry; a gradual, overall change in the industry as it must conform with the rules of the most restrictive state in which it operates;10 a shift in consumer expectations; and, often, federal regulatory changes. While the effect is named for California due to California’s national impact on environmental regulations in the 1970s,11 the effect is not unique to the state. Any state with sufficient impact on an industry could generate the same California effect.12
The California effect is felt not just throughout the United States but also internationally, as Europe learned in drafting its 2009 ePrivacy Directive.22 The ePrivacy Directive’s breach notification provisions derive from SB 1386, and are becoming a global standard as more and more countries model their privacy statutes after European standards.
In September 2013, California passed several new laws intended to further strengthen consumer protections on the Internet. The impact of these laws on both a local and a national scale remains to be seen,23 but they all received some amount of criticism when they were passed.
California’s “Do Not Track” legislation, AB 370,24 updates CalOPPA by adding two new required elements to the privacy policies that all commercial websites must post. Do Not Track (DNT), a technology that allows website visitors to opt out of third-party tracking across sites, had support from Congress and the FTC, but an uneasy alliance of industry groups assembled to implement the technology imploded after two years of inability to reach fundamental understandings about its limitations.25 Despite a lack of definitions or clear industry standard, California forged ahead. In addition to CalOPPA’s original requirements, website privacy policies now must disclose how they respond to a visitor’s DNT and other opt-out requests, and must disclose whether third parties may be tracking the user’s activities on the service.
Even more controversial was California’s SB 568,26 commonly known as the “eraser button law.” The law requires websites to allow minors (defined as users under age 18, not only those under age 13) to access and delete information that they themselves posted. In addition, providers are prohibited from marketing certain products (including alcoholic beverages, firearms, ammunition, spray paint, cigarettes, fireworks, tanning devices, lottery tickets, tattoos, drug paraphernalia, and obscene materials) to minors. This law has been criticized by many as being ineffective at actually protecting minors’ privacy due to unclear definitions and applicability only to original postings and not reposted copies; preempted by 47 U.S.C. § 230, which protects online service providers from liability for content third parties publish; and possibly even unconstitutional as imposing itself on other states in violation of the U.S. Constitution’s dormant commerce clause.27
At the same time, California passed a law banning certain forms of “revenge porn,” or the posting online of private sexually explicit images as a form of vengeance.28 The law has been criticized for being vastly underinclusive, as it does not cover self-portrait pictures (“selfies”), even though approximately 80 percent of revenge porn victims took the images themselves.29 Additionally, some groups have criticized the law and others like it for its potential First Amendment implications: Florida had considered enacting a law criminalizing revenge porn, but could not reconcile the many concerns legislators had over free speech.30 California is now one of three states that ban sharing revenge porn online, and a House representative is preparing to introduce federal legislation to Congress.31
Finally, California passed an update to its famed data breach notification law, SB 1386. The new update expands the definition of “personal information” to include user names and e-mail addresses, “in combination with a password or security question and answer that would permit access to an online account.”32 In the event of a breach of this sort of information, the law now addresses ways to notify users. California is not alone in updating its data breach notification law; 19 states are amending or creating data breach notification statutes in 2014.33
California is not the only state that has passed privacy laws—many other states have some form of legislation that impacts Internet privacy. However, in most cases the state either passes legislation that is narrowly tailored to impact only its own residents, as in Maryland’s 2012 law prohibiting employers from requiring that any employee provide access to his or her social media accounts (a law that was quickly adopted in 13 other states, including California);34 is already controlled by either California or federal law, as in Pennsylvania’s and Nebraska’s state laws prohibiting false statements in privacy policies;35 or simply doesn’t have enough influence on the industry to spur the same California effect throughout the Internet. It is rare for a state with less industry impact to generate a wide-ranging California effect, but it can happen. When Massachusetts and Nevada passed data privacy and encryption laws that were among the most burdensome in the country, requiring businesses to take extensive proactive measures to safeguard user data,36 the impact fell mostly on large companies rather than provoking an industry-wide sea change.37 However, two states mandating encryption of user data has surely been a factor in the overall increase of encryption.
