
Cybaris®

Volume 10

Issue 1

Article 2

2019

Creating a National Data Privacy Law for the United States

Shaun G. Jamison

Follow this and additional works at: /cybaris

Part of the Computer Law Commons, Intellectual Property Law Commons, International Law Commons, Internet Law Commons, and the Science and Technology Law Commons

Recommended Citation

Jamison, Shaun G. (2019) "Creating a National Data Privacy Law for the United States," Cybaris®: Vol. 10: Iss. 1, Article 2.

Available at: /cybaris/vol10/iss1/2

This Article is brought to you for free and open access by the Law Reviews and Journals at Mitchell Hamline Open Access. It has been accepted for inclusion in Cybaris® by an authorized administrator of Mitchell Hamline Open Access. For more information, please contact sean.felhofer@.

© Mitchell Hamline School of Law

Cybaris®, An Intellectual Property Law Review


CREATING A NATIONAL DATA PRIVACY LAW FOR THE UNITED STATES

BY SHAUN G. JAMISON[1]

TABLE OF CONTENTS

Introduction

The Need for a National Data Privacy Law

What is Data Privacy?

What is the Difference Between Privacy & Cybersecurity?

Privacy Laws are a Patchwork of State & Federal Laws

The FTC Act

COPPA

GLBA

HIPAA

FERPA

Privacy Act of 1974

Wiretap Act

Video Privacy Protection Act of 1988

State Laws

Sampling of State Statutes

State Common Law

Constant Major Breaches

Cost & Difficulty in Complying with Current Laws

Complex Regulatory Scheme Promotes a Culture of Compliance

The U.S. Public is Concerned About Privacy

Cacophony of Voices are Pushing for a National Law

International Competitiveness

Challenges to Creating a National Privacy Law

The Commoditization of Personal Information

Rights Reserved to States

Will Big Tech Support a Federal Law Without Preemption?

Resistance to Adopting E.U. Law

Major Economic Powers Not Signing On to E.U. Standards

GDPR is Untested

Risk of Stifling Innovation

Politics as Usual

Possible Paths Forward to a National Privacy Law

[1] The author’s biographical information can be found on Linkedin at: https://www./in/shaunjamison/.

Process for Consensus

Intel’s Proposal: The Innovative & Ethical Data Use Act

Congressional Hearings

Analysis of Major Provisions & Recommendations

Delayed Implementation

Right to Privacy as a Fundamental Right

Constitutional Amendment with Right of Privacy

Changes to FTC Authority & Funding

Enforcement

Criminal Penalties for Executives

Civil Penalties

Enforcement Responsibility

Private Right of Action

Scope

Federal Minimum with Allowed State Enforcement of Stricter Standards

Geolocation

Artificial Intelligence

Biometrics

Right to Access & Correct

Right to be Forgotten

Consent

Preemption

Overall Recommendations & Conclusion

Introduction

The United States (U.S.) lacks a cohesive data privacy law.[2] This article will examine the need for a national data privacy law, challenges to creating a national privacy law, and possible paths forward to a national privacy law. Presently, U.S. law is a combination of federal sectoral laws and state laws. This myriad of laws makes compliance for interstate and international companies difficult, expensive, and arguably, unattainable. Further, with the European Union’s (E.U.) adoption of the General Data Protection Regulation (GDPR),[3] many U.S. companies already have to comply with the GDPR due to doing business or having data processed in the E.U.[4] Japan has entered into an agreement with the E.U. recognizing the equivalency of each other’s privacy laws.[5] The U.S. must update its laws to avoid risking limiting its access to markets where countries have modernized their privacy laws. Indeed, California passed a sweeping privacy law which will be effective in 2020, creating more urgency to the issue.[6] The size of California’s economy threatens to make their law de facto national law.[7] Because the law affects companies’ wishes to do business with California residents, many national companies will likely choose to comply rather than forego access to California’s large population and economy.

[2] Nuala O’Connor, Reforming the U.S. Approach to Data Protection and Privacy, COUNCIL ON FOREIGN RELATIONS (January 30, 2018), https://www./report/reforming-us-approach-data-protection.

[3] E.U. General Data Protection Regulation (GDPR): Regulation (E.U.) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2009 O.J. (L 119) 1. (hereinafter GDPR).

[4] Matthias Artzt, Territorial scope of the GDPR from a US perspective, IAPP: THE PRIVACY ADVISOR (June 26, 2018), /news/a/territorial-scope-of-the-gdpr-from-a-us-perspective/.

[5] International data flows: Commission launches the adoption of its adequacy decision on Japan, EUROPEAN COMMISSION (September 5, 2018), http://europa.eu/rapid/press-release_IP-18-5433_en.htm.

