I’m very pleased to announce that my new paper, “Regulating the US Consumer Data Market: Comparing the Material Scope of US Consumer Data Privacy Laws and the GDPR” (with Nadya Purtova, Young Eun Moon, and Hugh Paterson) will be published in volume 45 of the University of Pennsylvania Journal of International Law in AY 2023-24. We are planning some revisions to the paper to make it read more clearly and a little more succinctly, and welcome feedback! The paper will also be workshopped at the Privacy Law Scholars Conference (PLSC) in Boulder, Colorado, in June.
You can access the draft manuscript here.
The abstract:
This article compares the material scope of all of the comprehensive consumer data privacy (or data protection) laws currently enacted in the United States [as of the end of 2022] with each other and with the European Union’s General Data Protection Regulation (GDPR). Our comparative analysis covers five broad state consumer data privacy laws, including those adopted in California, Virginia, Colorado, Utah, and Connecticut, and contrasts these against each other and the GDPR. We also include some comparative analysis of the American Data Privacy and Protection Act (ADPPA), which has been recently proposed in the US Congress, as well as model legislation promulgated by the American Law Institute (ALI), Uniform Law Commission (ULC), and Consumer Reports. We compare how each of these laws (and proposed or model laws) define and scope their subject matter (e.g., what constitutes “personal data”), how they define data subjects, what amounts to data processing, and which entities are obligated to respect the data subjects’ rights provided by these laws. We demonstrate how the existing state laws are more limited in most respects than the GDPR, and how their framing as consumer protection laws significantly limits their applicability and restricts their ability to adequately address the broad range of data privacy problems that confront contemporary society. Drawing on neorepublican political philosophy, we argue that most of these laws generally fail to adequately constrain commercial data markets in many contexts and that they also fail to address the problem of law enforcement agencies acquiring personal information from the commercial sector—ultimately raising concerns about domination and the potential for uncontrolled interference by both corporate and state interests in the private lives of the data subjects who ostensibly acquire rights under the these laws. In the end, most of these “comprehensive” consumer data privacy laws at the state level in the US do little to reign in corporate and state power to collect and use personal data in many contexts and represent a missed opportunity to provide much more significant protections for individual data privacy rights in the United States.