Patchwork with Holes: Why the US Needs a Federal Data Privacy Law
The FBI and IMF estimate that cybercrime cost the world $8.4 trillion in 2022 and could cost over $25 trillion by 2027. [1] That is an astronomical number: by one measure, it is over 8% of the world’s GDP. Many of the data breaches behind that figure involve malicious data collectors, websites that collect data on consumers only to sell it to unscrupulous buyers. Even where the collector is not malicious, a breach can give cyber criminals access to sensitive private information. Most concerningly, users rarely consider what information they have shared with websites. In 2023, a Pew survey found that 78% of Americans accept privacy policies without reading their contents, while only 18% look at the policy of every website they visit. [2] A growing number of websites ask for personal information, ranging from a user’s name to their social security number. [3] It is in the best interests of the US government to create a comprehensive framework of data privacy laws that requires websites to obtain informed consent from users. This article will underscore the need for a more rigorous data privacy legislative framework in the United States, analyzing the lessons learned from the EU’s data privacy framework. Finally, it will draw on legislative precedents from US states, the EU, and Congress to envision a federal data privacy law for the United States.
The Need for a Data Privacy Law
The EU’s General Data Protection Regulation defines personal data as any information relating to an identified or identifiable person, which reaches anything from an IP address to a social security number. That definition has been adopted almost verbatim by most data privacy laws written since. In 2012, estimates for the cost of spam communications in the US ranged between $20 and $50 billion. [4] In 2006, identity theft led to consumer losses of $61 billion. [5] Although no similar accounting has been published in recent years, the number of global internet users has doubled since 2012 and quadrupled since 2006, so the nominal cost of spam and identity theft has very likely risen. [6] Public opinion supports stronger data privacy laws. Pew Research found that 75% of Americans in 2019 agreed that there should be “more government regulation of what companies can do with personal data.” [7] Just as concerningly, 63% of Americans stated that they had little or no understanding of existing privacy laws in the United States, while only 33% stated that they had some understanding. [8] Given public support for data protection and Americans’ lack of understanding of their rights, the United States could benefit from a set of data privacy laws that emphasize and mandate transparency about data use. Some state laws, for example, do not require websites that collect data to explain clearly how the user’s data will be used. In place of those state laws, a federal law would require websites to state explicitly the purposes for which a user’s data is collected, giving users a much clearer idea of their data rights.
Data privacy laws produce more informed, and thus more cautious, cybercitizens, which further enhances the impact of regulation. In 2018, the EU’s General Data Protection Regulation (GDPR) took effect. Survey data suggests that EU citizens have since come to better understand the importance of protecting themselves online. Whereas 56% of Americans say they never read privacy policies, only 33% of EU citizens report failing to read privacy policies or notices on a regular basis [9] (the two surveys ask differently worded questions, so the comparison is indicative rather than exact). Research by Pew suggests that citizens who are more knowledgeable about their data privacy rights are twice as likely to use a password manager, to adjust privacy settings to their comfort level, and to decline cookies. [10] With policies like the GDPR, which requires a clear opt-in before data is processed on the basis of consent, users are pushed to learn how their data is used. Even so, 74% of the more knowledgeable subset of Americans believe that their pro-privacy actions have a minimal impact on their identity security. [11] EU citizens, by contrast, feel more empowered to act when confronted with data privacy problems: in a survey by the European Union Agency for Fundamental Rights, 71% of EU citizens stated that they understood how to file a privacy complaint and reach their country’s data protection supervisory authority. [12] Thus, data privacy laws push citizens to become more knowledgeable about data privacy, which in turn teaches them how to better protect themselves online.
