Laws regulating the collection, use, and disclosure of personal data are (mostly) constitutional, and critics who suggest otherwise are wrong. Since the New Deal, American law has rested on the wise judgment that, by and large, commercial regulation should be made on the basis of economic and social policy, rather than blunt constitutional rules. This has become one of the basic principles of American constitutional law. Although some observers have suggested that the United States Supreme Court’s recent decision in Sorrell v. IMS Health Inc. changes this state of affairs, such readings are incorrect. Sorrell involved a challenge to a poorly drafted Vermont law that discriminated on the basis of both content and viewpoint. Such a law would have been unconstitutional if it had regulated even unprotected speech. As the Sorrell Court made clear, the real problem with the Vermont law at issue was that it did not regulate enough, unlike the “more coherent policy” of the undoubtedly constitutional federal Health Insurance Portability and Accountability Act of 1996.
Data privacy law should thus rarely be thought of as implicating serious constitutional difficulties, and this is a good thing. As we move into the digital age, in which more and more of our society is affected or constituted by data flows, we face a similar threat. If “data” were somehow “speech,” virtually every economic law would become clouded by constitutional doubt. Economic or commercial policy affecting data flows—which is to say all economic or social policy—would become almost impossible. This might be a valid policy choice, but it is not one that the First Amendment commands. Any radical suggestions to the contrary are unsupported by our constitutional law. In a democratic society, the basic contours of information policy must ultimately be up to the people and their policy-making representatives, and not to unelected judges. We should decide policy on that basis, rather than on odd readings of the First Amendment.