CCPA, CPRA, VCDPA, SHIELD. Fifty separate state legislatures (not to mention citizen activists) have given U.S. businesses an alphabet soup of privacy and cybersecurity regulations. This creates inefficiencies for professionals entrusted to protect personal and commercial data, who must spend additional time navigating the question of which regulations actually apply to their clients, and, perhaps more importantly, it raises questions about the efficacy of these laws and regulations. While the stated goals of these statutory schemes are laudable, in practice, professionals tasked with protecting privacy and data, and responding to security incidents, have found it difficult to implement a cost-effective approach to compliance on behalf of their clients. As a result, many professionals have begun advocating for a uniform national system of privacy rights and cybersecurity expectations, as well as codified safe harbors and privileges that would allow such professionals to conduct their vital work without fear that it will become litigation fodder. This article examines some of the challenges created by the kaleidoscope of state-level laws and regulations, as well as inconsistent case law, and analyzes potential federal-level solutions, including the recently proposed Information Transparency & Personal Data Control Act, which could provide consistency across not only geography but industries.

“What law applies to me?” is one of the first questions a client asks a lawyer when: (1) seeking advice following a data security incident; (2) proactively trying to mitigate the impacts of a future incident; and/or (3) attempting to comply with privacy regulations. It is useful to examine how the simple question of “what law applies to me” might be answered for a hypothetical client—in this case, a start-up web-based retailer (E-tailer) based in Manhattan, with 20 employees, annual sales of $5,000,000, and 10,000 customers spread fairly evenly throughout Europe, New York, Virginia, and California.