America: A Patchwork with Holes
Although the US lacks a federal horizontal data privacy law, several vertical laws are already in force. A horizontal data privacy law applies to personal data across every sector and every kind of collector; a vertical law regulates a specific category of data or a specific industry. The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, restricts how health care providers, insurers, and their business associates may use and disclose patients’ health information. The Privacy Act of 1974 governs how federal agencies collect, maintain, and disclose records about individuals. The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, places requirements on websites that are directed at children under 13 or that knowingly collect data from them: such websites must give notice of data collection and obtain verifiable consent from a parent before collecting. Although appropriate in theory, COPPA has become outdated with the advent of social media. Millions of children lie about their age every year, exposing themselves to harmful content without their parents’ consent, and a site that never learns a user’s true age incurs no obligation under the law. [13] Without a horizontal law, strong safeguards for vulnerable subsets of data are warranted; at present, however, many vertical data privacy laws in the United States do not suffice. A federal horizontal law could address this insufficiency by targeting the root of the issue, regulating data collectors as opposed to data sets.
At present, 17 states have passed horizontal laws of varying stringency, creating a complex set of state laws with frequent interstate discrepancies. In 2018, California signed into law the California Consumer Privacy Act (CCPA), which gave consumers the right to know how their data is being used and required businesses to let consumers stop the sale of their personal information. [14] Subsequent legislation in other states, including Colorado, New Jersey, and Connecticut, similarly gave users the right to access, delete, and opt out of data collection. The laws differ in whom they reach: California’s applies to any business meeting one of several thresholds, including one based purely on annual revenue, while Indiana’s applies only to businesses that control or process the personal data of at least 100,000 residents, or of at least 25,000 residents while deriving more than 50% of their revenue from the sale of that data. Iowa’s law, the Iowa Consumer Data Protection Act signed on March 29, 2023, was particularly notable because it did not grant residents a right to correct the data they had submitted, making it more business-friendly than other states’ laws; a firm built to Iowa’s standard faces substantial extra work before it can operate in a more regulated state. Such differences in the stringency of data privacy laws pose issues for interstate online economic activity.
This complex set of new laws will be difficult for websites, especially smaller ones, to navigate. To illustrate the challenge, consider the consequences of the GDPR, a single regulation and therefore already more centralized than the set of state laws in the United States. When the GDPR took effect in 2018, over a thousand US news websites, including the Los Angeles Times and The Boston Globe, remained blocked for European users for months while they worked to ensure compliance with the new regulation. [15] These news sites did not have the large legal teams of The New York Times or The Wall Street Journal, so they needed more time and capital to understand and comply with the new rules. If one law caused that much disruption, 17 differing laws will cause more. Most dangerously, faced with high costs, some companies may choose to ignore individual state provisions, at which point state governments will have two choices: push enforcement at the risk of hurting major companies’ profits, or tolerate looser interpretations of their laws. A number of firms have already attempted to stretch the provisions of the GDPR. [16] Enforcement would require the government (and taxpayers) to expend considerable resources. Looser interpretations would undermine the data privacy laws while emboldening data collectors to keep pushing the rules. A single federal horizontal law would sharply reduce the costs of both compliance and enforcement, provided that it preempts the state laws; a federal law layered on top of them would simply add another regime to comply with.
Lessons from Europe’s General Data Protection Regulation: Regulations Must Be Enforced
Two lessons can be drawn from the implementation of the GDPR since 2018. First, bad actors are ubiquitous across the online landscape, and regulatory frameworks must be built to keep them in check. Second, although the GDPR imposed real costs on firms, the benefits to consumers are at least as valuable.
Bad actors have continuously tried to stretch the rules of the GDPR. Most recently, IAB Europe, which sets standards and provides legal guidance for the online advertising industry, was fined and forced to amend its framework. Ahead of the GDPR taking effect in 2018, IAB Europe released the Transparency and Consent Framework (TCF), which gave websites guidance on how to notify users and obtain affirmative consent for the use of their data, as the GDPR requires. The framework, however, let websites bundle consent without explaining who would gain access to user data, allowing a long list of advertising vendors to hide behind a single “Accept Cookies” button. [17] In 2022, the Belgian Data Protection Authority fined IAB Europe and ordered it to amend the TCF. After appeals by IAB Europe before the Belgian courts, it had, as of March 2024, implemented much of its approved action plan. [18] The case is notable because of IAB Europe’s position at the center of the digital advertising market: it set the guidelines, and those guidelines flagrantly contradicted the GDPR. In its appeals, IAB Europe did not argue that the bundled consent complied with the rules; instead, it tried to place itself outside them by disputing “the controversial and novel allegation that it acts as a controller.” [19] The defense, in other words, was that the author of the framework bore no responsibility for what the framework did.
