As people’s lives increasingly take place in the digital realm, concern is growing about how private companies and government entities store and use sensitive data. These anxieties have led to demands that state legislatures pass data privacy laws. In 2021, a Morning Consult poll showed 86% of Democrats and 81% of Republicans said passing a federal data privacy standard should be a priority for Congress.
House Speaker Nancy Pelosi (D-CA) refused to bring the bill to the floor because it did “not guarantee the same essential consumer protections” as the California Consumer Privacy Act (CCPA), the state’s harmful 2018 data privacy law. The ADPPA would not solve the developing state patchwork problem because it would act only as a floor of minimum required regulations, on top of which states could add further regulations. California’s law is an example of state regulations that would be heavier than the federal standard if the ADPPA passed. The federal standard for data privacy should instead act as a ceiling and should not be as extensive as the CCPA.
In the Senate, the ADPPA faced an equally hostile reception, with Sen. Maria Cantwell (D-WA), chair of the powerful commerce committee, refusing to hold a hearing because of her concerns surrounding “enforcement holes.” The ADPPA would require annual algorithmic assessments, which would create recurring compliance costs for firms and would also require considerable federal resources to enforce. These enforcement difficulties suggest that an entity like the government may not be in the best position to regulate something as dynamic and technical as algorithmic decision-making.
This raises the question of whether a data privacy law is needed at all. If it is, it would ideally be a bill that addresses all these issues and creates a reasonable data privacy standard for the country that solves the patchwork problem. But without that standard, more states may feel compelled to address privacy concerns, and they should be aware of the pitfalls to avoid.
Since the California Consumer Privacy Act took effect in 2020, four states—Colorado, Connecticut, Utah, and Virginia—have enacted their own privacy laws. Complying with a regulatory system in which data laws vary from state to state is the least efficient arrangement for the economy. Most businesses have an online presence, and more and more operate in all 50 states. The costs of regulatory compliance in this type of environment stifle competition—only businesses with sufficient capital can comply, and many smaller upstarts can’t.
For several years, it looked like Florida would join the growing number of states passing data privacy laws. Florida Gov. Ron DeSantis supported a data privacy bill in 2021, but the state legislature was split over a private right of action, which would have granted Floridians the right to sue and receive financial compensation for violations. With Florida’s 2023 legislative session approaching, it’s time to consider what a data privacy bill in Florida should look like, especially if Florida lawmakers want to avoid the mistakes of CCPA and Europe’s General Data Protection Regulation.
The most serious mistake would be including a private right of action in legislation. On the surface, allowing individuals to bring lawsuits against violators may seem like it would help hold firms accountable, but the unanticipated reality is much different. Even laws that govern more serious and personal information, such as the Health Insurance Portability and Accountability Act (HIPAA), do not include a private right of action. In other laws, like the Americans with Disabilities Act (ADA), a private right of action exists but has been significantly curtailed to reduce the number of “serial” cases abusing the ADA. If Florida passes a data privacy law with a private right of action, it would inevitably feed a cottage industry of frivolous lawsuits that trap businesses in litigation cycles, suppressing innovation and raising costs.
Burdensome data privacy regulations also stall innovation. For example, a Cato Institute study of the Fair Credit Reporting Act (FCRA), which regulates how credit bureaus manage consumer data, argues that because of data privacy requirements, the industry has become so tightly regulated and costly that innovation has stagnated and new entrants cannot enter the market. It is likely that only large and resource-rich firms will have the continued ability to comply with complex laws like data privacy regulations.
Evidence from the European Union (EU) may support this claim. Two months after the EU implemented the General Data Protection Regulation (GDPR), 30% of US news sites blocked EU access due to an inability to comply. An HEC Paris study of 6,286 EU websites found a general 10 percent reduction in internet traffic, resulting in millions of lost dollars. The study also found that GDPR’s rules hurt smaller websites (10-21% drop) more than larger ones (2-9% drop), suggesting that similar to credit score regulation, data privacy regulation may help entrench current large websites while deterring entrants.
Policymakers may also consider that many of the consumer ‘rights’ commonly included in data privacy bills could eventually become regulations that negatively impact consumers. For example, the right to opt out of the sale and sharing of data sounds simple but becomes a prescription for how websites earn revenue and handle data. Websites share consumer data with advertisers and data processing companies to generate revenue. Florida lawmakers should note that allowing users to opt out of this transaction, the primary form of revenue for many websites, would alter the fundamental business model at the internet’s core. Some websites may shut down if forced to serve users whose data they cannot monetize through advertising because those users have opted out. In other cases, they may have to charge these users for previously free websites to keep servers running. Policymakers should consider these downstream impacts on consumers as they decide what data rights consumers may have.
In addition, there is certain to be confusion around what constitutes the sharing of data. For example, if a website provides a temporary interface for advertisers to determine which data segment they want to market to, that could reasonably be considered sharing. However, there is no industry-accepted definition of sharing data. Therefore, when considering data privacy legislation, Florida policymakers must provide clear guidelines for what constitutes data sharing.
Data privacy can be achieved without such burdensome regulations. Other rights, such as the right to correction and deletion, can have minimal impact as long as they come with appropriate curing periods, such as 90 days. Privacy notices with continued opt-in, which spare users from having to accept cookies every time they visit a site, can smooth the experience while providing consumers with a transparent and understandable privacy contract available at any time. Distinguishing between personally identifiable data and de-identified data can also prevent needless regulations on non-personal data.
As people increasingly move their lives into the digital world, demands will inevitably grow for greater data protection rules and more restrictions on what private companies can do with this information. However, crafting data privacy rules that balance individuals’ demands and the needs of businesses is a perilous task that risks either providing too few protections or overregulating the digital space, ultimately harming Floridians. If the Florida state legislature pushes forward on a data privacy law despite these perils, it can start to strike this balance by excluding a private right of action, limiting the right to opt out, and providing clear guidelines for data sharing with an open and transparent privacy agreement.
Florida can do better than California and Europe’s data privacy laws, but only if lawmakers recognize the promise and perils.