Why New U.S. Privacy Data Protection Law Will Preempt State Privacy Laws

Just like there is a strong inevitability case that it is a matter of when and not if U.S. online privacy/data protection legislation will pass, there is also a compelling common-sense case why U.S. Federal privacy and data protection legislation should and will effectively preempt or supersede state Internet-related privacy laws.   

California’s June passage of an EU “GDPR-light” privacy bill, has teed up the reality that states can and will fill the vacuum left by Congress’ long inaction in addressing consumer privacy protection in the 21st century – until Congress legislates.  

The fact that California is taking the lead in filling a Federal vacuum, does not mean that pending state Internet-related privacy laws will survive or be determinative long term when Congress ultimately fills the gaping vacuum.

What is happening now in the states on privacy and data protection is tactical and opportunistic, not a strategic and lasting legal or power shift.  

Let’s look at some numbers for perspective here.

After almost twenty years of the world following America’s lead in minimizing Internet privacy rights for consumers to minimize “friction” for Internet platforms’ maximal scaling and scoping of its products and services globally, that privacy pendulum began to reverse direction and gain momentum when two plus years ago the EU passed its popular General Data Protection Regulation, “GDPR,” for the EU’s 512m citizens, 411m Internet users, and 28 nations.

Importantly and tellingly the EU figured out that what was best for EU consumers and businesses, and foreign firms doing business in the EU as well, was one comprehensive and consistent EU GDPR standard rather than 28 EU countries’ partial and inconsistent rules protecting different nations.

The EU understood the core implementation math here.

In rejecting nationally covering an average of just 18m EU citizens, (i.e. 512m citizens/28 countries = 18m), the EU chose the maximal EU implementation scale, 512m EU citizens, to create optimum comprehensiveness, clarity, consistency, and economies/efficiencies of scale to best serve the EU.

Consider how the U.S. apparently does not understand this evident implementation math -- yet.    

In rejecting nationally covering 327m Americans federally, to pursue haphazard, piecemeal individual state privacy regimes that would cover an average of 6m Americans, (i.e. 327m citizens/50 states + D.C. = 6m citizens), the U.S., via state actions, is currently implicitly pursuing a U.S. approach that is 85 times less efficient than the EU! (512/6 = 85) This is obviously the wrong implementation direction.    

This tactical, inefficient, and inequitable state privacy legislation trajectory gets worse with a closer look.

California is a huge outlier state not a viable implementation template for other states to follow well.

If California was a country it would have the world’s 5th largest economy and it comprises 1/7th of U.S. GDP. As a state, California’s population is 1/8th of U.S. population and larger than all of the 21 smallest states combined, and a third larger than #2 Texas and ~twice as large as #3 Florida or #4 New York.

California even has three counties that each have larger populations than the twenty smallest States combined. Overall there are 50 U.S. counties that are larger than each of the 5 smallest states.

Think this wrongheaded trajectory through. If a state does not pass a comprehensive Internet law, should or could counties step into the State and Federal void to protect their consumers on the local level? One can now better see the fleeting nonsensical dysfunction of this state privacy legislative dynamic caused only by Congress’ extended inaction.

In addition to this unhelpful state privacy dynamic, the international dynamic, trajectory, and math augurs for U.S. Federal privacy and data protection legislative action soonest too.  

Already countries comprising almost half the world’s population and over half of the world’s Internet users, are moving away from America’s implicit industrial policy approach of protecting Internet platform interests first and foremost to the exclusion of more reasonable consumer privacy choice, transparency, and control that Americans broadly enjoyed before the Internet and want now. 

Since the EU filled a void and asserted global consumer privacy protection leadership a couple of years ago, Brazil has passed an EU GDPR-like privacy bill, China implemented cybersecurity consumer data privacy regulations last year, and India has proposed data protection laws like the GDPR.

Just like America had the first-mover advantage in Internet adoption and innovation, apparently twenty years later the EU has established a counter first-mover data-protection regulation advantage in reasonably asserting that EU Internet users warrant more control over their personal data to protect their interests, than dominant U.S. Internet platform interests have been willing to yield to date.  

Just like America invented and then propagated adoption of the Internet on American terms in relatively short order 15 to 20 years ago, now almost half of the world’s population and over half of the world’s 3.5b users have or will soon have more control over their personal data. The impact is greater than these big numbers indicate because these countries, China, India, and Brazil probably represent >90% of Internet platforms’ user growth potential. 

As long as the rest of the world sees little U.S. leadership and tangible action in protecting their citizens personal data online or enforcing antitrust/unfair and deceptive competition laws vis-à-vis U.S Internet platforms, the apparent national interests of the rest of the world’s nations is to follow the EU’s lead on these issues until the U.S. can muster a workable alternative in law that provides consumers some reasonable control over their personal data that they do not have now.    

The problem in the U.S. is the system is organized completely for the convenience of Internet platforms and not American consumers.

How is any American consumer to know which company’s part of the ecosystem’s terms-of-service apply where, for what, in what instance, when few people understand how data packets actually flow through various companies’ interstate and international commingled infrastructures, equipment, devices, software, apps, or ecosystems, or read terms-of-service, or understand them if they miraculously read them at all.

In sum, the overriding reason why new U.S. privacy and data protection law is inevitable, (and likely in the next Congress), and that states will inevitably be federally-preempted concerning data protection, is that Americans, and also consumers all over the world, overwhelming would like more control over their personal data and privacy, and overwhelming assume (incorrectly) that all parts of the Internet experience are subject to the same consumer privacy protection rules and accountability when the cold reality is the exact opposite of that collective heroic assumption.

