Written by: Divya Sridhar and Grant Gendron
America wants privacy, but our policymakers remain divided about getting a deal done. The benefits of a federal privacy law are clear and can be summed up as the 5 “S”s: we need a federal privacy law for stability, solidarity, sales, security, and to stay up to speed. Privacy legislation is critical to keeping the American dream intact.
There are at least five critical reasons why Congress needs to act NOW to pass federal privacy legislation.
In 2023, passing a federal privacy law is:
1) a critical part of the 2023 federal directive of U.S. policymakers;
2) imperative based on its economic impact on the global economy and cross border data flows;
3) long overdue to keep America globally competitive and technologically relevant;
4) deemed essential to strengthening our nation’s national security; and
5) the ultimate exemplar of leadership, dignity, and strength for the United States.
Read each of our posts to learn more about the facts and figures that make the case.
U.S. Policymakers Are Elevating Privacy as Part of their 2023 Directive
In at least one way, the new year has begun where 2022 ended: with a call from the highest ranks of government to advance federal privacy legislation. In a recent Wall Street Journal op-ed, President Biden urged Congress to unite in a bipartisan way to pass federal privacy legislation that would place new guardrails on business and ensure special protections for children and vulnerable communities. Leaders from Congress [House Energy & Commerce Committee Chair Cathy McMorris Rodgers and Representative Frank Pallone] and the Administration [Alan Davidson, Assistant Secretary for Communications and Information at the U.S. Department of Commerce] have echoed this sentiment.
The years-long effort to advance federal privacy legislation holds promise in the 118th Congress. Though the House of Representatives has flipped to a Republican majority, key members – including Chair Cathy McMorris Rodgers and Ranking Member Rep. Pallone – have long advocated for federal privacy legislation. And key members in the Senate – including Senators Cantwell and Cruz, Majority and Ranking Leader, respectively, on the Senate Commerce Committee – have expressed support for this effort.
Last year, federal privacy legislation came closer than it had in many years to being finalized. The “Three Corners” introduced and quickly advanced federal privacy legislation in the summer of 2022, as a nod from Rep. Frank Pallone (then Chair of the House Energy and Commerce (E&C) Committee); Leader Cathy McMorris Rodgers (then Ranking Member of House E&C); and Senator Roger Wicker (then Ranking Member of the Senate Commerce Committee) about privacy legislation being a top priority of theirs. The bill sailed through the House subcommittee on consumer protection, but stopped short of making its way to the House floor for a vote prior to the midterms.
Recent developments at the FTC, including its Advance Notice of Proposed Rulemaking (“ANPR”) on Commercial Surveillance and Data Security to tackle privacy, also signal the need for movement at the federal level. But federal legislation would be a more impactful, purposeful and decisive approach, which FTC Chairs also highlighted. (SIIA’s comment can be found here.)
Moving legislation forward is the best way to get the wheels in motion. Policymakers must finalize negotiations on what a federal standard on privacy looks like for the United States.
Inaction on Privacy is Directly Harming the U.S. Economy
As of this writing, there are at least eight states with active consumer privacy legislation, and we are only a few weeks into the new year. We expect much more activity in the coming months. For reference, by last October, more than 34 states had introduced or passed privacy bills (in at least one chamber) focused on commercial collection and use of personal data. Five state consumer privacy laws (California, Virginia, Colorado, Utah, and Connecticut) are on the books and are at various stages of implementation and enforcement. Keeping up with the patchwork of state laws (to say nothing of laws abroad) is now a full-time job.
The Information Technology and Innovation Foundation (ITIF) analyzed the impact of the state privacy patchwork on businesses, particularly those that serve customers across state lines. It notes that businesses engaging in interstate commerce are subject to a combination of different state privacy laws, which creates a multiplier effect and has led to expensive and redundant compliance efforts. The costs are not negligible: it is estimated that state privacy laws could lead to somewhere between $98 billion and $112 billion in costs annually, which over a 10-year period would lead to over $1 trillion in out-of-state costs for businesses.