[6] Tal Kopan, California law could be Congress’ model for data privacy. Or it could be erased, SAN FRANCISCO CHRONICLE (Feb. 10, 2019), https://www./politics/article/California-law-could-be-Congress-model-for-13604213.php.

[7] Dipayan Ghosh, What You Need to Know About California’s New Data Privacy Law, HARVARD BUSINESS REVIEW (July 11, 2018), /2018/07/what-you-need-to-know-about-californias-new-data-privacy-law.

One of the main challenges to a national data privacy law is the United States’ system of federalism. States have been seen as laboratories for policy experimentation.[8] Powers not given to the federal government are reserved to the states and the people.[9] Federal law must rely on express delegation of authority by the Constitution or via application of the Commerce Clause.[10] As civil cybersecurity and privacy are not addressed in the U.S. Constitution, the federal government must rely on the Commerce Clause. While the Commerce Clause may ultimately be successful as grounds for a national law, one can anticipate states to resist any preemption of their existing data privacy laws. A further challenge is creating the “political will” to create a national data privacy law.

The White House set forth its cybersecurity policy,[11] and while it does not advance a national data privacy law, it does not preclude it. While a uniform law throughout the U.S. is appealing to industry, Congress could pass a law which does not preempt additional protections by states. This would remove the threat of lawsuits by states which feel their laws do a better job of protecting consumers than a proposed federal law. However, any law sufficient enough to gain adequacy ruling from the E.U. can be argued to appropriately protect consumers and thus it is not necessary to retain all of the provisions of existing state laws. Naturally, this is not an uncontested viewpoint. A further challenge is that technology companies would be reticent to throw their support behind a national law that does not preempt state law as it leaves them exposed to complying with a complex web of state laws.[12] Despite the obstacles, there is more to gain with a cohesive regulatory structure than the obstacles and risks to enacting one.

[8] Harry N. Scheiber, Federalism and the Process of Governance in Hurst's Legal History, 18 LAW & HIST. REV. 205, 206 (2000).

[9] U.S. Const. amend. X states: “The powers not delegated to the United States by the Constitution, nor prohibited by it to the states, are reserved to the states respectively, or to the people.”

[10] “The Congress shall have Power ... To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.” U.S. Const. Art. I, § 8, cl. 3.

[11] Grant Schneider, President Trump Unveils America’s First Cybersecurity Strategy in 15 Years, WHITEHOUSE.GOV (September 20, 2018), https://www./articles/president-trump-unveils-americas-first-cybersecurity-strategy-15-years/.

The Need For A National Data Privacy Law

What is Data Privacy?

Data privacy, otherwise known as information privacy, is the right to have control[13] and knowledge about any personally identifiable information (PII) which is collected about an individual. Definitions of what constitutes PII vary. Sometimes a combination of bits of information can make it personally identifiable. Certainly, the combination of your name with your social security number or bank account number fits the definition. With access to information such as this, someone could open accounts in your name and access even more information about you than they already had. NIST, the National Institute of Science and Technology, defines PII as:

Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).[14]

[12] David Shepardson, Tech companies back U.S. privacy law if it preempts California's, REUTERS (September 26, 2018), https://www./article/us-usa-tech-congress/tech-companies-back-u-s-privacy-law-if-it-preempts-californias-idUSKCN1M62TE.

[13] Neil M. Richards, The Information Privacy Law Project, 94 GEO. L.J. 1087, 1089 (2006).

[14] National Institute of Standards and Technology Glossary (Retrieved March 12, 2019 from /glossary/term/PII).

Medical diagnoses are rightly considered private information and can lead to serious consequences if revealed such as adverse employment actions, damage to reputation, and conflict with family members. Personal Health Information is known as PHI. PHI is defined as:

All individually identifiable health information that is transmitted electronically, maintained in any electronic medium, or transmitted or maintained in any other form or medium. This information has been created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse that relates to the past, present and future physical and mental health, provision of health care to the patient and payment for the patient's health care.[15]

What is the Difference Between Privacy & Cybersecurity?

It is important to note here that it is easy to conflate privacy with cybersecurity because the two are so closely linked. Privacy has to do with the collection, storage, and dissemination of personal information. Cybersecurity is the protection of systems from intrusion. This may involve personal data, proprietary data, and control of systems or connected devices. How they interconnect is that ineffective cybersecurity practices can expose personal data and allow access by unauthorized persons to that data. Further, proper privacy policies and procedures may eliminate the risk by making sure that unneeded sensitive personal information is either never collected in the first place or that it is effectively destroyed when no longer needed. You cannot have a privacy breach for information you do not have. Finally, there is a third aspect of the discussion which is breach notification. Despite best efforts, an organization may have a privacy or cybersecurity breach. If so, there are presently many different laws they potentially need to comply with as far as notifying potentially affected parties, regulators, and sometimes the media of the breach. This paper will focus on privacy and breach notification.

