Over the last several years, there has been a monumental shift in how regulators, companies and consumers think about data privacy and security. Companies face an untenable and growing number of state privacy, cybersecurity and data breach laws that offer significant enforcement authority to federal and state regulators while opening the door for opportunistic plaintiffs’ lawyers to seek large settlements, even when there is no apparent harm. Read More...
State privacy laws impose different (and sometimes contradictory) standards, including what types of notice and consent are required for what types of information, and when and how victims of data breaches must notify their customers. Customers may also not be required to demonstrate monetary or property losses in order to seek damages for an alleged violation. Even a technical violation of certain laws could be grounds for a private action.
A standard federal data privacy law would provide much-needed certainty for businesses and protect them from abusive and overlapping enforcement. The Federal Trade Commission should be the sole authority of data privacy enforcement, and should work to prevent and punish behavior that actually harms consumers. Finally, a federally enforced privacy framework should not create a private right of action, which would only add to the tremendous lawsuit cost Americans already pay, while enriching lawyers and providing very little value for consumers.
Emerging technologies also suffer from outdated or poorly-conceived laws and regulations. This leaves the door open for plaintiffs’ lawyers attempting to create regulation through litigation, bogging down the economy with lawsuits. Instead, lawmakers and regulators should implement rational policy changes that strike the right balance between innovation and consumer protection, so that we have a legal environment that supports—not stifles—the creative potential of the American economy.