•  
  •  
 
Vanderbilt Journal of Entertainment & Technology Law

First Page

119

Abstract

Over the past six years the United States has shifted from a relatively stable and laissez-faire privacy regime, anchored by a few, sector-specific federal statutes such as the Health Insurance Portability and Accountability Act, to an increasingly fragmented landscape dominated by numerous state-level consumer privacy laws. While these laws share commonalities, they also vary in important ways. This Article analyzes that patchwork legal regime and its impact on businesses through four points of friction: (i) statutory applicability and thresholds; (ii) notice-and-choice requirements; (iii) individual data-management rights; and (iv) controller–processor contracting obligations. This Article further explores how modern service-delivery models, especially software-as-a-service and AI tools, undermine the traditional controller—processor dichotomy, leaving the entities that exercise the greatest de facto control over personal data with the fewest direct statutory duties. Concluding that incremental state legislation is unlikely to resolve these flaws, the Authors advocate for a unified privacy framework that would focus regulatory obligations on the nature and risk of the processing rather than arbitrary data categories, thus providing clearer compliance pathways for businesses and stronger privacy protections for individuals.

Download

Share

COinS