Internet Privacy: The Case For Pre-emption

Shane Ham, Senior Policy Analyst, Technology and New Economy Project
Progressive Policy Institute

Internet Privacy: The Case For Pre-emption [pdf]

The battle over legislation to regulate privacy on the Internet has raged for years without resolution in Congress. Privacy advocates, giving voice to consumer fears about the use of computers to track their online behavior, have argued for tight controls over what may be done with personal information with explicit permission from consumers. Internet companies and other businesses with a presence on the World Wide Web have argued for greater flexibility in using personal information and a presumption that those uses are allowed unless consumers specify otherwise. This stalemate has brought increasing pressure on state legislators to pass laws regulating Internet privacy. No matter how the specific issues of Internet privacy are resolved, one thing is certain: any law governing Internet privacy must be passed by Congress, not the states.[1]

This categorical statement is not driven by skepticism toward state legislators or regulators. Quite the contrary � state governments are vital to our federalist system, and states frequently act as laboratories of democracy in which governing practices are tested and the best adopted by other states and the federal government. Moreover, the important role of consumer protection � which arguably covers the issue of Internet privacy � is by tradition primarily a state responsibility, a responsibility that state attorneys general and other officials take very seriously. Still, the Internet presents a special case.

The Internet � which includes uses as diverse as the World Wide Web, e-mail, instant messaging, voice over IP, interactive gaming, videoconferencing, and countless others � is fundamentally a cross-border technology.[2] The packet switching architecture for moving data is designed to seek the easiest route across the network, without regard to legal boundaries. Even under a regulatory regime that does not trigger jurisdiction because a packet of data traveled through a state on a dumb pipe, cross-border transactions are the norm.[3] In any given web page visit, for example, the odds are slim that the visitor, the web site operator, the visitor's Internet Service Provider (ISP), and the operator's servers will all be located in the same state. This simple fact is what makes the Internet a powerful information tool, and what makes it necessary to take a federal approach to regulation.

Just as it is indisputable that Congress has the authority to regulate Internet privacy, it is equally clear that state-by-state regulation of Internet privacy would do more harm than good, for several reasons:

Compliance with a patchwork quilt of state privacy laws is an unnecessary burden on Internet operators. One of the most important changes the Internet has brought to the economy is the ability of entrepreneurs and activists to reach a large market or audience with very low barriers to entry. Anyone with access to a personal computer can start an Internet newspaper. Add a bank account and some encryption and anyone can start an Internet-based business. Though the dot.com bubble took this potential to an optimistic extreme, it nevertheless represents an important economic and technological innovation.

State-by-state regulation of privacy, however, could tear it down. While it is possible for large banks and retail chains with physical presence in every state to keep track of 51 different regulatory regimes, doing so is virtually impossible for a company that is just starting up. It becomes even more difficult for political activists, who could find themselves the targets of state governments eager to shut them down (through ruinous legal liability, if not directly) on the basis of a technical violation of a privacy law. Having a single federal privacy law makes it much easier for small Internet operators to operate with regulatory certainty, free of the fear that they are violating laws they don't have the resources to track.

State-by-state regulation of Internet privacy is effectively one-state regulation. When faced with a myriad of differing laws and rules, an Internet operator that wants to reach users in every state has two choices: either invest the resources to learn the rules of each state and structure the Internet services to comply with each set of rules depending on the location of the user, or simply comply with the strictest set of rules. Because it is so much easier to follow one set of rules, most Internet operators will simply comply with whichever set of rules is the toughest, even if that means over complying with state laws that are not so restrictive. This tendency, an outgrowth of the essential cross-border nature of the Internet, negates both the purpose and the advantages of state-by-state regulation. It effectively imposes a nationwide set of rules, but allows the legislature in only one state to set the rules for the rest of the country.

Many people think the likelihood of such a scenario is slim, and that fears of one state setting the laws for an entire country are exaggerated, but experience shows it to be a legitimate concern. In Europe, where concern for personal privacy is much stronger than in the United States, the European Union has issued Internet privacy rules that are far more restrictive than any seriously contemplated in the U.S. To help ensure that data would continue to flow across the Atlantic, the U.S. and the EU negotiated a safe harbor agreement that, while not as restrictive as the EU rules, was more restrictive than anything the U.S. is likely to enact. To gain the benefits of deemed compliance that the safe harbor agreement provides, scores of companies that do business in Europe have structured their privacy policies to comply with the terms of the safe harbor agreement, effectively allowing the EU to play a role in setting privacy regulations for U.S. companies. The very same process is likely to play out if Internet privacy is regulated by the states.

State-by-state privacy regulation risks balkanizing the Internet. Of course, it is possible that a state could write an Internet privacy law that is so restrictive that no Internet operators located outside that state would want to comply with it. The only alternative, then, is to refuse transactions with residents of that state.[4] A state that sets out with the best of intentions to protect its citizens from privacy violations could end up cutting its citizens off from the Internet entirely, or restricting them to a subset of the Internet made up of operators who are willing to comply with that state's restrictive law. This partitioning of the Internet � You may not access this part of the Internet because of your physical location � utterly undercuts the fundamental power of the medium.

