Data Protection Leaders Differ on Powers of New US Privacy Law

In the absence of a federal data privacy law, seven states—California, Colorado, Connecticut, Utah, Virginia, Iowa, and most recently Indiana have adopted consumer data privacy laws of their own. But this patchwork system—and the gaps it creates—has prompted some lawmakers and advocates to push for a uniform data privacy system for the entire US.

The American Data Privacy and Protection Act aimed to create a uniform law, but it stalled in Congress last year despite bipartisan backing and has yet to be reintroduced. The legislation prompts ongoing questions about whether a federal law should take precedence over existing state laws. Two data privacy experts offer their perspectives on the issue.

Time for a National Standard

Alan Butler, EPIC

Over the last three decades, Congress has allowed technology to outpace our laws, allowing big tech companies to build empires that extract and monetize our data. This surveillance economy poses a fundamental threat to human rights and to our democracy. We need to recover our shared understanding of and respect for privacy online. The only way to do that is by setting a strong national standard for data protection.

Without legal rights and enforceable rules, there’s little any one person can do to stop these constant privacy invasions. And our collective loss of privacy undermines our ability to build and maintain the social connections that are essential to a healthy democracy.

Users are routinely tracked and scored, our browsing habits are logged, and even our bodies and homes are subject to constant monitoring. This data fuels algorithms that dictate what stories and posts we see, shaping our entire information ecosystem, and drives the increasingly invasive ads that follow us around the web. This targeting and screening has fueled discrimination, disinformation, and online abuse.

The unrestricted collection and aggregation has made every company a potential target of cybercriminals looking to breach and steal our data. Meanwhile, the rapid expansion of generative AI gives companies a new incentive to capture and mine even more data about us—even our private activities in the home—to train their chatbots and other AI applications.

We can’t allow this to continue. The collection and use of our data must be limited by a set of rules that respects our human right to privacy, limits harmful discrimination and targeting, and supports the beneficial evolution of the technologies and systems we rely on in our everyday lives. Luckily, we aren’t alone in this fight for privacy.

Lawmakers at the state level have taken important steps to develop the legal rights and protections we need. But it’s not enough for one state to enact a good privacy law; we need protections that apply to every American and rules that all the major platforms and companies in the data ecosystem understand and follow.

Strong federal protections are finally a real possibility. There’s bipartisan agreement that data brokers and big tech platforms have taken too much control of our daily lives and are actively causing harm. We can have a strong technology sector in the US while protecting personal privacy. The best way for policymakers to protect privacy online is to enact a strong data minimization rule.

And that’s what the law that gained major bipartisan support last year, the American Data Privacy and Protection Act, would do: limit collection and processing of our data to what is necessary to provide the goods and services that we are seeking online, while allowing for other necessary and beneficial uses. And it ensures we not only have rights to access and correct our data, but also that companies have obligations to limit what they use and protect what they keep.

A better future is possible—one where privacy and innovation exist side-by-side—if only policymakers can find the will to get us there.

Preserve States’ Agility

Hayley Tsukayama, EFF

As consumer advocates, EFF believes that a federal data privacy law that overrides stronger state protections is a non-starter. Congress has had years to act. Yet, even in the face of rising harms from the overcollection and misuse of our personal data, such as the Cambridge Analytica scandal, the federal government has done little.

States, meanwhile, have enacted many privacy rights that we all need. Comprehensive privacy bills have been introduced in every corner of the country and passed in 11. In fact, this growing wave of state laws helped push a federal law back into the national discussion.

Not every comprehensive state privacy law has been a strong victory for consumers. But each shows a willingness by state legislators to act in response to the demands of people in their states. Congress hasn’t moved to allow for even basic rights, such as the ability to access information companies have about you and to ask them to delete it.

Some states have protected consumers using methods that many in Congress refuse to seriously consider. One example, Illinois’ Biometric Information Privacy Act, requires companies to get explicit consent to collect biometric information and allows individuals to sue companies that violate their privacy rights.

After Facebook violated this law, it agreed to pay its users $650 million. While the latest draft of a federal bill—the American Data Privacy Protection Act—would allow Illinois to keep its strong statute, it would bar other states from passing their own and instead provide far weaker biometric protection.

That kind of federal law hamstrings efforts to protect privacy. Any federal privacy law should allow states to continue to build better protections on top of a national foundation—as is the case for many older federal privacy laws, such as the Health Information Portability and Accountability Act, and the Fair Credit Reporting Act.

Companies that profit off collection, use, and sale of our personal information recognize the wind is shifting on privacy. Many of these companies once advocated against any data privacy regulation but now are calling for a federal standard—but only if it’s weak and overrides stronger state protections.

Companies continue to change the way they process our data. Many bills now, for example, regulate the use of third-party trackers such as cookies. But tech giants such as Google are working to invent new advertising technologies with different methods that go beyond cookies. We mustn’t calcify regulation for today’s technology in Congress, which isn’t known for its regulatory agility, and prevent action by states, which often are more nimble and responsive to their constituents.

This debate shouldn’t be framed as a battle between federal and state jurisdiction. Rather, it is a battle between the present and the future. A federal bill that keeps states from responding to future privacy threats removes an important consumer protection tool—one of the few tools that’s working right now.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Alan Butler is executive director and president of the Electronic Privacy Information Center in Washington, D.C. and chair of the privacy and information protection committee of the America Bar Association’s section on civil rights and social justice.

Hayley Tsukayama is associate director of legislative activism at the Electronic Frontier Foundation, focusing on state legislation and crafting strong consumer protections, including on data privacy.

Write for Us: Author Guidelines