Congress can prevent an over-regulated US digital economy. Here’s how
Last month, Connecticut became the fifth state to pass a comprehensive consumer data privacy law. As more states appear poised to follow suit, America’s digital economy is increasingly threatened by regulatory fragmentation. If Congress were to pass federal data privacy legislation, it should preempt this growing patchwork of state laws, protect consumer privacy and promote technological innovation.
Unlike the European Union, Japan, Canada and many other advanced economies, the United States does not have a national comprehensive data privacy law. Instead, Congress has passed specific statutes to create privacy rules in particular sectors, such as education (as with the Family Educational Rights and Privacy Act) and financial services (as with the Gramm-Leach-Bliley Act).
But in the absence of comprehensive federal privacy law, a growing number of states have sought to create new data privacy legislation. Connecticut – following California, Colorado, Utah and Virginia – passed its own data privacy law, the Connecticut Data Privacy Act (CTDPA), in May 2022, due to come into force in July 2023.
The CTDPA borrows heavily from existing state-level privacy laws, but it features significant differences. Unlike under the California Consumer Privacy Act, businesses do not become subject to the CTDPA based solely on annual revenues. And unlike under the Utah Consumer Privacy Act, companies do not need to exceed a predefined annual revenue benchmark to fall under the CTDPA’s scope.
These differences can pose a significant challenge for small and medium-sized businesses and startups trying to operate in multiple states with different legal privacy requirements. For example, the definition of “the sale of personal data” varies across state borders.
Under the more business-friendly Utah and Virginia privacy laws, a sale occurs only when personal data exchange involves monetary gains. Under Connecticut’s privacy law – which adopts the broader definition of data sale used by California and Colorado – data exchange for “other valuable consideration” will constitute a data sale and implicate certain legal obligations.
Without understanding the minutiae of such legislation, a company could easily fall afoul of the California, Colorado and Connecticut laws — even though their data practices could be legal in Virginia and Utah.
The timing could hardly be worse. With growing inflation, rising labor costs and limited access to financing options, startups and digital companies already face significant challenges. Conflicting state regulatory regimes will exacerbate the challenges that these companies face today. This patchwork of divergent laws could easily discourage companies from developing innovative products and services (or offering them in certain states) to consumers’ detriment in those states.
And things could get worse. Last year, more than three dozen states proposed over 160 new privacy laws — and more than 20 states are currently considering them. If all 50 states were to pass their own data privacy legislation, it could cost the U.S. economy more than $1 trillion in the next decade. That burden will fall disproportionately on startups and small and medium-sized businesses that lack the legal and compliance staff of large corporations.
This increasingly confusing patchwork of state data privacy laws makes it urgent for Congress to enact federal privacy legislation. Many policymakers – and President Biden – have already called for federal privacy legislation.
Just as importantly, Congress needs to ensure that such a comprehensive federal privacy framework does not create more problems than it solves. To that end, a federal privacy law should follow three basic principles.
First, it should preempt the growing patchwork of state laws that risks creating significant uncertainty for businesses.
Second, it should establish the same legal standards for all industries but create distinct rules and liabilities for different data types. For example, a consumer’s Netflix streaming preferences don’t carry the same privacy risks as her financial and medical records.
Third, it should develop separate rules based on the risk level of how companies process and store consumer data. Allowing businesses to use properly anonymized data and privacy-enhancing technologies under a lightened regulatory framework can promote innovation while reducing privacy risks from data breaches.
As more states seek to follow Connecticut’s footsteps by creating new privacy laws, America’s digital economy faces a real risk of fragmentation. That will create significant regulatory challenges for small and medium-sized businesses and confusion for consumers about how their data is processed and used across state lines. Congress can help with a pro-consumer, market-friendly data privacy framework that can help promote innovation while reducing consumer privacy risks.
Ryan Nabil is a research fellow at the Competitive Enterprise Institute (CEI) in Washington, D.C.