Perversely, state-by-state privacy regulation causes privacy invasions. Even under a best-case scenario � every Internet operator chooses to comply individually with every state law on Internet privacy � compliance can only come at the risk of losing privacy for one simple reason: the operator must know the physical location of the user before delivering content or services. Only by knowing the user's location in advance can an Internet operator deliver the proper notifications of privacy policies, place compliant browser cookies (or refrain from doing so), and so on.

Moreover, because records would need to be maintained to defend against enforcement actions or lawsuits, each Internet operator would have to resort to de facto tracking of users. For example, a business traveler with a laptop might dial into his ISP from a different state every week.[5] To ensure compliance with the privacy laws where the traveler is currently located, the ISP would have to determine where the user is physically located, either by asking or by some automated means (such as Caller ID on the phone line used to connect). The user would, in effect, be giving his ISP detailed records of his travels, which the ISP would dutifully record. This is exactly what privacy advocates want to avoid: gathering information that is not technologically necessary to facilitate the transaction.

Of course, some states might choose to regulate only the hosts that are located in their jurisdictions; in the international context this is known as the country of origin vs. country of destination debate. Basing privacy regulations only on state of origin is certainly less burdensome than basing them on the user's location, but it still creates a muddle of conflicting laws that itself constitutes an unnecessary burden on the Internet. Moreover, unlike the physical world � where customers of a store located in Ohio presume that the store is subject to Ohio's laws � users generally aren't aware of the state laws under which hosts operate. Without certainty, the origin-based privacy regulations would not meet their goal of adding to the environment of trust for Internet transactions, and would therefore constitute a useless burden. It should also be noted that state of origin privacy laws are likely to be the exception rather than the rule; privacy laws are designed to protect consumers and users, which makes state of destination regulation very tempting for state officials.

State-by-state privacy laws make third party enforcement and consumer education more difficult. Writing a privacy law is easy, but ensuring that Internet operators comply with the law is far more difficult. If lawmakers assume that their privacy laws are a necessary condition for an environment of trust, then effective enforcement will also be a necessary condition. Because it is difficult to monitor every Internet operator and their back-end data practices, third parties such as seal programs will be necessary.

Ideally, a seal program or other third party enforcer would operate to insure and ensure the privacy practices of an Internet operator. The enforcer would insure the operator by assuming financial (but not criminal) liability for privacy violations, giving the operator both regulatory certainty and a safe harbor for government or private actions. In exchange for assuming such liability, the enforcer would ensure that the operator's practices do in fact meet the requirements established by the enforcer and/or the law. This puts more cops on the Internet privacy beat, and it will be the Internet operators that pay for the privilege. This will only work, however, if there is a single set of privacy laws for which the enforcers must insure and ensure. A patchwork quilt of laws makes such programs cumbersome (just as it does for individual operators) and sets the bar at the strictest rules (just as it does for individual operators).

More importantly, a patchwork of laws works against non-regulatory efforts to protect privacy. Over the past decade, experience has shown that the best way for Internet users to protect their privacy is self-help � learning about the dangers of the Internet, their rights, and the available privacy tools. Conflicting state laws only add to user confusion and make nationwide education efforts (by private organizations or government agencies like the Federal Trade Commission) more difficult.

The debate over whether a privacy law should be passed, and what it should contain if it does, will go on. The debate over whether states should pass their own laws should end, even if states are tempted to take action because Congress seems unable to gain consensus on the issue. To do otherwise is to risk doing far more harm than good, both to user privacy and to the Internet itself.

Notes

[1] Though such details are beyond the scope of this paper, the Progressive Policy Institute has offered a detailed list of provisions that any good Internet privacy law should contain. The report, Online Privacy and a Free Internet: Striking a Balance, can be found at http://www.ndol.org/documents/e-privacy2.pdf.

[2] Because of its cross-border nature, the Internet is not only an interstate phenomenon, but also an international one. However, there are numerous obstacles to regulating the Internet on an international basis the way the United States could regulate it on an interstate basis. For more information, please see the PPI report, A Third Way Framework for Global E-Commerce, at http://www.ndol.org/documents/global_ecommerce.pdf.

[3] As used here, the term transaction does not apply merely to the exchange of money for goods or services, but to any interaction between an Internet user and an operator that might trigger a privacy regulation. This can include merely logging on to an ISP, or accidentally visiting a web site by mistyping a web address in a browser.

[4] The deciding factor between a one-state regulatory scenario and a balkanization scenario is the relative size and market power of the state in question. If California were to pass a very restrictive privacy law, most Internet operators would probably obey it, however grudgingly. If the very same restrictive law were passed in North Dakota, Internet operators would be more willing to forego transactions with users who declare themselves to be residents of North Dakota.

[5] The only way to avoid this conundrum would be to write a state privacy law that applies only to residents of a state and only when those residents are physically present in the state, but such a law would be impractical and virtually useless.