These different laws can disrupt business flow (and add further costs) if the legislation and any respective guidance take a unique approach to how businesses and other entities must comply. For example, Colorado’s recent draft guidance includes an approach to the universal opt out mechanism that differs from California’s regulatory approach. The states also have unique views on definitions, including how the states categorize the entities that are expected to comply with the law; the exemptions these entities receive; and the way the state lawmakers define terms such as “sensitive data”, “biometric data”, and “automated decision making/profiling.” These distinctions have significant consequences for business compliance. Knowing that a federal privacy bill is coming could seemingly influence states’ approaches to their own legislation this year. But the bottom line is that one uniform bill – covering consumer privacy practices across the nation – is better than many bifurcated approaches.
In addition to draining U.S. businesses, inaction disproportionately harms small businesses and new market entrants. ITIF states that small businesses could face $20–23 billion in out-of-state compliance costs annually. These businesses are the backbone of the U.S. economy. The Harvard Business Review documents that they account for 48% of all U.S. jobs and contribute to 43% of the U.S. GDP. We need to keep them afloat and thriving.
Enforcement plays a part in this math too. As any Chief Privacy Officer and Chief Security Officer knows, privacy violations and data breaches can be existentially costly for businesses. Expensive litigation and enforcement actions are becoming more common by the month, with recent enforcement actions by the FTC related to Ed-Tech company Chegg, data broker Kochava, and California’s action against beauty product company Sephora making headlines. Last December, Epic Games agreed to settle privacy and dark-patterns claims for its Fortnite game in an amount exceeding $500M, including the FTC’s largest administrative enforcement yet.
Passing a uniform privacy standard that levels the playing field and includes appropriate exemptions is a necessary first step to protecting our economy from fiscal standstills that result from stagnant cross border data flows, unnecessary multiplier effects, and expensive litigation.
Privacy is Essential to the United States’s Competitiveness Abroad
In 2018, the European Union set a critical precedent on what privacy regulation should look like for its member states by passing the GDPR. Since then, many countries have followed in the EU’s footsteps and finalized privacy laws, leaving the United States behind. These include privacy acts in countries like Canada, New Zealand, Brazil, Singapore, Thailand, Germany, Switzerland, and proposed developments in the UK and India.
More recently, the EU, United States, and other countries have been working to streamline interoperability on data privacy rules, through new bilateral and multilateral data privacy agreements, global cross border mechanisms, and cooperation. Key among them is the recent draft adequacy decision for the U.S. and EU’s Trans-Atlantic Data Privacy Framework (TADPF). The EU itself continues charging ahead to set standards for the rest of the world, most recently with the EU AI Act and the Data Act. For its part, the Organization for Economic Co-operation and Development (OECD) has adopted the first intergovernmental agreement towards safeguards for privacy, civil liberty, and human rights, as it concerns securing personal data in the context of national security and law enforcement.
If we look strictly at the numbers, cross border data flows are essential to the global economy. In 2022, 2 trillion dollars’ worth of data was affected by cross border flows, which is expected to rise to an estimated 15 trillion dollars by 2025. The United States will be at a disadvantage negotiating cross border data flows if it lacks its own national privacy standard.
We must act now on data privacy to keep up in the global race on emerging technology, as data is the foundation underlying emerging technology. Without a privacy law in place, the United States will appear behind the more than 150 countries that have already passed privacy laws. These optics do not paint the United States as a fair trade and tech economic partner, even if it is leading the development of privacy-related pillars and principles in the Indo-Pacific Economic Framework for Prosperity (the IPEF) and the Trade and Technology Council (TTC).
By passing a federal privacy law, the United States can take part in shaping a pro-innovation, pro-democratic privacy landscape to counter this digital authoritarianism movement that imposes serious obstacles to trade.
Privacy is Increasingly Essential to Uphold National Security
Comprehensive federal privacy legislation is also critical to advance national (and international) security. The recent scandals regarding potential misuses of data by TikTok have put this squarely in the spotlight. Several states, along with the federal government, have banned the use of TikTok on government devices. Congress has also introduced bipartisan legislation to ban the notorious TikTok app based on data security and privacy concerns. Lax privacy rules can foster greater mistrust in the online ecosystem and enable the spread of misinformation. This issue is now front and center with scrutiny focused on Twitter following moves by Elon Musk that would weaken privacy protections and trust and safety oversight (echoed in this 2022 whistleblower testimony).
