Unlike many other nations, the United States lacks a comprehensive national data privacy law addressing the collection and use of personal information by the private sector. Existing American privacy laws are narrowly focused or sectoral in character, covering issues such as children’s privacy, financial and health-related privacy, or various government uses of data.

In the absence of a more broad-based and cross-sectoral national privacy law, twenty state governments have passed major privacy bills in recent years. Those measures contain a variety of data collection and use restrictions, reporting and auditing requirements, transparency mandates, and other regulations. California imposes the most far-reaching of these state laws with its California Consumer Privacy Act (CCPA), but the state also has two dozen other privacy and data security laws, some of which overlap with federal law. Some states are also advancing aggressive sector-specific laws, like the state of Washington’s “My Health My Data Act,” which imposes sweeping new regulatory obligations and liability on health-related data processors.

This patchwork of differing parochial policies creates confusion and hassles for innovators and consumers alike, who must contend with differing standards for data handling, even though these activities are inherently interstate in nature. This patchwork “is quickly becoming unmanageable for many U.S. companies”—especially smaller businesses—and it raises serious liability risks for firms of all sizes.

Despite major efforts to address this in the previous two sessions of Congress, federal lawmakers failed to pass comprehensive privacy legislation. Congress now has another chance with a new measure introduced on April 22nd by Rep. John Joyce (R-Pa.). The “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (or the SECURE Data Act) proposes a preemptive national privacy framework rooted in bipartisan laws that already passed in several states. The measure includes several new federal consumer rights, including access and deletion rights, data portability and minimization requirements, and certain opt-out rights related to targeted advertising or the sale of personal data. The law imposes various obligations on firms that collect consumer data related to these rights.

The law also includes a novel mechanism whereby firms can choose to opt into third-party voluntary codes of conduct that would be approved by the Department of Commerce in consultation with the Federal Trade Commission (FTC). So long as the code “meets or exceeds the relevant requirements” of the new act and firms remain in compliance with the code, they are granted a rebuttable presumption related to any enforcement action brought against them under the statute. Firms would also have a “cure” period during which time they could remedy violations before enforcement actions are brought against them. The Commerce Department is also granted new authority to address issues surrounding international cross-border data flows.

Finally, the proposal also gives the FTC various new oversight responsibilities in addition to the authority the agency already has to police unfair and deceptive practices. It also preserves various other sector-specific federal privacy laws and complements another new bill that the House Financial Services Committee is simultaneously proposing to address financial privacy issues in a more consistent manner.

Importantly, a national privacy law such as the SECURE Data Act would help address many of the issues currently under consideration as part of artificial intelligence (AI) and online child safety policy debates. Many of the concerns being raised in those debates and corresponding legislative proposals are actually data security and privacy issues. It is also vital to recognize that AI can be utilized to increase data security and privacy. It would make more sense for Congress to legislate holistically to address data collection and use instead of making bespoke rules for AI systems. This is why the new SECURE Data Act represents a sensible step forward for national tech policy.

Avoiding Earlier Mistakes

In the last session of Congress, negotiations over the American Privacy Rights Act (APRA) broke down over several key provisions. Some critics worried about the law’s “Swiss cheese approach to preemption” due to a variety of exceptions that would have left the door open to extensive state regulation. There were also concerns about the inclusion of new regulations for AI and automated decision-making systems, as well as a legal private right of action (PRA) that would have created new court-based litigation rights and “unleash trial lawyers on every small business in America,” according to House Majority Leader Steve Scalise (R-La.).

By contrast, advocates of more aggressive regulation wanted a strong PRA, plenty of room for continuing state regulation above a federal law, and open-ended new AI rules. These APRA critics insisted more far-reaching AI regulation was needed on the theory that consumers “have little to no way to protect themselves” from potential AI-related harms, and pushed for inclusion of additional mandates. In reality, a diverse collection of existing consumer protection statutes, civil rights laws, and court-based remedies at both the state and federal level already cover algorithmic systems, making additional regulations unnecessary and burdensome.

Those pushing for more extreme privacy and AI regulation appear driven by a desire to move America closer to a European-style data protection regime, bundled with sweeping new data minimization and AI mandates as well as expansive litigation rights. These advocates also want this aggressive federal regime in addition to a patchwork of overlapping state privacy and AI regulations.

