Data Protection in the Digital Economy: Legislating in Light of Sorrell v. IMS Health Inc.

Abstract

Consumers overwhelmingly believe that companies do not do enough to protect their personal data. As Congress considers federal data protection legislation, it must ensure that any proposed legislation comports with the First Amendment. In 2011, in Sorrell v. IMS Health Inc., the U.S. Supreme Court determined that a Vermont law prohibiting the use of physician-prescribing records for marketing purposes violated the First Amendment. At the heart of Sorrell is that shared data, unlike a traditional commodity like oil, conveys information and is thus First Amendment-protected speech. Since Sorrell, the use and retention of data, specifically personal data, has exploded and is only expected to increase. Nevertheless, the United States currently lacks comprehensive federal data protection legislation. To fill this legislative gap, state legislatures have begun to pass data protection laws. These laws apply either to specific types of data—such as biometric information or Internet service provider customer information—or simply all consumer data. As state and federal legislative efforts advance, lawmakers must consider the lessons from Sorrell to ensure that new legislation protects consumer privacy interests without infringing on data holders’ protected speech. This Note argues that most data protection legislation will likely survive First Amendment scrutiny under Sorrell because the legislation establishes baseline personal data privacy rights while still generally allowing businesses to use personal data so long as they are transparent.