[15] D'Arcy Guerin Gue and Steven J. Fox, Guide to Medical Privacy and HIPAA Appendix III. (Thompson Information Services 2015).

Privacy Laws are a Patchwork of State & Federal Laws

A brief overview of some of the current laws in place will help put the problem in context. The fact that some areas of data privacy may have fifty-one laws makes it challenging to comply and confusing for consumers. Additionally, many will argue there are gaps in the current framework. Further, the “U.S. is one of the few countries in the developed world without a national privacy law or a watchdog dedicated to consumer data.”[16]

THE FTC ACT

The Federal Trade Commission (FTC) is the leading federal agency addressing privacy issues in the U.S. The FTC derives its authority in this area from the FTC Act, in particular section 45(a) which addresses unfair or deceptive trade practices.[17] Unfair practices are unlawful: “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”[18] In order to act, the FTC must show that the unfair activity:

Is causing or likely will cause substantial harm to consumers,

Is not reasonably avoidable by the consumers, and

Is not outweighed by the need to compete or the benefits to customers.[19]

[16] Emily Birnbaum & Harper Neidig, State Rules Complicate Push for Federal Data Privacy Law, THE HILL (March 5, 2019), /policy/technology/432564-state-rules-complicate-push-for-federal-data-privacy-law.

[17] 15 U.S.C. § 45.

[18] Id. at (a)(1).

[19] Id. at (n).

The FTC’s authority to act on privacy was unsuccessfully challenged in F.T.C. v. Wyndham Worldwide Corp.[20] The FTC’s authority is broad and flexible and applies to both cybersecurity and misleading privacy policies.[21]

The FTC currently does not use broad rulemaking authority and organizations rely on a common law of FTC enforcement actions as guidelines.[22] The FTC also publishes guides, such as Start with Security: A Guide for Business.[23] Further, the FTC does not levy fines immediately on privacy enforcement actions. They first negotiate a consent order, and if they are unable to do so, then litigate against an organization.[24] The ability to fine an organization at the beginning could be an effective deterrent.

COPPA

The Children’s Online Privacy Protection Act (COPPA) was passed in 1998.[25] COPPA requires that sites which gather private information on children under the age of thirteen must follow certain rules. For example, any gathering of personally identifiable information (PII) of a child under thirteen years of age requires “verifiable parental consent.”[26] No more information will be gathered than necessary and the child’s participation in a game will not be conditioned upon giving personal information.[27] Further, the website must give notice “of what information is collected from children by the operator, how the operator uses such information, and the operator's disclosure practices for such information.”[28]

[20] F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236, 249 (3d Cir. 2015).

[21] See Id.

[22] See Michael Scully & Cobun Keegan, IAPP Guide to FTC Privacy Enforcement, IAPP, /media/pdf/resource_center/Scully-FTC-Remedies2017.pdf (last visited Mar. 12, 2019).

[23] Start with Security: A Guide for Business, FTC (June 2015), https://www./system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.

[24] See Michael Scully & Cobun Keegan, IAPP Guide to FTC Privacy Enforcement, IAPP, /media/pdf/resource_center/Scully-FTC-Remedies2017.pdf (last visited Mar. 12, 2019).

[25] 15 U.S.C. § 6501.

[26] 15 U.S.C. § 6502(b)(1)(A)(ii).

GLBA

The Gramm Leach Bliley Act (GLBA) specifically addresses privacy within financial institutions.[29] The policy behind this is: “that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.”[30] One of the goals of the GLBA is to address the issue of identity theft which has been described above.[31]

The GLBA relies on an “opt out” procedure for nonpublic personal information. The financial institution may disclose they will share information[32] and then the consumer has the option to notify the financial institution that they do not wish to have their information shared.[33] Despite the heightened attention that privacy has received of late, people generally do not read these notices and thus are not likely to protect their rights by opting out.[34]

[27] 15 U.S.C. § 6502(b)(1)(C). Requiring consent prior to gathering information is referred to as “opt in.” “Opt out” meaning an organization can act until consent is withdrawn.

[28] 15 U.S.C. § 6502(b)(1)(A)(i).

[29] 15 U.S.C. § 6801.

[30] 15 U.S.C. § 6801(a).