Worse, most bad actors either go undetected or face negligible consequences. If IAB Europe, a large and highly visible industry body, attempts to bend the rules, countless smaller and more malicious companies likely do so undetected. In 2022, 159 companies were caught breaking the law, yet only 36% of them received fines; the rest received reprimands. [20] For a regulation that allows fines of up to 20 million Euros or 4% of the offending company’s worldwide annual turnover, whichever is higher, a reprimand with no fine is a light punishment. In cases less severe than IAB Europe’s, a number of firms have been able to bend the rules with minimal consequences. Enforcement has begun moving in the right direction, with a record-breaking €1.2 billion fine against Meta in 2023. A law in the US would need strict enforcement from the outset to deter bad actors.
Some argue that the GDPR has harmed the European economy by raising compliance costs, which fell particularly hard on small and medium-sized enterprises (SMEs). Profits of European businesses shrank by 8.1 percent on average, and by 8.5 percent for SMEs. Small IT firms saw profits drop around 12 percent, while large IT firms fell only 4.6 percent on average. [21] While these numbers may look alarming, they are, in large part, the result of one-time compliance costs such as overhauling privacy technology. The paper behind these estimates also notes that “our estimates are silent on aggregate welfare effects.” [22] In other words, it measures the impact on firms, the targets of the regulation, while saying nothing about users, its beneficiaries. Accounts that treat these firm-level losses as the GDPR’s net cost therefore overstate the detriment to the European economy. Although little research has examined the benefits to the aggregate welfare of EU residents, a study that asked Polish students how much they would pay for their data privacy rights found that the GDPR was worth 6.5 Euros per person per month. [23] Applied to the EU’s roughly 450 million residents, that figure values the GDPR at well over 2 billion Euros per month (a student sample is not representative of the whole population, so the extrapolation is illustrative rather than precise). Of course, 6.5 Euros per month is not as tangible as a firm’s balance sheet, but these early experiments on the value of data privacy reveal enormous unaccounted value. Finally, some proponents of the GDPR argue that weighing harms to firms misses the point, because the law exists to secure basic privacy rights for EU residents: arguing against the GDPR on cost grounds would be like arguing against a law that prevents wanton theft. [24]
Envisioning a Federal Data Privacy Law
With so many federal vertical laws and state horizontal laws, the US has strong precedents upon which to base a federal data privacy law. The case for such a law grows stronger when the impact of the EU’s GDPR, now in its sixth year, is taken into account. Unsurprisingly, federal privacy bills have already been proposed in Congress, including the American Data Privacy and Protection Act of 2022. The most recent, the American Privacy Rights Act, was released as a discussion draft on April 7, 2024. This bill proposes rights to opt out of the transfer of personal information, to sue companies over data breaches, and to opt out of having one’s data used for AI. The bill would also limit companies to collecting only “necessary, proportionate, or limited” data from users. It directs the FTC to create an accessible registry of data brokers (firms that buy personal data from data collectors and resell it, for instance to advertisers), along with a do-not-collect list that forbids registered data brokers from collecting data about the people on it, akin to the federal do-not-call list. [25] One final precedent is the TikTok divestiture law signed in late April 2024, which requires TikTok to be sold within roughly a year or be banned in the US, on national security grounds: the claim was that data collected by the social media company would be a threat in Chinese hands. [26] If data from one app can be a national security threat, then the data collected across the rest of the internet, in malicious hands, is hardly less dangerous. From the state laws to the GDPR to the proposed bills to the TikTok law, precedents abound for a federal data privacy law.
