By Boyd Garriott, an Associate, Megan Brown, a Partner, and Wes Weeks, an Associate, with Wiley Rein LLP in Washington, DC.

Businesses in the United States face a patchwork of different state privacy and data security laws—a patchwork that is only expected to grow in the coming years.  These laws differ state by state and often include vague requirements, such as demanding “reasonable” cybersecurity controls.  With this multiplicity of state laws comes the specter of significant damages, stemming from statutorily granted private rights of action to sue.  This collection of uncertain and—often—excessively punitive state laws can be a nightmare for businesses with little clear benefit to consumers.  Luckily, this status quo is not set in stone.  Federal preemption—either via a comprehensive federal privacy law or through the courts—could solve these problems and encourage a uniform national approach to an inherently interstate digital economy.

The State Privacy Landscape Is Complex and Is Worsening

While federal policymakers and agencies consider privacy regulation, states are taking action—and not necessarily in ways that are good for business.