While there is uncertainty about when the U.S. legislation will pass, and how much control Internet platforms will concede to consumers to prevent the avoidable and unworkable alternative of disastrously inefficient U.S. state data protection legislation for both consumers and businesses, it is clear U.S. Federal privacy legislation is inevitable, and that that legislation will preempt or effectively supersede State Internet related privacy laws.

If quadrillions of Internet data packet transmissions that naturally are unpredictably-routed annually over thousands of networks, platforms, clouds, apps, etc. are not “interstate commerce” jurisdiction, it is hard to imagine what would be considered interstate commerce that remains Federal not State legal jurisdiction. 

This U.S. state privacy legislation boomlet is a temporary not permanent phenomenon.



Scott Cleland served as Deputy U.S. Coordinator for International Communications & Information Policy in the George H. W. Bush Administration. He is President of Precursor LLC, an internetization consultancy for Fortune 500 companies, some of which are Google competitors, and Chairman of NetCompetition, a pro-competition e-forum supported by broadband interests. Cleland has testified before the Senate and House antitrust subcommittees on Google. Eight different Congressional subcommittees have sought Cleland's expert testimony and when he worked as an investment analyst, Institutional Investor twice ranked him the #1 independent analyst in his field.


Precursor LLC Research on Asymmetric Accountability Harms:

Part 1:   The Internet Association Proves Extreme U.S. Internet Market Concentration [6-15-17]

Part 2:   Why US Antitrust Non-Enforcement Produces Online Winner-Take-All Platforms [6-22-17]

Part 3:   Why Aren’t Google Amazon & Facebook’s Winner-Take-All Networks Neutral? [7-11-17]

Part 4:   How the Google-Facebook Ad Cartel Harms Advertisers, Publishers & Consumers [7-20-17]

Part 5:   Why Amazon and Google Are Two Peas from the Same Monopolist Pod [7-25-17]

Part 6:   Google-Facebook Ad Cartel’s Collusion Crushing Competition Comprehensively [8-1-17]

Part 7:   How the Internet Cartel Won the Internet and The Internet Competition Myth [8-9-17]

Part 8:   Debunking Edge Competition Myth Predicate in FCC Title II Broadband Order [8-21-17]

Part 9:   The Power of Facebook, Google & Amazon Is an Issue for Left & Right; BuzzFeed Op-Ed[9-7-17]

Part 10: Google Amazon & Facebook’s Section 230 Immunity Destructive Double Standard [9-18-17]

Part 11: Online-Offline Asymmetric Regulation Is Winner-Take-All Government Policy [9-22-17] 

Part 12: CDA Section 230’s Asymmetric Accountability Produces Predictable Problems [10-3-17]

Part 13: Asymmetric Absurdity in Communications Law & Regulation [10-12-17]  

Part 14: Google’s Government Influence Nixed Competition for Winner-Take All Results[10-25-17]

Part 15: Google Amazon & Facebook are Standard Monopoly Distribution Networks [11-10-17]

Part 16: Net Neutrality’s Masters of Misdirection[11-28-17]

Part 17: America’s Antitrust Enforcement Credibility Crisis – White Paper [12-12-17]

Part 18: The U.S. Internet Isn’t a Free Market or Competitive It’s Industrial Policy [1-4-18]

Part 19: Remedy for the Government-Sanctioned Monopolies: Google Facebook & Amazon [1-17-18]

Part 20: America Needs a Consumer-First Internet Policy, Not Tech-First[1-24-18]

Part 21: How U.S. Internet Policy Sabotages America’s National Security [2-9-18]

Part 22: Google’s Chrome Ad Blocker Shows Why the Ungoverned Shouldn’t Govern Others [2-21-18]

Part 23: The Beginning of the End of America’s Bad “No Rules” Internet Policy [3-2-18]

Part 24: Unregulated Google Facebook Amazon Want Their Competitors Utility Regulated [3-7-18]

Part 25: US Internet Policy’s Anticompetitive Asymmetric Accountability - DOJ Filing [3-13-18]

Part 26: Congress Learns Sect 230 Is Linchpin of Internet Platform Unaccountability [3-22-18]

Part 27: Facebook Fiasco Is Exactly What US Internet Law Incents Protects & Produces [3-26-18]

Part 28: How Did Americans Lose Their Right to Privacy? [4-14-18]

Part 29: The Huge Hidden Public Costs (>$1.5T) of U.S. Internet Industrial Policy [4-15-18]

Part 30: Rejecting the Google School of No-Antitrust Fake Consumer WelfareStandard [4-20-18]

Part 31: Why New FTC Will Be a Responsibility Reckoning for Google Facebook Amazon [4-27-18]

Part 32: “How Did Google Get So Big?” Lax Bush & Obama FTC Antitrust Enforcement [5-23-18]

Part 33: Evident Internet Market Failure to Protect Consumer Welfare -- White Paper [5-31-18]

Part 34: What Happened Since FTC Secretly Shut 2012 Google-Android Antitrust Probe? [6-8-18]

Part 35: Buying WhatsApp Tipped Facebook to Monopoly; Why Didn’t FTC Probe Purchase? [6-19-18]

Part 36: The Sea Change Significance of Simons-FTC Privacy and Antitrust Hearings [6-27-18]

Part 37: New U.S. Privacy & Data Protection Law Is Inevitable Like a Pendulum Swing [7-9-18]

Part 38: Why a US v. Google-Android Antitrust Case Is Stronger than US v. Microsoft [7-16-18]

Part 39: Google-Android’s Deceptive Antitrust Defenses Presage a US v. Alphabet Suit [7-20-18]

Part 40: Case Study of Google Serial Over-collection of Private Data for FTC Hearings [7-30-18]

Part 41: The Unfair and Deceptive Online-Offline Playing Field – FTC Hearing Filing [8-7-18]

Part 42: What Most Stunts FTC Antitrust and Consumer Protection Law and Enforcement? [8-21-18]