The power a single state can potentially wield may sound impressive, when viewing the impact of a (mostly) beneficial law such as California’s data breach notification law. However, in light of the California effect—when a state with tremendous influence over an industry can potentially dictate law in that industry on a national and even global scale—a flawed law can have tremendously damaging consequences far beyond the state’s boundaries.
State attorneys general (AGs) have been taking the lead in privacy enforcement and have often been the initiators of new legislation in their states. Many state AGs believe that states are better positioned to regulate and police data security than the federal government. In the words of Maryland AG Doug Gansler: “States have been the leaders, the cops on the beat defining what is reasonable and not reasonable for their own states and heading up investigations on data breach cases . . . .”38
The emerging awareness of the state enforcers as primary policymakers and enforcers in the privacy area is evident in their public statements and initiatives. Last year, Gansler, the 2013 president of the National Association of Attorneys General (NAAG), made privacy a central issue for the state enforcers through the NAAG’s Presidential Initiative “Data Privacy in the Digital Age.”39 The participation of 23 state AGs, high-ranking federal enforcers, and consumer and business advocates signaled the reality that states and their AGs have taken a central role in privacy. Energetic enforcement and strategic actions, including in cooperation with the FTC and across state borders, reflect this newly augmented role.
Cooperation among AG offices across state borders has also been growing. Particularly in the case of online and social media privacy, where state borders are easily traversed with the click of a button, state enforcers are increasingly embracing joint action. In November 2013, the offices of 38 state AGs signed a $17 million settlement with Google in relation to its circumventing Safari’s default privacy setting and allowing third parties to track the browser’s users without their knowledge or consent.42 In another multistate settlement last year, Google agreed to pay $7 million for improper collection of personal information through its Street View project.43 Notably, the settlements include long-term positive effects on privacy protection, such as Google’s commitment to educate employees on privacy protection and to proactively monitor employees’ actions. Others of similar magnitude and effect will likely follow these settlements as multistate actions become more and more common.
The determined focus of state AGs on privacy, specifically online and social media privacy, is evident in a comprehensive approach to privacy issues. State AG offices are progressively more active in legislative initiatives, public education and awareness campaigns, collaboration with businesses, and enforcement in the digital privacy context. Several offices have created units specifically dedicated to privacy issues, such as California’s Office of Privacy Protection, Connecticut’s Task Force on Victim Privacy, and Maryland’s Internet Privacy Unit.
On the legislative front, Maryland’s AG Gansler asked state legislators to make violation of the federal Children’s Online Privacy Protection Act (COPPA) enforceable in state courts.44 California AG Kamala Harris has been a major driving force behind the 2013 changes in the CalOPPA, particularly the DNT and the “eraser button” amendments.45 Prominent AGs such as Harris also have a hefty influence on interpreting privacy laws. Harris’s public pronouncement that the CalOPPA extends to mobile apps and her agreement with six leading providers to that effect has set the standard in the industry.46 In January 2013, Harris released Privacy on the Go, a best practices guide for mobile app developers that encourages a long-term view on privacy from the initial phases of an app’s development.47 The California AG office also issued the first-of-its-kind report on data breaches affecting California residents in 2012, including guidelines for the healthcare industry and recommendations for consumers on privacy protection.48 The office also announced the forthcoming publication of California’s DNT compliance guidelines.49
The California AG is not alone in taking privacy cases to court. In July 2013, New Jersey AG John Jay finalized a $1 million settlement with PulsePoint, an online advertiser that allegedly collected information and targeted advertising after bypassing consumers’ browser privacy settings.53 In September 2013, Vermont AG Bill Sorrell settled with Natural Provisions, a grocery retailer, for its delayed data breach notifications to consumers and required the company to strengthen its security.54
The rising prominence of state law and state enforcement in the privacy arena, particularly in the dynamic online and social media world, is not surprising. States are oftentimes more agile and better positioned to take quick action than the federal government. With the prospect of a comprehensive federal law still distant, states and their attorneys general will continue to hold center stage in online privacy protection.
