The Patchwork Paradox: Data Privacy Regulation and the Complications of Compliance

Lydia Bayley 

Associate Editor

Loyola University Chicago School of Law, JD 2022

This spring I had the pleasure of attending a conference entitled Digital Platforms: Innovation, Antitrust, Privacy & the Internet of Things hosted by the UIC John Marshall Law School Center for IP, Information & Privacy Law. Throughout the day, panelists spoke about various topics of intellectual property, including artificial intelligence antitrust issues, and more. But for me, the highlight of the afternoon was the session on privacy issues. Here is a bit of what I learned…

Photo by Glenn Carstens-Peters on Unsplash

Data privacy regulations in the U.S. and abroad

Contrary to what many may think, the Unites States provides a partial foundation for data privacy regulation at the federal level with legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA). While these laws target and combat specific issues related to consumer information, we have yet to see a comprehensive, nation-wide data privacy plan. As usual, the United States lags behind Europe in the realm of intellectual property, privacy rights, and consumer protection.

In 2016, the European Union approved the General Data Protection Regulation (GDPR). These regulations apply to any website that attracts European visitors, even if they do not specifically market goods or services to EU residents. This means that virtually all global companies are subject, at least in some ways, to GDPR requirements. While the GDPR has resulted in increased transparency and consumer consent measures among U.S. companies doing business in Europe, panelist Cameron Krieger, Senior Counsel at Mars Incorporated, noted that there remains “an appetite in the business world for federal legislation” due to the resulting patchwork of state and international laws.

50 different ways to regulate data

In the wake of federal ambiguity in the U.S., many states have stepped in to create their own framework for data protection, most notably resulting in the California Consumer Privacy Act (CCPA). The CCPA, or as some call it, “GDPR-lite,” was signed into law in 2018 and offers arguably the most comprehensive privacy regulation standards at the state level, and has since inspired a surge of state-wide legislation.

Despite the similarities in their basic foundations, most states have enacted their own variations on these laws. With 50 different definitions of what qualifies as personal information and what actually triggers a privacy violation, many of the panelists voiced their concerns that this patchwork model places unprecedented burdens on businesses to ensure compliance across the country. Furthermore, if compliance with these requirements is not carefully monitored, businesses have the potential to incur massive amounts of liability, such as what we have seen in Illinois under the Biometric Data Privacy Act (BIPA), which has brought about a flood of class action lawsuits in recent years.

All of these variations on data privacy across the United States leave many experts questioning how businesses can possibly ensure adherence to all of these laws without incurring massive compliance costs. But Robert Newman, Co‐Chair of Privacy, Security & Data Innovations at Loeb & Loeb, said that he believes we have gotten too bogged down in the idea that businesses will have 50 different standards to meet. He challenged that the majority of breach-notification statutes are, in fact, rather similar. And when there are discrepancies between states, he offered a solution to ensure compliance across the board: businesses should simply draw their policies to the most restrictive state, thereby meeting all standards at once. While Newman offered a perfectly viable solution to the state-by-state patchwork problem, the question remains as to whether or not federal data privacy regulations are yet to come.

The potential for a unifying federal regulation system

When asked if they believe some form of unifying federal legislation is on the horizon, many of the panelists were not so optimistic, and those that were still maintained that such legislation would not come to fruition anytime in the near future.

Panelist Liad Wagman, Senior Economics and Technology Advisor for the Federal Trade Commission, explained that there are concerns over the costs of implementing a GDPR-like system here in the United States. Even if legislation were adopted, the federal government would then need to provide some system of enforcement, the means of which at this stage are unclear.

What we can take away

While the panelists offered several potential solutions to the country’s current shortcomings on the front of data privacy regulation, the afternoon’s discussion only seemed to make one thing clear: we are far from agreeing on what the best course of action is for managing data privacy regulations. Regardless of these limitations, the data industry shows no signs of stalling growth, meaning that we need to come to some sort of consensus sooner rather than later.