This is a joint project between the R Street Institute’s Cyber Team, led by Tatyana Bolton, the Belfer Center’s Cyber Project, led by Lauren Zabierek, and Cory Simpson, a senior advisor on the Cyberspace Solarium Commission.

Data privacy is one of the nation’s most pressing issues. The current lack of federal privacy legislation affects the economy, national security and consumer safety and is—at its most basic level—not a controversial issue for most Americans. Multiple leaders of top-tier tech companies have, in recent weeks, called for privacy legislation. The major bills on the table are mostly aligned. Where they differ, however, and where Congress must find consensus, is on the most contentious issues: preemption, private right of action (PRA) and the role of the Federal Trade Commission (FTC). Our goal in developing this series is to offer recommendations on the best way to find agreement on these key issues.

The United States is one of the industrialized countries that lacks a single, national data privacy law, which affects our global competitiveness. In the vacuum left by the lack of federal government progress, state laws are passing quickly. But this isn’t the best path forward. Studies have shown that a patchwork of state privacy laws could cost the United States over $1 trillion in out-of-state costs over 10 years. In addition, this patchy landscape would be difficult for businesses to navigate, especially small and medium companies.

Moreover, many countries want to take our data and weaponize it. For example, China—the most significant of these threats—is working to overtake the United States in the technology sector and is actively using our weak cybersecurity and data privacy protections to gather our data and use it against us. This can have many consequences, from blackmailing U.S.-based critics to identifying intelligence agents. Thus, the United States stands to gain significant competitive and national security advantages if our companies keep data private and secure.

The majority of Americans want data privacy regulation. Without a federal standard, consumers are left with unequal protections, or none at all.

We have drafted three articles, each of which focuses on one of the main areas of federal privacy law debate, identifies a variety of options for consensus and offers initial recommendations for compromise.

Our articles on preemption, PRA and the role of the FTC are intentionally framed differently than standard academic and think tank products. Our goal is to provide key members who are debating privacy legislation with a guide to the most challenging issues national legislation has faced, offering succinct options for bipartisan consensus. Although we present these topics separately, we recognize that these issues overlap, and progress toward consensus on one may mean a tradeoff on another.

Our work, which is the result of over 130 engagements across a full range of stakeholders, including Congress, the private sector, consumer groups and privacy advocates, builds off of the efforts of other experts, such as the Brookings Institution, Privacy for America and Duke University. Varied perspectives—even if conflicting—were crucial to understanding what an effective, passable bill could look like.

A federal data security and privacy law has never been more necessary, and we are closer to realizing that goal than ever before. For the sake of our economy, national security and consumer rights, the United States must act now rather than continue to hold out for the perfect law.

PART 1 – Preemption in Federal Data Security and Privacy Legislation

PART 2 – The Role of the Federal Trade Commission in Federal Data Security and Privacy Legislation

PART 3 – Limiting a Private Right of Action in Federal Data Security and Privacy Legislation

EXPLAINER – Answer to Tough Questions: The Framework of a Federal Data Security and Privacy Law