Questions about the future of state privacy regulation abound, however. The patchwork of state laws and regulations presents a serious challenge to online and mobile service providers. While the Internet does not know state boundaries, state laws operate strictly within the borders of the state. It is encouraging to see common enforcement action among state regulators, but such initiatives are voluntary and discrete. Unless and until states forge a consensus on the main principles of online privacy, the laudable efforts to protect users’ private data may not quite work.
1. 15 U.S.C. § 45.
2. Motion to Dismiss by Defendant Wyndham Hotels & Resorts LLC, Fed. Trade Comm’n v. Wyndham Worldwide Corp., No. 2:13-cv-01887-ES-SCM (D.N.J. Apr. 26, 2013) (arguing that FTC lacks jurisdiction to pursue a case for data breaches); see Fed. Trade Comm’n v. Wyndham Worldwide Corp., No. 2:12-cv-01365-SPL (D. Ariz. June 26, 2012). On April 7, 2014, the district court rejected Wyndham’s request to dismiss the FTC’s case.
3. LabMD, Inc. v. Fed. Trade Comm’n, No. 13-15267 (11th Cir. Nov. 18, 2013) (seeking review of FTC’s authority to regulate patient-information data security in underlying administrative action, In re LabMD, Inc., FTC Docket No. 9357, File No. 102 3099 (Aug. 29, 2013)); LabMD, Inc. v. Fed. Trade Comm’n, No. 1:13-cv-01787-CKK (D.D.C. Nov. 14, 2013) (seeking declaration that FTC does not have jurisdiction over patient-information data-security breaches). The Eleventh Circuit dismissed LabMD’s petition for review on February 18, 2014, finding it lacked jurisdiction to hear the case. The following day, LabMD voluntarily dismissed its district court case without prejudice. On March 20, 2014, LabMD refiled its complaint for declaratory relief in Georgia where it is headquartered. LabMD, Inc. v. Fed. Trade Comm’n, No. 1:14-cv-00810-WSD (N.D. Ga. Mar. 20, 2014).
4. See Ruling Delayed in FTC v. Wyndham (Updated), Off. Inadequate Security (Jan. 13, 2014), http://www.databreaches.net/ruling-delayed-in-ftc-v-wyndham/.
5. Douglas Gansler, NAAG Summit Highlights Critical Role of Attorneys General in Protecting Privacy Online, Nat’l Ass’n Att’ys Gen., http://www.naag.org/naag-summit-highlights-critical-role-of-attorneys-general-in-protecting-privacy-online.php (last visited Apr. 23, 2014); see also Divonne Smoyer & Aaron Lancaster, State AGs: The Most Important Regulators in the U.S.?, Privacy Advisor, Nov. 26, 2013, https://www.privacyassociation.org/publications/state_ags_the_most_important_regulators_in_the_us.
6. Smoyer & Lancaster, supra note 5.
7. U.S. Const. amend. X.
8. See, e.g., Garcia v. San Antonio Metro. Transit Auth., 469 U.S. 528, 549 (1985).
9. See David Vogel, Trading Up: Consumer and Environmental Regulation in a Global Economy 556–71 (Harvard Univ. Press 1997).
10. Dillon Klepetar, Am. Univ. Sch. of Pub. Affairs, Paper Presented at the Annual Meeting of the Western Political Science Association: Technology-Forcing and Law-Forcing: The California Effect in Environmental Regulatory Policy 9 (Mar. 22–24, 2012), http://wpsa.research.pdx.edu/meet/2012/klepetar.pdf.
11. Following the 1970 Clean Air Act, California chose to enact stricter environmental regulations than the national standard. Because they were creating a uniform product, auto manufacturers gradually had to adopt the California standard rather than the lower national standard, and California law became the de facto national law. Consumer expectation followed, and eventually Congress followed the California standard.
12. Klepetar, supra note 10, at 18.
13. For more in-depth discussion of the California effect on privacy legislation, see Balancing Privacy and Opportunity in the Internet Age: An Informational Hearing of the Assemb. Judiciary Comm., the Assemb. Bus., Professions & Consumer Prot. Comm., and the Assemb. Select Comm. on Privacy (Cal. Dec. 12, 2013) (testimony of Paul M. Schwartz, Jefferson E. Peyser Professor, Berkeley Law School), http://op.bna.com/pl.nsf/id/kjon-9eclws/$File/Schwartz%20Testimony%20Cal%20Assembly2%20(Dec%202013).pdf; Paul M. Schwartz, In Practice: The “California Effect” on Privacy Law, Recorder (Jan. 2, 2014), http://www.therecorder.com/id=1202635738034?slreturn=20140229192354.
