Federal Communications Law Journal: Preliminary Topic Statement

As one of my responsibilities with the Federal Communications Bar Association’s official law review, the Federal Communications Law Journal, I am writing a student note to be considered for inclusion in the 2014 edition of the Journal.

 

For a closer analysis before my note becomes available, be sure to watch TechFreedom, where I am coauthoring a piece with TF President Berin Szoka on the Dormant Commerce Clause in the context of state privacy legislation.

 

In the meantime, enjoy my topic statement. (All suggestions and criticisms welcome–the harsher the better! Please post in the comments.)

 

The United States Constitution allows Congress the power to regulate interstate commerce. U.S. Const. art. I, § 8, cl. 3. In general, this grant of federal power precludes the states from enacting regulations that substantially burden interstate commerce. However, courts have long recognized that states retain a residuum of power by which they may regulate in areas affecting the health and safety of their citizens. Southern Pacific Co. v. Arizona ex rel. Sullivan, 325 U.S. 761 (1945). The implications of states’ residuum of power have come into focus in recent years with the advent of widespread internet use.

 

The federal government has enacted some laws regulating the internet. See, e.g., Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (1986). However, most of those laws deal with criminal concerns such as hacking and indecency. Other areas, including consumer data privacy protection, remain largely unexplored—even as the related questions grow increasingly important as information gathering capabilities expand daily. Unlike most European countries, the United States has not enacted uniform data privacy standards. Paul M. Schwartz, The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures, 126 Harv. L. Rev. 1966 (2013). Instead, the United States tends toward spot-regulation, targeted at specific data privacy concerns or at-risk industries. The closest the United States has come to uniform standards is the Federal Trade Commission’s authority to prosecute “unfair” business practices, which the FTC has interpreted to allow regulation of data protection practices. See Plaintiff’s Response in Opposition to Wyndham Hotels and Resorts’ Motion to Dismiss, FTC v. Wyndham Worldwide Corp., 2012 WL 4766957 (D.Ariz.).

 

Some states, perceiving a gap in privacy protections, have attempted to enact regulations to address privacy threats themselves. Among these states, California has taken a lead role. In 2003, California enacted the Online Privacy Protection Act, which required that websites display a privacy policy, and inform users of any means that exist for viewing or modifying data tied to them. California Business & Professional Code § 22575 (West 2005).

Because website administrators usually cannot be sure where their users reside, they generally comply with regulations like OPPA by developing system-wide modifications that bring their entire structure into compliance for all users, rather than attempting to spot-comply for users that seem to be located within a given state. American Libraries Association v. Pataki, 969 F. Supp. 160, 183 (S.D.N.Y. 1997). The uniform approach is usually more economically efficient than maintaining two or more separate versions of their site and serving to users in a given state the version compliant with that state’s laws, at the risk of liability in the event that their location identification methods fail. In the case of OPPA, millions of websites complied by posting their privacy policies—including, for example, local news websites aimed at niche geographic markets thousands of miles from California. Jonathan I. Ezor, Privacy and Data Protection in Business: Laws and Practices, 45 (2012).

 

Despite its nationwide effects, Lexis and Westlaw searches fail to reveal any dormant commerce clause challenges to OPPA. However, California is set broadly to expand beyond existing online privacy laws with regulations that may not escape litigation. Governor Jerry Brown recently signed into law several pieces of legislation governing online privacy. Cynthia Larose & Jake Romero, Golden State Privacy Warriors: California Has Just Passed a Number of Data Privacy Laws; Here Are Your Next Steps, Mintz Levin Privacy & Security Blog, (10.08.2013), http://www.mintz.com/newsletter/2013/Advisories/3450-1013-NAT-PRIV/index.html. One law requires that websites develop an “eraser button” for information that minors have posted about themselves. California Business & Professional Code § 22580 (West 2013). Another adds login information to the scope of an existing data breach disclosure requirement, mandating that businesses notify consumers whose covered data may have been compromised by mistake or by hackers. California Civil Code §§ 1798.29 and 1798.82 (West 2013). California’s Attorney General just approved a 2014 ballot measure that would impose unprecedented restrictions on the sharing of personally identifying information between businesses. Julian D. Perlman, Opening The Flood Gates? California Voters May Create Presumption Of Harm In Privacy Breach Cases, Mondaq (Oct. 2, 2013), http://www.mondaq.com/unitedstates/x/266604/Data+Protection+Privacy/Opening+The+Flood+Gates+California+Voters+May+Create+Presumption+Of+Harm+In+Privacy+Breach+Cases. Additionally, one Forbes columnist points out that California lawmakers considered 215 bills containing the word “internet” this legislative session. Eric Goldman, California’s New ‘Online Eraser’ Law Should Be Erased, Forbes (Sept. 24, 2013), available at http://www.forbes.com/sites/ericgoldman/2013/09/24/californias-new-online-eraser-law-should-be-erased/2/.

 

As states begin to explore the data privacy space more over the coming years, the dormant commerce clause question will become more pressing. Although OPPA has escaped judicial review thus far, that is likely due to the ease with which a website can comply with its requirements—generally, a website needed only to copy-paste some boilerplate onto a new or existing webpage to be in compliance. Under the Pike balancing test for facially neutral laws with interstate commercial effects, that burden might be insufficient to render the law unconstitutional. See Pike v. Bruce Church, Inc., 397 U.S. 137 (1970). Even if that burden were sufficient to invalidate the law, it likely is cheaper for those affected by the law simply to comply than to spend money on a legal challenge. Much of California’s newer privacy legislation—perhaps representative of coming legislation in other states—presents a substantially higher burden than does OPPA. Consequently, these laws create a greater incentive for businesses to file suit, and face a more difficult battle in court when the challenge occurs.

 

In the context of state power to compel businesses with websites to develop new mechanisms to comply with state laws, an important question will be how Pike balancing applies to privacy regulations. This inquiry presents several issues, chief among them being whether privacy concerns lie within the residuum of state power under the commerce clause, and if so, whether courts will afford them as much weight as health and safety concerns. If privacy is a matter of local concern, a second important question will be the extent to which different models of internet regulation burden interstate commerce. Another question will be how federal action on online privacy issues might affect state power. An analysis of these issues should allow a proposed standard by which a court might evaluate state internet privacy regulations. Initially, one underappreciated factor seems to be the distinction between regulations that fundamentally alter a given business model by forbidding existing practices or commanding development of new functions—like the eraser law—and regulations with which a business may readily comply through existing infrastructure—like posting an OPPA privacy policy on a webpage.
