Increasingly, state legislatures have been considering bills that seek to enhance protection of consumers’ data. These actions are filling the void left by the federal government, as currently there is no comprehensive federal data privacy law. Instead, data privacy is governed by industry-specific legislation such as the 1996 Health Insurance Portability and Accountability Act. As the data economy continues to grow, consumers are becoming rightly worried about what companies are doing with their information.

Many states, including California, Maine, and Virginia, have already taken concrete steps in this direction, passing comprehensive data protection laws. Governor Jared Polis of Colorado is also anticipated to sign similar provisions into law very soon.

While some states have made great strides, other states and the federal government have made little to no progress implementing consumer data protections. A data privacy bill in Florida was recently defeated after the State House and Senate could not agree on provisions addressing whether a consumer can sue for improper use of their data. This means that Floridians will be left with weak data protection laws and weaker protection than residents in Virginia, California, Maine and Colorado. 

Florida’s bill, while offering strong protections, was slightly different from the bills in other states. These slight discrepancies, such as the differences in rules addressing targeted ads, make the patchwork of state privacy legislation even more confusing for businesses and consumers. A federal law is needed to preempt a hodgepodge of state privacy laws.

Right now, the United States is a “zip code lottery,” wherein the data laws that a consumer is afforded are entirely dependent on the state in which they happen to reside. This means that some Americans are subject to different data laws than others. Instead, consumers should have guarantees across state lines with regard to what a company can do with their information, and therefore federal regulation is a necessity.

Discrepancies in laws between states also make for a complicated system for businesses, especially smaller businesses that do not have the luxury of attorneys or significant capital reserves. The current patchwork of laws is burdensome to navigate, and larger companies that have large legal teams can comply much more easily than smaller companies. A federal comprehensive data privacy law would benefit everyone and would avoid excessive compliance costs being passed on to consumers.

Congress should look to states that have already passed privacy laws and learn from their mistakes when drafting federal regulation. The best example of where legislation has gone wrong is the California Consumer Privacy Act (CCPA), which has received widespread criticism for being overly punitive on small businesses. Its stringent provisions have forced many businesses to spend egregiously high amounts on initial compliance fees, with low-end estimates being at a whopping $50,000 for each impacted business. This means that these businesses will have less money to invest in new hiring or in research and development.

Any federal legislation should focus on ensuring that the consumer has as much control as possible over what data they hand over to companies while minimizing provisions that would impose undue burdens on businesses, especially on small businesses and start-ups.

The current mix of data privacy rules has created an unfair situation for consumers and small businesses. This is why federal data privacy regulation should be a priority for Congress. Until a unified framework is implemented, millions of Americans will be kept in line waiting for their state legislators to act on protecting their data privacy.

Published in The Town Hall.