Encouraged by big tech companies seeking clarity and uniformity, the United States is finally dipping its collective toe into the development of privacy and data security law. This is a momentous advance—the U.S. has long lagged behind the rest of the developed world in data protection from both the privacy and security standpoints. It is, however, barely a beginning. And worse, our entry into the field is fraught with the same kinds of problems that plague U.S. regulation in so many other areas.
Outsiders tend to think of the U.S. as a gigantic monolith, but nothing could be further from the truth. Each of the states wields considerable power in its own right, particularly in areas where the federal government has chosen not to legislate, or is simply unable to do so due to constitutional limitations. The states are jealously protective of their rights and wield them aggressively. Thus, in a great many areas—insurance, banking and healthcare, for example—each state has its own set of rules and its own processes to administer them. A business that operates nationwide has to comply with 50 sets of rules (actually more, when you count territories and sovereign Native American nations) that may differ considerably. It may also have to get 50 operating licenses, 50 sales tax licenses and so on. You get the picture.
Over the years, this situation has created a wide assortment of problems. At best, it adds significant costs to doing business. At worst, it impairs the ability of a business to conduct commercial affairs and hurts consumers and the public at large. Is insurance in the state next door cheaper? Too bad—an insurance commission sets rates within your state, and an insurance company across the border couldn’t sell you cheaper insurance if it wanted to. This patchwork of rules and regulations injects uncertainty into the business climate due to its unpredictability.
The states have attempted over the years to address this situation by creating “uniform laws.” Something called the Uniform Law Commission (which, of course, has counterparts in each state) promulgates model laws, on the theory that every state will adopt the same law, and so for that particular topic the landscape will be consistent across the land. Adopted examples of such laws include the Uniform Commercial Code and the Uniform Child Custody Jurisdiction Act.
Except that they aren’t uniform. States just can’t resist tinkering with the model law prior to adoption, with the net result that the laws may be similar, but not quite the same. That’s an improvement, I suppose, but those differences may be significant where it counts, so while the problem is reduced it isn’t eliminated.
So, in the case of privacy and data security, we have started down a very long road toward something that looks like uniformity and predictability. But we’re not even at the “uniform law” stage yet, not by a long shot. Right now, the states are coming up with unique, and often poorly received, definitions of what constitutes “personal information,” what counts as a “data breach” and so on… and on. Plus all have unique notions as to what you’re supposed to be doing to protect information in the first place, and what you’re supposed to do if it’s compromised.
And the coronavirus pandemic may change the landscape once again. Concerns about the use of personal data to track the spread of the virus have led both lawmakers and big tech to urge Congress to put in place a national consumer privacy law. But for the time being, as long as the current state of affairs prevails, the road to uniformity is a long and winding one. Be prepared to spend the next decade or so puzzling through the usual legal maze, or otherwise find a solution that tracks a lot of the changes in privacy law for you.