First the good: Federal preemption of a inevitably thorny patchwork of state privacy laws is critical for the continued health of the online economy. Navigating potentially 50 distinct regulatory environments would be costly for large firms and lethal for small ones. Preventing that type of chaos and stopping the most restrictive regime from becoming the default regime is precisely why the Interstate Commerce Clause exists. Congress should act to assert its constitutional authority; if online commerce isn’t interstate commerce, its hard to imagine what is.
And now the bad: The bill creates a right with its “Individual Consumer Data Rights” section. Policy should not create new “rights” that exist at the expense of the rights and resources of other private entities. Rights enumerated under the Bill of Rights of the United States Constitution are restrictions on government, not on individuals or private businesses. The legislation is a flawed application of natural rights and a violation of the online firm’s property rights and freedom to set its own terms of dealing with customers. Republicans especially should be respectful of the distinction between positive and negative rights.
The bill also includes all the usual harmful regulatory suspects: It creates a false sense of security for consumers while the unpreventable risks persist; it unintentionally erects barriers to entry for new competitors; it creates a “one-size fits all” floor for privacy standards, even though consumers’ privacy preferences likely vary widely; it risks introducing regulatory capture; and it creates burdensome obligations for firms that will almost certainly pass those costs on to consumers.
Federal privacy legislation should include broad field preemption of state privacy laws with complimentary restrictions on private rights of action, but it should not increase government meddling in one of the most vibrant sectors of the U.S. economy. Consumers will be inadvertently harmed by heavy-handed federal regulation, but would be helped by Congress protecting strong encryption. eliminating the threat of antitrust actions when coordination among firms could advance privacy protections, and supporting efforts to punish fraud.