14. Cal. Civ. Code §§ 1798.29, .82.
15. Kentucky passed House Bill 5 on March 28, 2014, which makes Kentucky the 47th state with a data breach notification statute. See H.R. 5, 2014 Leg., Reg. Sess. (Ky. 2014), available at http://www.lrc.ky.gov/record/14RS/HB5.htm.
16. See 42 U.S.C. § 17937; 45 C.F.R. §§ 164.400–.414.
17. Cal. Bus. & Prof. Code §§ 22575–79.
18. Fed. Trade Comm’n, Privacy Online: A Report to Congress 27 (1998), http://www.ftc.gov/sites/default/files/documents/reports/privacy-online-report-congress/priv-23a.pdf.
19. 2011 Privacy Index, Website Edition, TRUSTe (Dec. 8, 2011), http://www.truste.com/privacy-index-2011-websites/.
20. More Consumers Say Privacy—over Security—Is Biggest Concern When Using Mobile Applications on Smartphones, TRUSTe (Apr. 27, 2011), https://www.truste.com/about-TRUSTe/press-room/news_truste_mobile_privacy_survey_results_2011.
22. Directive 2009/136/EC, of the European Parliament and of the Council of 25 November 2009 Amending Directive 2002/58/EC, 2009 O.J. (L 337).
23. At least one bill, the Markey-sponsored “Do Not Track Kids Act of 2013,” has been proposed that would incorporate the first two California privacy laws on a national scale. It has not gained traction. See S. 1700, 113th Cong., 1st Sess. (2013), available at http://www.markey.senate.gov/documents/2013-11-14_Markey_DNTK.pdf.
24. Assemb. 370, 2013–2014 Leg. Sess. (Cal. 2013) (amending Cal. Bus. & Prof. Code § 22575), available at http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB370.
25. Jeff Blagdon, Do Not Track: An Uncertain Future for the Web’s Most Ambitious Privacy Initiative, Verge (Oct. 12, 2012), http://www.theverge.com/2012/10/12/3485590/do-not-track-explained.
26. S. 568, 2013–2014 Leg. Sess. (Cal. 2013) (codified at Cal. Bus. & Prof. Code §§ 22580–82), available at http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB568.
27. See, e.g., Eric Goldman, California’s Latest Effort to “Protect Kids Online” Is Misguided and Unconstitutional, Forbes (Sept. 30, 2013), http://www.forbes.com/sites/ericgoldman/2013/09/30/californias-latest-effort-to-protect-kids-online-is-misguided-and-unconstitutional/; Teri Karobonik, Why California’s New Online Privacy Bill Will Cause More Problems Than It Solves, New Media Rights (Sept. 25, 2013), http://www.newmediarights.org/that%E2%80%99s_great_idea%E2%80%A6_pity_it_won%E2%80%99t_work_look_why_california%E2%80%99s_new_online_privacy_bill_will_cause_more.
28. S. 255, 2013–2014 Leg. Sess. (Cal. 2013) (codified at Cal. Penal Code § 647(j)(4)), available at http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB255.
30. Heather Kelly, New California “Revenge Porn” Law May Miss Some Victims, CNN (Oct. 3, 2013), http://www.cnn.com/2013/10/03/tech/web/revenge-porn-law-california/.
31. Steven Nelson, Federal “Revenge Porn” Bill Will Seek to Shrivel Booming Internet Fad, U.S. News & World Rep. (Mar. 26, 2014), http://www.usnews.com/news/articles/2014/03/26/federal-revenge-porn-bill-will-seek-to-shrivel-booming-internet-fad.
32. Cal. Civ. Code § 1798.82.
33. See 2014 Security Breach Legislation, Nat’l Conf. St. Legislatures (Apr. 11, 2014), http://www.ncsl.org/research/telecommunications-and-information-technology/2014-security-breach-legislation.aspx.
