With economic participation increasingly dependent on information sharing, data privacy is at the forefront of public debate. Every day, Americans are asked to share their personal information with a growing number of businesses in exchange for access to a wide variety of goods and services. Businesses use this information to tailor their offerings to consumers’ unique wants and needs and improve services. However, this type of information sharing can expose consumers to harm when businesses fail to take adequate steps to secure consumer data.
When exposure occurs, bad actors may use the situation to steal consumer information. This has become an increasingly common occurrence for large and small businesses alike, though some of it is made possible by consumers who fail to take adequate precautions when sharing information. In 2022 alone, the Federal Trade Commission (FTC) reports that 5.2 million consumers lost over $8.8 billion to fraud, a 30 percent increase from 2021. Similarly, the FBI reports that over 800,944 cybercrime complaints were filed with the agency in 2022. These statistics demonstrate the real harm that can occur when consumer information falls into the wrong hands.
At present, no comprehensive national law covers online privacy in the U.S., meaning consumers have no form of universal protections. Most states also lack online privacy laws. In the absence of clear standards, consumer data remains vulnerable to abuse. Establishing a national standard would help eliminate that uncertainty and reduce the likelihood that a patchwork of different state laws eventually serves as the primary form of consumer protection. Having more than one privacy standard increases compliance costs for businesses and creates an additional layer of unnecessary bureaucracy.
To date, most legislation that has been introduced at the federal and state level fails to account for each of these considerations. Last year Congress introduced the ill-fated American Data Privacy and Protection Act (ADPPA). This piece of legislation would have created a national standard for data privacy that regulated how businesses acquire, store and use consumer data. While including many good provisions, the ADPPA would have exempted some covered entities and service providers from having to comply with portions of the legislation, such as having to implement most data security measures and designate a privacy and data security officer.
The ADPPA described qualifying entities as those that have met all the following criteria in the past three years: have annual gross revenue below $41,000,000, collect data on no more than 100,000 individuals and do not derive more than 50 percent of their annual revenue from the transfer of covered data. These restrictions leave a large share of American consumers unprotected who happen to do business with these entities.
Similar requirements exist at the state level. While only six states — California, Colorado, Connecticut, Iowa, Utah and Virginia — have thus far passed comprehensive data privacy laws, all six have set “triggers” that determine when a business is subject to the law. In general, three types of triggers apply: annual gross revenue, the amount of information that is processed by a business and how much of a business’s revenue comes from the sale of consumer information. Only California, Iowa and Utah have all three types of triggers, but Colorado, Connecticut and Virginia still have at least two. While the language of these triggers varies by state, and some states like California have stricter requirements than others, all six states, at least in practice, exempt some businesses. As a result, some individuals do not receive the same level of protection as others. It doesn’t have to be this way.
A better approach would be for lawmakers to design a standard that applies to all businesses. If the burden that standard may place on businesses raises concerns, legislators should re-examine the features of the standard. For instance, rather than specifying exactly what actions a business must take to comply with the law, such as designating a specific privacy and data security officer, the government might allow the business leeway to decide what works best for it. This grants the business more flexibility and control over its operations while still holding it accountable for implementing all required consumer protections.
While a national standard would be preferable to minimize compliance costs, even well-designed state legislation could provide much-needed relief to consumers. At present, at least 17 states are considering privacy legislation, meaning time still remains to make relevant adjustments. Americans, wherever they are, deserve to know that their data is safe and secure. Lawmakers can achieve this without creating a regulatory headache for businesses, most of which share consumer concerns.