The Virginia House of Delegates and Senate recently passed consumer privacy legislation, the Virginia Consumer Protection Act. The bill has elements similar to its online privacy predecessors in California (CCPA) and the European Union (GDPR), but is blessedly free from a private right of action. Perhaps the lack of consumer class action lawsuits is what made the bill palatable for some who voted for it, but even with this laudable litigious restraint, the law is still bad policy and perhaps even unconstitutional.
The Virginia law takes effect in 2023 and it gives Commonwealth residents rights to access, correct, delete and obtain a copy of personal data, and to opt out of the processing of personal data for targeted advertising. It obligates companies to new standards of transparency, data minimization and data-security, among other requirements.
There are differences between the Virginia law and those in California and Europe, but the similarities are sufficient to predict the same bad outcomes. As researcher Roslyn Layton chronicles, the GDPR in the EU strengthened the industry’s largest players. Google, Facebook, and Amazon have increased their market share in the EU since the regulations went into effect. Consequently, small advertising firms have lost approximately one-third of their market share. Larger firms can bear the high cost of compliance, while small and medium forms are less able to do so. The same will be true in Virginia.
In California, looming questions about which firms meet the qualifications for being regulated by the CCPA created opaqueness such that the California State Attorney General’s office delayed its enforcement by months. That sort of regulatory confusion is the dead opposite of good public policy.
The CCPA, like the Virginia law, brings the predictable consequences of chilling research and innovation in the tech sector, creating a false sense of security for online users, and inadvertently increasing cybersecurity risks. For example, how are firms to verify a customer asking for their personal information is, in fact, that customer and not a nefarious actor involved in identity theft?
This growing patchwork of varied state regulatory regimes means that eventually the most stringent set of online privacy regulations will become the default regime for the entire nation, lest firms have to navigate 50 distinct sets of rules. Some state laws will contradict each other, which is even worse.
CEI has long advocated for federal preemption when the free flow of interstate commerce is at risk. Big government-loving, high-population states should not impose their regulatory preferences on the entire country. This is especially true when their laws ignore and stunt the role of consumer education and the promise of emerging privacy-enhancing technologies. If the Internet doesn’t qualify as interstate commerce, it’s hard to imagine what does. That means the burdens these state laws impose on out-of-state actors may very well violate the dormant Commerce Clause and could be declared unconstitutional if challenged in court.
Congress should act to preempt these state laws, but resist the temptation to regulate online privacy in the same harmful way that California and Virginia have done.