Another year is coming to a close without a federal privacy bill
State initiatives and congressional inertia have left privacy law in limbo. Here are the scenarios gamed out.
ICYMI: I recently published a new paper with my colleague, Aubrey Kirchhoff, titled "The Political Economy of the CHIPS and Science Act." Here is the nutgraf: “Chip fabrication faces unique economic conditions that tend to push out supply lines to Taiwan, South Korea, and China. When COVID hit, the reliance on Chinese and East Asian production became clear as supply chain issues arose, creating the crucible for the CHIPS and Science Act.”
The year is about to close out, and still, a federal privacy law remains out of reach of Congress. Twelve states now have privacy bills, seven of which passed this year.
Earlier this semester, I talked with a student fellow about this stalemate between the states and Congress on privacy, and to help him understand the friction, I gamed out the scenarios.
There are two scenarios, option A and option B. Option A is the baseline; it's what is happening right now. In option A, privacy bills are passed in each state house, expanding from the current 12 states to all 50 states. Option B involves a negotiated federal privacy bill in Congress.
There is precedent for option A in the development of data breach notification law in the United States. Back in 2002, there were zero data breach laws. These laws force companies to announce when they have been breached. Slowly, one by one, states started adopting data breach notification laws. Now, every state has one.
Option B is a negotiated agreement in Congress, a federal privacy bill. There have been calls for privacy legislation going back decades now. Still, the fact that Congress hasn’t passed anything underscores how much political capital would have to be spent to achieve an agreement.
The most recent vehicle for privacy has been the American Data Privacy and Protection Act, or ADPPA. (Find the text of the bill here.) A brief history of the bill helps in understanding the tensions.
Sometime in January 2022, Democrats in Congress reached out to the Republicans on privacy. What came from this discussion was ADPPA, which was jointly released on June 3, 2023, by key members of the House and Senate Commerce Committees. It would establish a comprehensive consumer data privacy framework.
Democrats had control of both chambers in 2022 with a slim majority in the Senate, and still, they couldn’t get privacy passed. By all accounts, Senator Cantwell is the holdup on privacy.
The so-called four corners discussion between Pallone, Rogers, Wicker and Senate Commerce Committee Chairwoman Maria Cantwell (D-Wash.) broke down over concerns Cantwell had about enforcement and preemption, according to an aide.
Preemption has always been a sticking point. Under ADPPA's preemption, Illinois could keep its biometric privacy law, but every other state and city statute would be struck down, including California’s privacy bills. Option B would prevent option A. In other words, the two choices create a binary.
So why not just let it ride and allow states to create a patchwork of privacy bills? What’s the harm in option A?
If anything is clear about this space, it is that privacy bills impose costs, which I compiled here.
Because every bill is slightly different in construction, each unique in breadth and specificity, compliance will differ from state to state. Each state privacy bill means additional costs for firms that must comply with the law, like Meta and Google. It also means additional litigation risk. Complying with 50 versions of a privacy regime is costly and risky, so forcing this onto the federal level simplifies the litigation risk.
I remember talking to one person in a big tech legal team, and they said something I will never forget about the patchwork of state privacy bills.
“We will be defensible, but I am not sure we could ever be technically compliant.”
Their quip, however, speaks to a more fundamental feature of privacy bills. Any firm caught up in the scope of a bill will need to pursue technical compliance. But it is an elusive target for even the best-paid and most legal teams.