34. Md. Code Ann., Lab. & Empl. § 3-712 (2012).
35. Neb. Rev. Stat. § 87-302(a)(14); 18 Pa. Cons. Stat. § 4107(a)(10).
36. See generally Mass. Gen. Laws ch. 93H; Nev. Rev. Stat. §§ 603A.010 et seq. (2010). While the Nevada statute is extremely burdensome, it provides a safe harbor from liability for companies that take reasonable efforts to comply—a step that allows businesses to make all good faith efforts with less risk.
37. David M. Governo & Corey M. Dennis, Businesses Nationwide Continue to Grapple with Massachusetts Data Privacy Laws, Privacy Advisor, Nov. 1, 2012, https://www.privacyassociation.org/publications/2012_11_01_businesses_nationwide_continue_to_grapple_with_massachusetts.
38. Jessica Meyers, States Defend Turf from Feds on Data Breach Rules, Politico (Feb. 19, 2014), http://www.politico.com/story/2014/02/states-defend-turf-from-feds-on-data-breach-rules-103647.html. “It’s almost always a local issue. . . . We actually get things done,” continues Gansler. Id.
39. Gansler, supra note 5.
40. Divonne Smoyer, State Attorneys General as U.S. Privacy Regulators—Q&A with Maryland AG Doug Gansler, Privacy Advisor, Jan. 28, 2014, https://www.privacyassociation.org/publications/state_attorneys_general_as_u.s._privacy_regulators_q_a_with_maryland_attorney.
42. Press Release, Attorney Gen. Eric T. Schneiderman, A.G. Schneiderman Announces $17 Million Multistate Settlement with Google over Tracking of Consumers (Nov. 18, 2013), http://www.ag.ny.gov/press-release/ag-schneiderman-announces-17-million-multistate-settlement-google-over-tracking.
43. Chris Dolmetsch, Google to Pay $7 Million to End State Street View Claims, Bloomberg (Mar. 13, 2013), http://www.bloomberg.com/news/2013-03-12/google-to-pay-7-million-to-end-state-street-view-claims.html.
44. Smoyer & Lancaster, supra note 5.
45. Client Update: New California Advertising and Privacy Laws: What’s Your Compliance Plan?, Perkins Coie (Dec. 9, 2013), http://www.perkinscoie.com/files/upload/12_09_2013_P&S_Update.PDF.
46. Amendments to CalOPPA Enter into Force Imposing New Requirements for Online Privacy Policies, Goodwin Procter (Jan. 10, 2014), http://www.goodwinprocter.com/Publications/Newsletters/Client-Alert/2014/01_10-Amendments-to-CalOPPA-Enter-Into-Force-Imposing-New-Requirements-for-Online-Privacy.aspx?article=1.
47. Kamala D. Harris, Attorney Gen., Cal. Dep’t of Justice, Privacy on the Go: Recommendations for the Mobile Ecosystem (2013), http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf?.
48. Smoyer & Lancaster, supra note 5.
49. CA AG to Release Best Practices for DNT Compliance, IAPP Daily Dashboard (Feb. 3, 2014), https://www.privacyassociation.org/publications/ca_ag_to_release_best_practices_for_dnt_compliance.
50. Divonne Smoyer, Aaron R. Lancaster & Alison K. Gary, California Lawmakers Propose Legislation Addressing Internet Privacy, St. AG Monitor (Mar. 5, 2013), http://www.stateagmonitor.com/2013/03/05/california-lawmakers-propose-legislation-addressing-internet-privacy/.
51. See Press Release, State of Cal. Dep’t of Justice, Office of the Attorney Gen., Attorney General Kamala D. Harris Files Suit against Delta Airlines for Failure to Comply with California Privacy Law (Dec. 6, 2012), http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-files-suit-against-delta-airlines-failure.
52. Karen Gullo, Delta Wins Dismissal of California App Privacy Lawsuit, Bloomberg (May 9, 2013), http://www.bloomberg.com/news/2013-05-09/delta-wins-dismissal-of-california-app-privacy-lawsuit.html.
53. Smoyer & Lancaster, supra note 5.