How Congress Can Build the Right Data Privacy Framework

Last month, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act, making Utah the fourth U.S. state — after California, Colorado, and Virginia — to enact consumer privacy legislation. As a growing number of states — including Florida, Indiana, and Massachusetts — seek to pass new privacy laws, it risks creating a conflicting patchwork of regulations and expanding uncertainty for businesses.

Against this backdrop of proliferating state data privacy legislation, Congress faces growing calls to pass a federal privacy law. If Congress passes such legislation, it should include the preemption of state privacy laws and minimize the regulatory burden for businesses.

The United States is unusual in not having a unified privacy framework. In contrast, other large jurisdictions like Canada, Japan, and the European Union have unified privacy rules. That means companies need to follow a harmonized set of data privacy regulations for providing goods and services in those markets. 

Privacy laws need to balance competing priorities — such as technological innovation, data privacy, and cybersecurity — so getting the rules right poses a significant challenge for lawmakers. For example, although the EU’s General Data Protection Regulation (GDPR) and subsequent court rulings have helped improve data privacy and limit government surveillance, GDPR has also increased regulatory costs for European startups and harmed European innovation.

In light of these challenges, Congress’ caution regarding federal privacy legislation is warranted. However, the absence of a national privacy law has led to a growing number of states imposing their own data privacy laws. California, Colorado, Utah, and Virginia have enacted consumer privacy legislation, while Illinois, Texas, and Washington have created new laws for biometric data. The divergent legal obligations under such laws pose new challenges for startups and businesses in an increasingly fragmented regulatory environment.

The problem is only getting worse. In 2021, more than three dozen states proposed more than 160 pieces of privacy legislation. This year, at least 22 states are considering consumer privacy-related bills. Such developments risk creating an even more fragmented and confusing patchwork for businesses providing digital services in different states. If all 50 states were to pass separate privacy legislation in the absence of federal law, it could cost the U.S. economy over $1 trillion over the next decade. The burden will fall especially heavily on startups and small businesses, which lack the compliance staff and legal resources of larger firms.

Therefore, if Congress were to enact a federal privacy law, it should preempt the proliferating state laws that risk creating a confusing regulatory patch for businesses. A uniform set of well-thought, market-friendly rules can provide much-needed regulatory certainty compared to conflicting legal obligations for handling consumer data and delivering digital services in different states.

Beyond preemption, federal privacy legislation should observe two broad principles. First, any privacy framework should apply the same standard to different industries but impose distinct rules and liabilities for various data types.

For example, Congress should distinguish between non-sensitive and sensitive data — such as biometric data and educational and medical records. Likewise, lawmakers should also differentiate between data used to provide non-critical and critical services. The strictest privacy standard should apply to sensitive data used to deliver critical services like medical surgery and banking services, while the least strict standard should apply to non-sensitive data used to provide non-critical services, such as, for example, on Netflix and Spotify streaming platforms.

Second, a privacy framework should create distinct rules for different ways in which companies process and store data. For example, in cases of a data breach, data containing personally identifiable information poses significant privacy risks. In contrast, properly anonymized datasets pose a much lower level of risk, since it is much more difficult to match such data with specific persons.

For example, one such technique to protect privacy is differential privacy. This method helps protect consumer privacy by adding pre-specified random noise to datasets without significantly altering the data, which helps mask the anonymized users’ identities. The technique also limits the number of times a hacker can request data within a given database. Combined, the random noise and limit on data requests will help reduce hackers’ ability to access sensitive personal information. Allowing businesses to use such differential privacy techniques and properly anonymized data under a lightened regulatory framework can promote innovation while reducing privacy risks from data breaches. 

As the U.S. digital economy faces the real risks of fragmentation, federal lawmakers face growing calls to act soon. By preempting conflicting state privacy laws, Congress can play an essential role in reducing regulatory costs for businesses while ensuring consumer privacy and improving cybersecurity.

Ryan Nabil is a Research Fellow at the Competitive Enterprise Institute in Washington, D.C.