Synthesizing various researchers’ analyses, the American Privacy Rights Act can be improved by forcing websites to be more transparent about how they collect and use data. As proposed, the bill grants the right to opt out of the transfer of personal information, to sue over data breaches, and to consult a list of data brokers. It also limits the quantity of data collected, but in equivocal terms (“necessary, proportionate, or limited”). The loosely enforced GDPR shows how such ambiguous terms will be stretched by data collectors, who have little incentive to follow the rules beyond the threat of enforcement. Rather than focusing on how data collectors spread personal information, therefore, the Act should strictly enforce one factor: transparency. Users have a direct incentive to keep their own data safe, and informed users are about twice as likely to take measures to improve their online safety. [27] A federal act should mandate, unequivocally, that websites explain what data will be collected and where it will be sent, in simple and concise terms. With such transparency, users could take on more of the responsibility for protecting their own data, allowing the Act to be more relaxed towards data collectors elsewhere and reducing the damage to firm revenues. Transparency does not, however, protect data once it has been collected: a breach exposes a well-disclosed database just as thoroughly as an undisclosed one, so the bill’s breach liability and data minimization provisions should remain alongside the transparency mandate. A second improvement concerns compliance support: the GDPR showed how much smaller firms struggled to comply. The government should establish a large help center specifically for these smaller firms, funded by the biggest technology companies. For issues like privacy notices in particular, clear instructions would let smaller websites confirm their own compliance. Such a help center will be critical for keeping smaller firms competitive.
Conclusion
The need for a comprehensive federal data privacy law in the United States cannot be overstated. The current patchwork of state laws and vertical federal regulations creates a complex and often inadequate framework that fails to fully protect Americans’ personal data. The lessons of the European Union’s General Data Protection Regulation (GDPR) show that a well-structured, horizontal data privacy law at the federal level can significantly improve citizens’ understanding of and control over their personal information, leading to better privacy practices and more informed digital behavior. A federal data privacy law would streamline the regulatory landscape, reducing the compliance burden on businesses, particularly smaller enterprises, which struggle to navigate the myriad state-specific regulations. It would also ensure a uniform standard of data protection across the country, preventing states with weaker laws from becoming loopholes that undermine overall privacy efforts. The American Privacy Rights Act, as proposed, provides a solid foundation but would benefit from a sharper focus on transparency and on support for compliance. By mandating clear, concise, and easily understandable privacy notices, the law would empower users to make informed decisions about their data.
Bibliography
[1] “Digital Press Briefing with Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies,” United States Department of State, accessed June 9, 2024, https://www.state.gov/digital-press-briefing-with-anne-neuberger-deputy-national-security-advisor-for-cyber-and-emerging-technologies/.
[2] Colleen McClain, Michelle Faverio, Monica Anderson, and Eugenie Park, “2. How Americans Protect Their Online Data,” Pew Research Center (blog), October 18, 2023, https://www.pewresearch.org/internet/2023/10/18/how-americans-protect-their-online-data/.
[3] Brian X. Chen, “Everyone Wants Your Email Address. Think Twice Before Sharing It.,” The New York Times, January 25, 2023, sec. Technology, https://www.nytimes.com/2023/01/25/technology/personaltech/email-address-digital-tracking.html.
[4] Justin M. Rao and David H. Reiley, “The Economics of Spam,” Journal of Economic Perspectives 26, no. 3 (August 1, 2012): 88, https://doi.org/10.1257/jep.26.3.87.
[5] Alessandro Acquisti, Curtis Taylor, and Liad Wagman, “The Economics of Privacy,” Journal of Economic Literature 54, no. 2 (June 1, 2016): 475, https://doi.org/10.1257/jel.54.2.442.
[6] Hannah Ritchie et al., “Internet,” Our World in Data, April 13, 2023, https://ourworldindata.org/internet.
[7] Brooke Auxier, Lee Rainie, Monica Anderson, Andrew Perrin, Madhu Kumar and Erica Turner, “4. Americans’ Attitudes and Experiences with Privacy Policies and Laws,” Pew Research Center (blog), November 15, 2019, https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/.
[8] Auxier, Rainie, Anderson, Perrin, Kumar, and Turner, “4. Americans’ Attitudes.”
