2022 promised great things for data privacy. High-profile cyberattacks and a bipartisan consensus that Congress ought to act had commentators predicting a federal data standard was a real possibility. However, political headwinds, midterms, and other priorities have conspired against such a standard, and prospects now appear remote. Unfortunately, Americans lose out without a unified federal data protection standard.

Currently, the United States is a zip code lottery of data protection, with state legislatures responsible for enacting privacy laws. States like California, Virginia, Utah, and Colorado have enacted some of the most robust protections in the country. In contrast, those living in the other 47 face few or no laws that govern how governments and private companies handle their data. Data protection laws are so weak in some states that governments or businesses may not be obliged to report the loss of sensitive information to consumers, meaning they may never find out that sensitive financial or personal information has been compromised.

When the “majority of Americans feel as if they have little control over data collected about them,” federal legislators must do more to eradicate the patchwork of protections and ensure Americans enjoy equal protections from cybercriminals and nefarious online actors. Simply put, zip codes should not determine degrees of protection.

While Congress has failed to pass comprehensive consumer data protection laws, it has enacted several industry-specific data protection laws. For example, in 1996, it passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which “required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” Additionally, in 1999 Congress passed the Gramm-Leach-Bliley Act, which regulates “the collection and disclosure of private financial information” and “stipulates that financial institutions must implement security programs to protect” financial information.

The fact that Congress has previously legislated to mandate robust data protections in specific industries shows it has the mandate to extend such protections to consumers.

One of the principal problems with inconsistent data protection rules is that they raise business compliance costs. A 2019 study by the Washington Legal Foundation found that state-level data protection laws “create operational inefficiencies and distort interstate markets for data, products, and services.” The Washington Legal Foundation also found that the conflicting and continually changing state data privacy laws “drive up costs, imposing a drag on economic actors who shift resources to compliance” instead of hiring, innovating, and developing new products.

The issue is particularly pronounced among smaller businesses and startups that do not have the capital or legal resources available to larger companies to ensure compliance with all applicable laws. A federal data standard would resolve this problem by providing consistent rules for each state, lowering compliance costs and incentivizing enterprise.

Weak data protection laws also leave consumers vulnerable to identity theft. Aside from the severe mental toll identity theft causes, studies estimate that the average loss for a victim of identity theft is around $1,100. Unfortunately, due to the patchwork of data protection rules, individuals in states like California, Virginia, and Colorado are less likely to suffer such severe financial losses. In contrast, those living in other states are more vulnerable to the economic pain of identity theft after data breaches.

With Congress seeming unlikely to pass a federal data standard this year, it has become apparent that the body is abandoning its duty to provide Americans with the data protection they deserve. Unfortunately, this dereliction of duty means Americans must deal with inconsistent and weak protections that inflict unnecessary economic pain. Companies must face unnecessary compliance costs that hurt consumers in the long run.

Regrettably, the failure of Congress to act only harms consumers and aids online actors with nefarious goals.