Settling Data Protection Law: Multistate Actions and National Policymaking

49 Pages Posted: 16 Apr 2020 Last revised: 29 Jun 2023

Elysa Dishman

Brigham Young University - J. Reuben Clark Law School

Date Written: April 15, 2020


Data privacy and cybersecurity law in the United States is as unsettled as it is unsettling. By failing to pass comprehensive data protection legislation, Congress has settled for uncertainty. And the authority of the Federal Trade Commission (FTC) to enforce and seek remedies in this area has been challenged by litigants, including a case currently pending in the U.S. Supreme Court. Nevertheless, FTC enforcement settlements play a vital role in data regulation. These settlements include corporate structural reforms that become de facto regulations by shaping corporate practices nationwide.

State attorneys general (AGs) have become increasingly prominent data policymakers through enforcement settlements. AGs have instigated a series of high-profile multistate actions in response to data breaches. Like FTC settlements, multistate settlements also regulate data practices nationwide by requiring corporations to undergo structural reforms. FTC and multistate settlements have distinct differences that are outgrowths of their institutional attributes and enforcement authority that give them each comparative data enforcement advantages. The FTC and AGs may also engage in "borrowing" one another's enforcement strengths to augment their power to regulate by settlement. As a result, the future of data protection regulation will likely be shaped by more aggressive federal and multistate settlements, rather than by comprehensive legislation or agency rulemaking.

And that is unsettling. Courts and commentators have raised concerns about regulation by settlement. But those concerns have not been considered in light of the rise of multistate enforcement actions. Unique attributes of multistate enforcement exacerbate existing concerns about regulation by settlement, and at the same time, raise entirely new ones. This Article explores how AGs can continue to play an important role in data protection policymaking while reducing concerns about regulation via multistate settlement.

Keywords: data privacy, cybersecurity, data protection, Federal Trade Commission, regulation, data breach, multistate settlement, settlement, policymaking, enforcement, attorney general

Suggested Citation

Dishman, Elysa, Settling Data Protection Law: Multistate Actions and National Policymaking (April 15, 2020). 72 Alabama Law Review 839 (2021), BYU Law Research Paper No. 20-12, Available at SSRN:

Elysa Dishman (Contact Author)

Brigham Young University - J. Reuben Clark Law School

430 JRCB
Brigham Young University
Provo, UT 84602
United States