Europe’s experience shows why such a regulatory regime would be an unworkable and costly disaster for the United States. A growing body of economic research finds that laws like the European Union’s General Data Protection Regulation (GDPR) and other data privacy-related policies have undermined business formation, competition, and investment. Larger platforms can handle the enormous resulting compliance costs as they have the resources to weather the onerous rules while smaller firms do not. By hollowing out the continent’s digital technology base through regulatory overreach, Europe also undermined its geopolitical standing. “Europe has abdicated its role in history,” argued one Wall Street Journal columnist last year, and is “failing the test of the digital age, generating neither the new technologies nor companies that the 21st-century demands.”

America avoided this fate because, in the mid-1990s, federal lawmakers worked in a bipartisan fashion to devise balanced, pro-innovation digital policies that fostered investment and competition. While Europe became “the biggest loser” due to over-regulatory policies, America became the global leader in digital commerce, and is now also experiencing “a massive private sector stimulus” in AI systems, with U.S. private investment increasing 160.2 percent since 2024, compared to an increase of 32.2 percent in China and just 7.2 percent for all of Europe.

The Danger of a Growing Privacy Patchwork and Costly Litigation

The SECURE Data Act offers a better alternative to the European approach. The bill builds on the same core elements found in many state privacy measures that have already passed on a bipartisan basis in states like Kentucky, Tennessee, and Virginia. Under the new federal law, these and other state data regulations would be preempted so that regulations are applied more consistently across the nation. The SECURE Data Act makes it clear that no state “may prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law,” if such law is already covered by the provisions of this new bill. However, state attorneys general would still be able to bring claims under the standards of this new act on behalf of their residents.

To be clear, the 65-page SECURE Data Act creates major new regulatory obligations that would impose some costs on many companies across all sectors of the economy. But the law does so with an eye toward balancing new consumer protections alongside the continued need for data-driven innovation and competition. The growing thicket of state privacy laws and new compliance and liability will upset the balance needed to foster innovation, which is why plenary preemption is the most crucial feature of the bill.

A 2022 study by the Information Technology and Innovation Foundation estimated the costs associated with the state privacy patchwork to exceed $1 trillion over 10 years, with at least $200 billion of that burden falling on small businesses. Even California, the nation’s most aggressive privacy regulator, has identified the economic burden associated with its rules. The state prepared an economic impact analysis last year that revealed its latest expanded mandates under the CCPA would impose $4.8 billion in costs over 10 years and that small businesses would face $16,377 of annual ongoing costs because of the new rules. These numbers are almost certainly conservative, but even a $16,000 burden for some smaller firms could be highly disruptive to their operations.

Importantly, the SECURE Data Act wisely does not include a PRA, which would only exacerbate America’s growing over-litigation problem. Tort costs grew at a rate of seven percent annually—nearly double GDP growth—between 2016 and 2022, with most of the money enriching trial lawyers instead of plaintiffs. Frivolous claims based on junk science continue to flood the courtrooms, undermining innovation in numerous sectors, which is why many argue that “the greatest threat to economic productivity is America’s noxious legal environment.”

Thus, the approach some privacy advocates want in a federal bill—sweeping data collection limitations, limited preemption of state laws, new AI regulations, and an open-ended PRA—would undermine innovation, investment, and new entry. That cannot be the basis of American technology policy.

The Path Forward on Privacy

The SECURE Data Act presents a superior alternative. America’s data-driven economy needs clear, simple, cost-effective consumer protection standards that simultaneously ensure an open and robust interstate marketplace continues to exist while also strengthening America’s global technological leadership position.

Congress needs to act soon to ensure that balance is not derailed by other government actors. As noted in R Street testimony before the House Energy and Commerce Committee last May, without any federal privacy or AI framework whatsoever, “America’s AI innovators risk getting squeezed between the ‘Brussels effect’ of overzealous European regulation and the ‘Sacramento effect’ of excessive state and local mandates.”

Federal lawmakers need to take steps to address the danger of the many conflicting regulations and burdensome liability standards that are proliferating both domestically and internationally. The SECURE Data Act offers a sensible solution to this growing problem.