The state of data privacy in 2023

In the face of growing momentum among consumers for data privacy regulation, state legislators should remain mindful of three things

The desire for privacy protections, as an overgeneralized concept, has been a consumer trend long before Apple started using the tagline “Privacy. That’s iPhone.” But our first step toward attaining privacy protections should have never been state-based regulation, especially since there is little agreement on what comprehensive privacy regulation should look like. Yet, state legislators have continued to work toward regulating the conduct of a whole host of companies online, stretching the states’ legal authority beyond state lines.

Since 2020, businesses across the nation have felt the far-reaching effect of the first state privacy bill, the California Consumer Privacy Act (CCPA). But by 2023, online businesses will have to comply with California’s new Consumer Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (CDPA), Colorado’s Colorado Privacy Act (CPA), and potentially five other state bills simultaneously.

If the states continue to pass privacy laws, data privacy regulation in 2023 will create a disjointed and dysfunctional online environment for everyone involved. What we need now, more than another state privacy approach, is a uniform federal standard to create certainty in the market.

California’s breakout privacy law

The regulatory outlook for online business in 2023 is a web of confusing standards. But California’s comprehensive data privacy law is an eye-opening example of the uncertainty a single state can create for businesses across the country.

California led the charge in 2018 with the passage of the nation’s first comprehensive data privacy law, the California Consumer Protection Act (CCPA). Among all other concerns, the primary issue with CCPA is that it applies to businesses even if they are physically located outside of the state.

To put that in context, a helpful analog in the offline world is state highway laws. For example, suppose a person from Texas is driving up the west coast highways of California and causes an accident. Because the Texan was driving on the highways maintained by California, the Texan would be liable for the accident under California law. The same is also generally true for companies that send a defective product to consumers in another state.

However, on the Internet, the analysis is flipped. Under CCPA, if a business receives enough traffic from California residents, they must comply with California’s law regardless of their physical location. This kind of extraterritorial application causes headaches for businesses all over the country because it means they must comply with a law enacted by legislators they never voted for simply because they do business online.

The impact of the states and their laws in 2023

By 2023, the issue with state data privacy legislation will no longer be the extraterritorial application of California’s law alone. Instead, the issue will be the extraterritorial application of many states’ laws governing the same businesses simultaneously.

In practice, contradictory opt-out standards, applicability thresholds, and conduct prohibitions will amplify the multi-state application issue. This regulatory outlook awaiting online businesses in 2023 should be top of mind for state legislators. Before leading bills through their state legislative process, state legislators should strongly consider the economic effect of adding to the web of state bills slated for 2023.

Looking at the effect of Europe’s GDPR on the global economy, for example, some U.S. businesses simply chose to block traffic from Europe rather than comply because it was more expensive to comply than to lose revenue in Europe. The effect of a web of state bills on the national economy may look similar. From a business perspective, the reason is that there are three possible strategies businesses could respond with, none of which are good for the consumers of a regulating state.

The first strategy is compliance, but that does not mean businesses must offer the same services. Under the state frameworks in the U.S., the businesses who wish to retain traffic from regulating states must comply with nondiscrimination clauses that prevent a reduction in quality and value of services rendered if the reason is merely because a user exercised a privacy right. However, if the reduction in quality or value is “reasonably related” to the value of the consumer’s data, a business can offer a watered-down version to balance out the costs. Under this first strategy, consumers within regulating states would lose access to the full scope of Internet services available to others.

The second strategy is to use geolocation data to block all visitors from California or other states with privacy laws. However, the economic impact of this second strategy will be severe, both for the businesses losing out on visitor traffic and for consumers within regulated states who will lose out on those online services.

The third strategy is to close up shop. If a business cannot afford contractors or consultants to bring their services into compliance, it also likely cannot afford to pay to monitor the imperfections of geolocation filtering. Even if a business were to block traffic through in-house technical expertise, the impact of lost revenue after blocking an entire state like California could be a financial disaster. The businesses that are forced to close up shop because of the web of state laws in 2023 will have an impact on consumers nationwide.

What happens next?

In the face of growing momentum among consumers for data privacy regulation, state legislators should remain mindful of three things.

First, what consumers want from a data privacy law is askew from what they want from online services. Consumer polling has been cited to show that constituents are strongly in favor of data privacy protections, but the same polling shows that 84% of registered voters believed regulation should prohibit the collection of full names — meaning they believed regulation should shutter basic online services like White Pages, Facebook, and many others.

Second, the impact of yet another comprehensive data privacy law will be more confusion in data privacy compliance, greater costs for online businesses large and small, and fewer options for consumers. The web of regulations created by California, Colorado, and Virginia that awaits businesses in 2023 will force businesses to decide between paying for compliance or closing up shop.

Finally, the best approach for state legislators now is to wait and see what happens in the tech industry and Congress. An objective look ahead reveals many reasons to be optimistic about data privacy that does not rely on state regulation. Industry innovations in privacy protections have already caught traction and become the driving force for increasing sales and gaining market share. In addition, Congress made headway in the previous session, working through cooperative solutions to a federal data privacy bill. Federal agencies like the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST) have also been developing privacy approaches and frameworks, each with diverse input from consumer advocates and industry participants.

The states will continue to work toward their own solutions to the data privacy problem. But before they pass yet another comprehensive data privacy bill that applies beyond state lines, we need a preemptive federal law to set a uniform standard, and we need it sooner rather than later.

CGO scholars and fellows frequently comment on a variety of topics for the popular press. The views expressed therein are those of the authors and do not necessarily reflect the views of the Center for Growth and Opportunity or the views of Utah State University.