A Grand Bargain on Data Privacy Legislation for America

Summary of Study

Bottom Line: A new privacy framework that expands and simplifies consumer data privacy rights, reduces compliance costs from existing state and federal regulations, and paves the way for more data-driven innovation is needed. Specifically, policymakers should champion comprehensive data privacy legislation to repeal and replace existing federal privacy laws with a common set of protections, preempt state laws, improve transparency requirements, strengthen enforcement, and establish a clear set of data privacy rights for Americans based on the sensitivity of the data and the context in which it is collected.

The United States does not have a single federal data privacy law. Instead, it has multiple federal and state laws that regulate the private sector, often focusing on particular sectors or types of data, with multiple regulatory authorities responsible for oversight. Crafting privacy legislation that balances key goals is more difficult, both conceptually and politically, but it is essential if policymakers do not want to derail the continued success of the U.S. digital economy. 

Federal data privacy law should have multiple goals:

  • It should improve transparency of organizations’ privacy practices. 
  • It should establish clear privacy rights for consumers. 
  • It should address concrete privacy harms, rather than hypothetical ones, by focusing on the misuse of sensitive data. 
  • It should boost oversight and enforcement powers of privacy regulators to deter bad actors while also incentivizing businesses to better protect consumer data. 
  • It should ensure companies are transparent about their security practices and define the recourses available to consumers in case of a data breach. 
  • It should preempt states from passing their own conflicting privacy laws to ensure companies are not faced with 50 different state laws.

Any legislation and resulting regulations should limit their impact on innovation to the smallest possible amount. This means, among other things, reducing unnecessary regulatory costs and avoiding undermining important uses of data, including online advertising, which supports much of the free content and services on the Internet. And achieving these goals should not come at the expense of other freedoms—such as freedom of choice and freedom of speech—competition, or innovation. 

Establishing data protections and upholding these values are not mutually exclusive. By following the recommendations outlined in this report, policymakers can accomplish these goals.

Read the full report here.