Only a few decades ago, data was described as “the sludge of the information age — stuff that no one has yet thought very much about” (Lucky, 1989; Levitin & Redman, 1998: 89). Now, scholars refer to the widespread commercial practice of “trafficking in human information” (Richards and Hartzog, 2021: 967). Although much has changed, US jurisdictions have only recently started to adopt broad data privacy laws. This new wave of data privacy laws began with enactment of the California Consumer Privacy Act (“CCPA”) in 2018. Subsequently, Virginia and Colorado enacted “comprehensive” consumer privacy laws in 2021, followed by Utah and Connecticut in 2022. At the federal level, Congress has failed to enact broad privacy legislation, although significant bi-partisan steps were taken in 2022 with the American Data Privacy and Protection Act (“ADPPA”).
Conventional wisdom suggests that the growing interest in omnibus data protection laws in the US has been driven by adoption of the GDPR in the EU (Schwartz, 2019; Chander et al., 2021). An alternative theory of catalysis posits that American data privacy laws differ significantly from the GDPR and are more likely inspired by the CCPA, adopted just a month after the GDPR went into effect in Europe (Chander et al., 2021: 1733-1734). Despite resembling data protection law, Chander et al. (2021) argue that the CCPA, “differs significantly—and consciously—from the European model . . . [offering] a fundamentally different regime for data privacy” (p. 1736), one that lacks “major structural elements of the GDPR” (p. 1746). Yet again, while either might have been the impetus, the current swath of laws being adopted and proposed in the last few years often appear to follow the what has been called the “Virginia Model” (Sabin, 2021)—copying and replicating many aspects of Virginia’s Consumer Data Protection Act of 2021 which was based on legislative language proposed previously in Washington State—even if their impetus was the CCPA.
In this article, we present a comparative legal analysis of the material scope of the broad consumer data privacy laws adopted in California, Virginia, Colorado, Utah, and Connecticut, and contrast these against related provisions of the GDPR. This moves beyond existing comparative studies in the literature. We also examine related provisions of the ADPPA (as proposed) and model bills by the American Law Institute (Solove and Schwartz, 2022), Uniform Law Commission (2022), and Consumer Reports (2021). We compare how each of these laws (or legislative proposals) define and scope their subject matter (e.g., what constitutes “personal data”), how they define data subjects, what amounts to data processing, and which entities are obligated to respect the data subjects’ rights provided by these laws. We demonstrate how the state laws are more limited in most respects than the GDPR, and how their framing as consumer protection laws significantly limits their applicability and restricts their ability to adequately address the broad range of data privacy problems that confront contemporary society.
Drawing from neorepublican political philosophy (e.g. Pettit, 2012), we also analyze how well these laws ensure some measure of what Pettit (1996) calls “antipower”—that is, the power to resist the possibility of arbitrary or uncontrolled interference by others. This analysis is informed by Julie Cohen’s notion of “semantic discontinuity” (Cohen, 2013, 2012), which helps us argue for ways in which data privacy law could better promote antipower and reduce the possibility of informatic domination. We question whether the material scope of these laws adequately captures and protects the underlying interests that appear to have motivated their adoption, such as privacy and the need to protect people from other data-driven harms. Finally, we examine to what extent the material scope of these laws—including how they protect privacy interests and limit corporate power—contributes to promoting neorepublican notions of liberty, non-domination, and antipower. We argue that most of these laws generally fail to adequately constrain commercial data markets in many contexts. In the end, they do little to reign in corporate and state power to collect and use personal data and represent a missed opportunity to provide much more significant protections for individual data privacy rights in the United States.