2025 is kicking off with several new comprehensive state privacy laws taking effect – with Delaware, Iowa, Nebraska, New Hampshire and New Jersey’s laws all taking effect in January and a total of 19 state laws either in effect or a countdown ticking to their effective dates.
While many of these laws look and feel like copycats of other state laws that are already in effect, the real catalyst for each of these laws can be traced back to EU privacy regulation (with the 2018 effective date of GDPR being the biggest driver). This is the Brussels Effect at work and on full display in the US privacy patchwork. If you haven’t read Anu Bradford’s book The Brussels Effect and you work in privacy, it’s worth adding to your reading list this year. I read it a couple years ago and have looked at state privacy laws and industry lobbying different since.
In the book, Bradford breaks down just how the EU drives privacy globally through both the de facto Brussels Effect (companies adopting practices that comply with EU privacy regulation on a global scale) and the de jure Brussels Effect (when jurisdictions outside the EU embrace GDPR-like comprehensive privacy laws). While The Brussels Effect is applied to other regulations in the book, the five key elements make privacy regulation a perfect storm for “unilateral regulatory globalization.”
- Market Power
- Regulatory Capacity
- Stringent Standards
- Inelastic Targets
- Non-Divisibility
Market Power
The EU’s population of roughly 450 million people makes up a substantial market force as global companies seek to offer their goods and services to this massive market. As a result, the regulatory power of the EU reaches broadly around the globe to impact the compliance and governance of US and other third countries’ firms.
Regulatory Capacity and Stringent Standards
The EU’s “[r]egulatory capacity refers to [its] ability to promulgate and enforce regulations,” and is “often closely associated with . . . the propensity to promulgate stringent rules.” The capacity to regulate privacy by a relatively small regulatory body like the EU is bolstered by the delegation of GDPR enforcement to EU members states. The preference for stronger privacy rights that stem from the EU’s desire to treat privacy as a human right and offer stringent protections for its citizens through regulation. See The Brussels Effect at 41 (quoting Commission President Jean-Claude Junkcer, “I will not sacrifice Europe’s safety, health, social and data protection standards . . . on the altar of free trade.”)
Inelastic Targets
Bradford’s inelastic target, as it relates to privacy law regulation, is demonstrated through “[t]he inelastic nature of consumer markets[, which] does not leave producers with a choice regarding the jurisdiction; they cannot ‘shop’ for favorable regulations without losing access to the regulated market.” The Brussels Effect at 48.
Non-Divisibility
Finally, the non-divisibility of global privacy regulation is demonstrated by the inefficiency to embed data protection tools, technology, and processes for different jurisdictions on a global scale. Of course, there are situations where tech companies use local cloud environments for EU data subjects; however, it’s harder to scale product features and teams across the entire tech stack than it is to embrace a data protection scheme that works across the globe. Additional fallout from that non-divisibility encourages global firms to lobby for consistent regulations that will impact local competition in the US and other third countries.
19 Laws and Counting
While California was a bit of a wildcard from a lobbying and drafting perspective, industry has continued to lean in to influence everything from the failed Washington Privacy Act that was reborn in Virginia and every other state along the way for a thematically consistent GDPR-lite framework with a regulatory lineage back to Brussels.
The European Union recently updated its privacy law through the passage and implementation of the general data protection regulation, affording its residents the strongest privacy protections in the world. Washington residents deserve to enjoy the same level of robust privacy safeguards.
– from Legislative Findings in the failed Washington Privacy Act (S. 5376, 66th Leg., 2019 Reg. Sess. (Wa. 2019)).
The Brussels Effect is full steam ahead in the US privacy landscape and we’re sure to see more state privacy laws passed in 2025. And buckle up for the upcoming deluge of AI regulation to accompany the privacy patchwork – brought to you by The Brussels Effect!