[31] R. Bradley McMahon, After Billions Spent to Comply with HIPAA and GLBA Privacy Provisions, Why Is Identity Theft the Most Prevalent Crime in America?, 49 VILL. L. REV. 625, 627 (2004).

[32] 15 U.S.C. § 6802(b)(1)(A).

[33] 15 U.S.C. § 6802(b)(1)(B).

[34] Of the respondents to one survey about how often they read a privacy notice, the results were: “never (16.2%) or rarely (43%) read privacy policies. Another 32.1% suggest that they “sometimes” read privacy notices. Fewer than 9% of respondents do so “always” or “often.” Ari Ezra Waldman, A Statistical Analysis of Privacy Policy Design, 93 NOTRE DAME L. REV. ONLINE 159, 166 (2018).

HIPAA

Like the GLBA, the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[35] is a sectoral law. However, it is focused on the healthcare industry rather than the financial. HIPAA provides guidance on providing notice, protecting personal health information (PHI), and proper release of PHI. Release of PHI information not otherwise authorized must be authorized by the patient in writing.[36] As you can imagine, health information is considered highly sensitive. HIPAA also provides patients with a broad right of access to their information with certain exceptions.[37] Courts have ruled there is no private right of action for violation of HIPAA.[38]

FERPA

The Family Educational Rights and Privacy Act (FERPA)[39] addresses the privacy of student records. Unlike some of the other laws, it does not address cybersecurity law directly. It protects student records against disclosure.[40] Once a student turns eighteen years of age, the parents lose access to the records and need a release from the student to access them.[41] Certain student information can be provided for directory purposes unless the student opts out.[42] Parents and eligible students have the right to review student records and to have incorrect or misleading information corrected.[43] FERPA does not create a private right of action which means private citizens cannot sue for damages under FERPA.[44]

[35] Pub. L. No. 104-191 (Aug. 21, 1996).

[36] 45 CFR 164.508.

[37] 45 CFR 164.524.

[38] Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006).

[39] 20 U.S.C. § 1232g.

[40] 20 U.S.C. § 1232g(b)(1).

[41] 20 U.S.C. § 1232g(d).

[42] 20 U.S.C. § 1232g(a)(5)(B).

Privacy Act of 1974

“The wrong which Congress hoped to right by the Privacy Act was the threat to an individual's right to privacy by the collection, maintenance, use and dissemination of personal information by the federal government.”[45] The Privacy Act included the right to access and correct records[46] and required consent to release information about individuals from that individual.[47] Naturally, there are exceptions to this requirement to allow the government to do necessary work.[48] The Privacy Act was an important step forward, but it only addresses privacy as to information gathered by the federal government.

Wiretap Act

The Wiretap Act[49] provides limits to the interception, disclosure, or intentional use of “wire, oral, or electronic communication.”[50] The Wiretap Act does provide for a private right of action[51] as well as criminal penalties.[52] The Wiretap Act applies to “any person” committing a violation, so it is very broad in application.[53]

[43] 20 U.S.C. § 1232g(a)(2).

[44] Gonzaga Univ. v. Doe, 536 U.S. 273, 287 (2002).

[45] Captain Robert E. Gregg, The Privacy Act of 1974, ARMY LAW., JULY 1975, at 25, 25–26.

[46] 5 U.S.C. § 552a(d).

[47] 5 U.S.C. § 552a(b).

[48] 5 U.S.C. § 552a(b)(1)-(11).

[49] Title III of The Omnibus Crime Control and Safe Streets Act of 1968 (Wiretap Act) 18 U.S.C. §§ 2510-22, as amended by the Electronic Communications Privacy Act (ECPA).

[50] 164 A.L.R. Fed. 139 (Originally published in 2000).

Video Privacy Protection Act of 1988

The Video Privacy Protection Act (VPPA) of 1988 prohibits the disclosure of what audio or visual recordings you may have watched.[54] The VPPA was passed as the result of a reporter finding out what videos Supreme Court nominee Robert Bork had been watching.[55] The VPPA provides for a private right of action for violations.[56]

State Laws

SAMPLING OF STATE STATUTES

States have been very active in protecting the privacy of their residents. All fifty states now have breach notification laws.[57] Some states have enacted unique laws which may serve as a guide to determine what the future may hold for the law and what the states see as priorities for data privacy.

California recently passed a sweeping privacy act known as the California Consumer Privacy Act (CCPA). Key portions of the act include the right to access information collected about one’s self, to find out what information has been sold or accessed, to opt out of the sale of information, and to request deletion of personal information.[58] It is set to go into enforcement as of January 1, 2020, but companies must “look back” one year.[59] If a company received a request on the first day the law is effective, they would need to look back into their records to January 1, 2019. Essentially, companies have to be able to track data sufficiently to adequately comply in 2020.