A uniform set of rules on data privacy is fundamental to the spirit of innovation, productive research, and creative authorship and will mitigate these national security concerns. G7 leaders, the World Trade Organization and the Organization for Economic Cooperation and Development have all discussed furthering the principles of a free-flowing internet.
To this end, the Administration – as part of its broader goals to support the G7 and secure its place on the world stage – has undertaken at least three critical efforts in the past few months that underscore the impact of data privacy on national security. These efforts include the new Open Government National Action Plan, privacy as part of the 2022 National Security Strategy, and the White House cyber labeling initiative on the IoT.
- The Open Government Action Plan aims to increase the public’s access to data and improve how data is used by the government while improving the delivery of services and benefits. By publishing this plan and advocating for a more data rich ecosystem, with the government as the central decision maker, the Administration is signaling the need for new opportunities, embedded carefully in protections and guardrails that uphold national security. This initiative works hand in hand with federal privacy legislation.
- The 2022 National Security Strategy recognizes that an international technology ecosystem is critical to protecting our security and privacy, as a core component of “U.S. and allied technology leadership.” The international economic system should be “fit for contemporary realities,” including “high standards and protections for stability, privacy, and security” to reinforce the U.S.’s “global primacy.”
- Additionally, the White House announced a cyber labeling initiative for the Internet of Things (IoT) in October 2022. After a listening session with attendees including the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), the FTC, the Consumer Product Safety Commission, and manufacturers, standards-setting bodies, and other stakeholders, the White House identified concerns about the ease with which bad actors can exploit poorly secured devices to steal data, cause disruption, or conduct surveillance. A contemplated solution is a cybersecurity label barcode that could be scanned for real-time security information.
These efforts would only be further bolstered, and have more cohesive outcomes for the government and its stakeholders, if the United States were to pass a federal privacy law.
The United States can Demonstrate Leadership Through its own Unique Model for Privacy and Innovation
The United States recognizes the EU GDPR’s shortcomings and must avoid passing a law repeating similar mistakes. We can learn from the GDPR experiment but cannot (and should not) model it exactly. There are several compelling reasons why.
Despite any of its privacy benefits, the GDPR has deterred innovation. First, the GDPR does not include exemptions for small and medium sized enterprises (SMEs), which harms those players who are the backbone of the U.S. economy. Second, the National Bureau of Economic Research (NBER) researched the GDPR’s impact, including implications for both the supply and demand sides of the equation. After reviewing 4.1 million apps at the Google Play Store from 2016 to 2019, NBER notes that GDPR has induced the exit of about a third of available apps; and, since GDPR implementation, has led to half the number of new market entrants in the app marketplace. On the demand side, GDPR reduces consumer surplus and aggregate app usage by about one third. And, the research suggests that GDPR has generated significant consent fatigue, making it a less commendable model from a consumer and business usability standpoint. This is to say nothing of the immense fines being paid to Europe for tracking or targeted advertising in violation of the GDPR.
For these reasons, other countries like the United Kingdom have made the steady shift from a pro-GDPR model, to a UK GDPR, and now to a forthcoming model that will bolster competition and innovation. All the while, the UK retained appropriate safeguards for individual privacy and data protection. The Inaugural Meeting of U.S. and UK Comprehensive Dialogue on Technology & Data further underscores this theme.
As it develops a federal privacy law, the United States must take our Constitution’s First Amendment rights of free speech into consideration (which are not woven into the EU’s GDPR). SIIA has played a pivotal role in shaping the development of state consumer privacy laws – including in Colorado and California – to ensure that they include these considerations and would pass constitutional muster.
America can benefit from the excellent lessons learned from the GDPR. It should prompt us to tailor a U.S. law to help, rather than hinder, the political economy. It should also prompt us to focus on carefully factoring in the individual rights we are granted by the U.S. Constitution.
In a nutshell:
While there are many more reasons than the ones stated here, we hope these five will prompt Congress to act NOW to move federal privacy legislation forward.
You can see our previous blog on the topic here.