Feds debate while states act on data privacy laws

Part of the federal government’s paralysis may be due to the fact that regulating big tech is complicated, Kreps said.

Breaking up big tech companies, something Sen. Elizabeth Warren (D-Mass.) called for during her 2020 presidential campaign, could have drastic economic impacts and Congress is right to tread lightly, according to Kreps.

“If Facebook does break up, and these different firms are then superseded That’s why Kreps believes states have a role to play when it comes to impacting the “interest, incentives and motivation” at the federal level for action related to big tech regulation. As more states write their own laws on consumer data, they create a new norm for what sort of regulation needs to happen — something that’s currently being debated at the federal level.

Kreps said state legislators are right to push forward on regulation, especially on the data privacy and consumer protection front. According to a 2019 Pew Research Center survey, 81% of Americans believe risks such as data security associated with consumer data collection far outweigh the benefits.

“There’s a lot of support for this and I think the fact that states are doing this both responds to that pressure, but also helps create this norm that there should be some action taken,” she said.

As states venture into something like data privacy, Kreps said their approaches will likely be slightly different, acting almost as pilot programs for the federal government. For example, given California’s Democratic leanings, CCPA alone might not garner bipartisan support, but a data privacy law enacted The momentum to regulate big tech at the state level could light a fire under Congress, said Braden Perry, a regulatory compliance attorney at Kennyhertz Perry Attorneys at Law in Kansas City, Mo.

“No one wants a 50-state system of anything, with differing standards in all 50 states,” Perry said. “Multiple states with multiple regimes would likely be the catalyst needed to embrace the inevitable and establish a federal legislative framework.”

Indeed, Erin Illman, a specialist in privacy and information security law and co-chair of the cybersecurity and privacy practice group at national law firm Bradley, said the more states that pass privacy legislation will influence what happens at the federal level. She believes federal privacy legislation is likely within the next four years — legislation that she thinks will become the “floor,” meaning a foundation upon which states can continue to build more restrictive data privacy laws.

Illman pointed to historical privacy laws like the Gramm-Leach-Bliley Act, a federal privacy law for financial institutions, as a possible example of what to expect from a federal framework on data privacy.

“That law does not preempt state-level action,” she said. “You see state laws like the California Financial Information Privacy Act, which actually has a stricter requirement for financial institutions. Financial institutions have to comply with both GLBA at the federal level and CalFIPA at the state level. I certainly see that trend continuing even if there is a federal level comprehensive privacy law.”