[9] European Union Agency for Fundamental Rights, Your Rights Matter: Data Protection and Privacy (Fundamental Rights Survey) (Luxembourg: Publications Office, 2020), 9, https://data.europa.eu/doi/10.2811/292617.
[10] Colleen McClain, Michelle Faverio, Monica Anderson, and Eugenie Park, “3. A Deep Dive into Online Privacy Choices,” Pew Research Center (blog), October 18, 2023, https://www.pewresearch.org/internet/2023/10/18/a-deep-dive-into-online-privacy-choices/.
[11] Ibid.
[12] European Union Agency for Fundamental Rights, Your Rights Matter, 14.
[13] Julie Jargon, “How 13 Became the Internet’s Age of Adulthood,” Wall Street Journal, June 18, 2019, https://www.wsj.com/articles/how-13-became-the-internets-age-of-adulthood-11560850201.
[14] “California Consumer Privacy Act” (2018), https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5.
[15] “More than 1,000 U.S. News Sites Are Still Unavailable in Europe, Two Months after GDPR Took Effect,” Nieman Lab (blog), accessed May 27, 2024, https://www.niemanlab.org/2018/08/more-than-1000-u-s-news-sites-are-still-unavailable-in-europe-two-months-after-gdpr-took-effect/.
[16] Seb Joseph, “Five Years in, the GDPR Has Had a Double-Edged Impact on the Ad Market,” Digiday, May 25, 2023, https://digiday.com/marketing/five-years-in-the-gdpr-has-had-a-double-edged-impact-on-the-ad-market/.
[17] “The BE DPA to Restore Order to the Online Advertising Industry: IAB Europe Held Responsible for a Mechanism That Infringes the GDPR,” Autorité de Protection des données / Gegevensbeschermingsautoriteit, accessed May 27, 2024, https://www.dataprotectionauthority.be/iab-europe-held-responsible-for-a-mechanism-that-infringes-the-gdpr.
[18] “FAQ: APD DECISION ON IAB EUROPE AND TCF - Updated March 2024” (IAB Europe, March 2024), 7, https://iabeurope.eu/wp-content/uploads/20240223-FAQ_-APD-DECISION-ON-IAB-EUROPE-AND-TCF-Updated-March-2024-1.pdf.
[19] Ibid., 3.
[20] Joseph, “Five Years in.”
[21] Benjamin Mueller, “A New Study Lays Bare the Cost of the GDPR to Europe’s Economy: Will the AI Act Repeat History?,” Center for Data Innovation (blog), April 9, 2022, https://datainnovation.org/2022/04/a-new-study-lays-bare-the-cost-of-the-gdpr-to-europes-economy-will-the-ai-act-repeat-history/.
[22] Carl Benedikt Frey and Giorgio Presidente, “Privacy Regulation and Firm Performance: Estimating the GDPR Effect Globally,” Economic Inquiry, March 4, 2024, 14, https://doi.org/10.1111/ecin.13213.
[23] Garrett Johnson, “Economic Research on Privacy Regulation: Lessons from the GDPR and Beyond” (Cambridge, MA: National Bureau of Economic Research, December 2022), 18, https://doi.org/10.3386/w30705.
[24] “The Economic Impact of GDPR, 5 Years On,” CNIL, accessed May 27, 2024, https://www.cnil.fr/en/economic-impact-gdpr-5-years.
[25] “Data Privacy Strikes Back: American Privacy Rights Act,” Brownstein Hyatt Farber Schreck, accessed May 27, 2024, https://www.bhfs.com/insights/alerts-articles/2024/data-privacy-strikes-back-american-privacy-rights-act.
[26] Sapna Maheshwari and Amanda Holpuch, “Why the U.S. Is Forcing TikTok to Be Sold or Banned,” The New York Times, May 8, 2024, sec. Technology, https://www.nytimes.com/article/tiktok-ban.html.
[27] McClain, Faverio, Anderson, and Park, “3. A Deep Dive into Online Privacy Choices.”