[51] 18 U.S.C. § 2520.

[52] 18 U.S.C. § 2511(4)(a).

[53] 18 U.S.C. § 2511(1).

[54] 18 U.S.C. § 2710.

[55] See S. Rep. No. 100-599, at 5 (1988), reprinted in 1988 U.S.C.C.A.N. 4342-1 (“Senate Report”), also available at 1988 WL 243503. Cited by In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 278 (3d Cir. 2016).

[56] 18 U.S.C. § 2710(c).

[57] Security Breach Notification Laws, NATIONAL CONFERENCE OF STATE LEGISLATURES (September 29, 2018), /research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.

California is instructive for several reasons. Significantly, California’s law was the product of a negotiation between an advocacy group which was on track to get enough signatures to get their version of an aggressive new data privacy law on the books through a referendum.[60] The legislative version passed at practically the last moment to avoid the referendum version from going on the ballot.[61] This tells us that people are interested in stronger data privacy than we have previously had. It also tells us that people’s interest can be organized into political pressure. States with referendums may be subject to similar processes of citizen or advocacy group-driven laws. Any state, regardless of legislative process, may be subject to a concerted effort to pass new laws expanding privacy or perhaps efforts by large tech companies to pass laws to curtail a great expansion of consumer rights. Another concern with California is that it is one of the largest economies in the world.[62] Companies that want to do business there will have to comply with the law by the year 2020. Thus, for companies with a national presence, California’s law will become a de facto national law.[63] Finally, the application of the law in California may be closely watched by other states desiring to provide better privacy protection for their residents.

[58] Data protection principles—California Consumer Privacy Act—Consumer privacy rights, 1 Information Law § 8:82.54.

[59] Cal. Civ. Code § 1798.130(a)(2) (West).

[60] Lothar Determann, New California Law Against Data Sharing, 35 COMPUTER INTERNET LAW., Sept. 2018, at 1.

[61] Id. (The legislature only debated the bill for six days).

[62] Associated Press, California is now the world's fifth-largest economy, surpassing United Kingdom, LA TIMES (May 04, 2018), https://www./business/la-fi-california-economy-gdp-20180504-story.html.

Illinois’ Biometric Law is discussed under a later section. This law is another example of states taking the lead on privacy issues.

As of the date of this paper, Washington state is in the process of bringing forth a law called the Washington Privacy Act.[64] The current version distinguishes between data controllers and data processors similarly to the GDPR.[65] It has similar provisions to the CCPA, addresses specific de-identification and facial-recognition, but presently has no private right of action.[66]

Vermont’s data broker law addressed the lack of regulation of those companies who buy and sell access to consumer data.[67] Data brokers listed as a result of the new law include Experian and Spokeo.[68][69] The law requires data brokers to specify to consumers whether there is a mechanism to opt out of or restrict data collection.[70] It also requires disclosure of data breaches within the last year and mandates minimum security procedures.[71] However, it does not mandate an opt out procedure, right of access and review of data, information about how it was obtained, or a private right of action.[72]

[63] Tony Romm, Inside the lobbying war over California’s landmark privacy law, WASH. POST (February 9, 2019), https://www./2019/02/09/californias-landmark-privacy-law-sparks-lobbying-war-that-could-water-it-down/.

[64] Mitchell Noordyke, The state Senate version of the Washington Privacy Act: A summary, IAPP (March 26, 2019), /news/a/the-state-senate-version-of-the-washington-privacy-act-a-summary/.

[65] Id.

[66] Id.

[67] Steven Melendez, A landmark Vermont law nudges over 120 data brokers out of the shadows, FAST COMPANY (March 2, 2019), https://www./90302036/over-120-data-brokers-inch-out-of-the-shadows-under-landmark-vermont-law.

[68] Id.

[69] Spokeo is a company which aggregates information to power their people search engine. The lawsuit against them by an individual who claimed they disseminated incorrect information about him set the standard for the level of harm that needs to be demonstrated for Article III standing in data breach cases. Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).

STATE COMMON LAW

Those harmed by data privacy breaches may be able to recover damages under common law claims such as negligence and invasion of privacy.

There are four types of invasion of privacy torts. Public disclosure of private facts is most common with data privacy breaches.[73]

The trouble with relying on common law claims is the multitude of lawsuits which may arise in a massive breach, the burden of proof on the claimants, and the fact that the harm has already been done. Once there is a public breach of data privacy, it cannot be undone. Further, there may be constitutional limitations on the use of common law privacy claims.[74] The focus should be on laws which
