How Congress Can Build the Right Data Privacy Framework

Last month, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act, making Utah the fourth U.S. state — after California, Colorado, and Virginia — to enact consumer privacy legislation. As a growing number of states — including Florida, Indiana, and Massachusetts — seek to pass new privacy laws, it risks creating a conflicting patchwork of regulations and expanding uncertainty for businesses.

Against this backdrop of proliferating state data privacy legislation, Congress faces growing calls to pass a federal privacy law. If Congress passes such legislation, it should include the preemption of state privacy laws and minimize the regulatory burden for businesses.

The United States is unusual in not having a unified privacy framework. In contrast, other large jurisdictions like Canada, Japan, and the European Union have unified privacy rules. That means companies need to follow a harmonized set of data privacy regulations for providing goods and services in those markets. 

Privacy laws need to balance competing priorities — such as technological innovation, data privacy, and cybersecurity — so getting the rules right poses a significant challenge for lawmakers. For example, although the EU’s General Data Protection Regulation (GDPR) and subsequent court rulings have helped improve data privacy and limit government surveillance, GDPR has also increased regulatory costs for European startups and harmed European innovation.

In light of these challenges, Congress’ caution regarding federal privacy legislation is warranted. However, the absence of a national privacy law has led to a growing number of states imposing their own data privacy laws. California, Colorado, Utah, and Virginia have enacted consumer privacy legislation, while Illinois, Texas, and Washington have created new laws for biometric data. The divergent legal obligations under such laws pose new challenges for startups and businesses in an increasingly fragmented regulatory environment.

The problem is only getting worse. In 2021, more than three dozen states proposed more than 160 pieces of privacy legislation. This year, at least 22 states are considering consumer privacy-related bills. Such developments risk creating an even more fragmented and confusing patchwork for businesses providing digital services in different states. If all 50 states were to pass separate privacy legislation in the absence of federal law, it could cost the U.S. economy over $1 trillion over the next decade. The burden will fall especially heavily on startups and small businesses, which lack the compliance staff and legal resources of larger firms.

Therefore, if Congress were to enact a federal privacy law, it should preempt the proliferating state laws that risk creating a confusing regulatory patch for businesses. A uniform set of well-thought, market-friendly rules can provide much-needed regulatory certainty compared to conflicting legal obligations for handling consumer data and delivering digital services in different states.

Beyond preemption, federal privacy legislation should observe two broad principles. First, any privacy framework should apply the same standard to different industries but impose distinct rules and liabilities for various data types.

Read the full article at Real Clear Policy.