Settling Data Protection Law: Multistate Actions and National Policymaking

51 Pages Posted: 16 Apr 2020

See all articles by Elysa Dishman

Elysa Dishman

Brigham Young University - J. Reuben Clark Law School

Date Written: April 15, 2020


The state of data privacy and cybersecurity law in the United States is as unsettled as it is unsettling. By failing to pass comprehensive data protection legislation, Congress has settled for uncertainty. And the Federal Trade Commission (FTC), the primary federal agency that oversees data protection, regulates data practices predominately through settlements of enforcement actions. These settlements include corporate structural reforms that become de facto regulations by shaping corporate practices nationwide.

But the FTC is not the only enforcer to regulate data practices via settlement. State attorneys general (AGs) have become increasingly prominent data policymakers. AGs have banded together in multistate enforcement actions in response to high-profile data breaches. Like the FTC, AGs require corporations to undergo structural reforms as terms of multistate settlements. But AGs have charted new paths in multistate settlements, innovating structural reforms and other terms in settlements. These innovations can act as a catalyst to spur the FTC to demand more aggressive structural reforms in their settlements going forward. The future of data regulation will likely be shaped by more aggressive federal and multistate enforcement settlements.

And that is unsettling. Scholars, courts, and commentators have raised concerns about agencies engaging in regulation by settlement. However, those concerns have not been considered in light of the rise of multistate enforcement actions. Unique attributes of multistate enforcement exacerbate concerns about regulation by settlement and at the same time raise entirely new ones. This Article explores how AGs can continue to play a vital role in data protection policymaking while reducing concerns about regulation via multistate settlement.

Keywords: data privacy, cybersecurity, data protection, Federal Trade Commission, regulation, data breach, multistate settlement, settlement, policymaking, enforcement, attorney general

Suggested Citation

Dishman, Elysa, Settling Data Protection Law: Multistate Actions and National Policymaking (April 15, 2020). Alabama Law Review, Forthcoming, BYU Law Research Paper No. 20-12, Available at SSRN:

Elysa Dishman (Contact Author)

Brigham Young University - J. Reuben Clark Law School ( email )

430 JRCB
Brigham Young University
Provo, UT 84602
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics