
States Scaring The POS Off Randomly Regulated Retailers

Written by Fred J. Aun
June 24th, 2009

When it comes to regulating retailers, what could be worse than an over-zealous Washington? How about fifty over-zealous “Washingtons”?

Discussions about “Big Brother” and onerous regulation of business usually center around the federal government. Not that Uncle Sam isn’t evil at times, but these days it’s the states that are causing the big headaches for retailers, especially those that operate on a multi-state or national level.

Every couple of weeks, it seems, another state makes news for attempting to regulate, tax or otherwise control retailers and retail technology. The toughest part, for merchants, is that states usually tackle these issues with little regard for aligning with the efforts of their counterparts in other states, or for the hardships their one-of-a-kind provisions impose on retailers.

The laws just keep on coming. Nevada, for example, passed a data protection law last month that goes into effect Jan. 1, 2010. In addition to forcing businesses to use encryption when data storage devices containing personal information are moved outside the company’s physical or logical control, the new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards.

As noted by New York law firm Hunton & Williams, “Minnesota law currently codifies certain select PCI DSS requirements. The new Nevada law is significantly more comprehensive, however, since it adopts the PCI DSS in its entirety by reference.”

On the same day, a new data protection law goes into effect in Massachusetts. It has been described as one of the toughest such laws in the world.

(Not all state efforts are frightening retailers. See our related story about state attorneys general trying to discipline TJX this week. The Keystone Cops are more frightening.)

Meanwhile, E-Commerce players, such as Amazon.com, are battling it out with states over sales tax collection. In a letter it reportedly sent Monday (June 22) to California legislators, Amazon threatened to stop doing business with its marketing affiliates in the Golden State if it is forced to collect sales taxes there under a proposed law, similar to one it’s fighting in New York, that it believes to be unconstitutional.

The passage of bills like these, which usually differ (often slightly and sometimes largely) from other states’ regulations, has created a dizzying patchwork of often conflicting state laws, regulations and proposals. Learning about, lobbying for or against and eventually complying with these government initiatives puts a financial and logistical strain on even the largest retailers and their IT departments. Doing so can be enough to quash expansion plans by smaller players.

“It’s extremely difficult to keep up with all the state announcements,” said lawyer Lisa Sotto, a partner in the New York office of Hunton & Williams and head of the firm’s privacy and information management practice. “There are 47 states and other jurisdictions with data breach notification laws and they’re all a little bit different. The same tenor is followed in all these laws, but the verbiage differs and some of them are substantively quite different. So we are dealing with a non-harmonized regime on the state level. It’s impossible, it really is.”
