Closing the Privacy Loopholes: The Necessity of a Federal Privacy Law in America


The vast expansion of digital technology in everyday American life has enabled technology companies to collect enormous quantities of consumers’ data.[1] However, the regulation of data collection and usage in American states only began in 2018 with the passage of the California Consumer Privacy Act.[2] Now, in 2024, only 14 other states have adopted similar comprehensive data privacy laws.[3] These laws generally grant individuals rights pertaining to the collection, use, and disclosure of their personal data by businesses.[4] The inconsistent data privacy laws across states not only pose compliance and liability risks for businesses operating across multiple jurisdictions[5] but also heighten the vulnerability of Americans’ data to international sale,[6] thereby necessitating the establishment of a comprehensive federal privacy or data protection law to ensure national security and safeguard consumer interests.

Currently, most of the data lifecycle is invisible to consumers.[7] Consumer data that is collected gets passed between countless third parties who profit from it, and each handoff increases the chance that the data is leaked or breached in ways that damage our society.[8] These damages include, but are not limited to: financial loss, identity theft, and stolen biometric and genetic data, allowing hostile actors to track Americans.[9] Despite this enormous potential for widespread harm, the United States does not have a single law covering the privacy of all types of data.[10] Only a handful of specific types of data have protection nationwide in the United States, and they are protected only in special and usually outdated circumstances.[11] These protections include, but are not limited to: the Health Insurance Portability and Accountability Act, the Family Educational Rights and Privacy Act, and the Children’s Online Privacy Protection Rule.[12] Outside of these federal laws, there are a few states that have comprehensive data privacy laws. These state laws try to cover gaps in the federal privacy laws by narrowly protecting certain data types, such as biometric identifiers and health data, and also by governing the activities of data brokers and internet service providers.[13] However, although this patchwork is a good start, there are still large gaps in Americans’ data protection. Further, the compliance requirements vary from state to state, creating a disarray of rules to follow.

Addressing these data risks, the European Union implemented the General Data Protection Regulation (GDPR) as its comprehensive privacy law in 2018.[14] The GDPR’s primary objective is to empower individuals and residents by returning control of their personal data to them, while also streamlining regulatory standards for businesses through a single, uniform data protection regulation applicable across all EU member states.[15] Specifically, the GDPR requires companies to obtain consumer consent to collect and share data, and gives individuals rights to access, delete, or control the use of that data.[16] Arguably the world’s toughest privacy law, the GDPR imposes fines of up to 4% of a business’s annual sales.[17] Penalties have been infrequent because many major tech corporations, seeking to avoid them, closely adhere to GDPR regulations.[18] Nevertheless, even companies operating outside the European Union may face liability for non-compliance with the GDPR.[19] Regardless of whether they actively seek data from or trade with EU residents, the GDPR applies to any digital platform that draws visitors from the EU or the European Economic Area.[20]

Overall, the GDPR provides the EU with strong, unified data laws designed to protect European national security and consumer interests.[21] This is something the current patchwork of US privacy laws cannot replicate. That is because US state privacy laws do not advance national interests. Rather, they focus on protecting a state’s consumers and businesses.[22] The creation of a federal data privacy law is a clear solution, offering an integrated privacy law that advances US national interests, especially in consumer protection and national security.[23] Ideally, such a federal framework would follow the GDPR’s approach and require controllers to obtain consent for using data in any way, in addition to applying extraterritorially.

[1] Timothy Morey et al., Customer Data: Designing for Transparency and Trust, Harv. Bus. Rev. (May 2015),

[2] Which States Have Consumer Data Privacy Laws?, Bloomberg (Mar. 18, 2024),

[3] Id.

[4] Id.

[5] Id.

[6] See Will Weissert & Barbara Ortutay, Biden Acts to Better Protect Americans’ Personal Data Such as Health Records and Finances, AP News (Feb. 28, 2024),

[7] Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), N.Y. Times (Sept. 6, 2021),

[8] Id.

[9] Weissert & Ortutay, supra note 5; James Mackay, 5 Damaging Consequences of Data Breach: Protect Your Assets, MetaCompliance (last visited Apr. 1, 2024).

[10] Klosowski, supra note 6.

[11] Id.

[12] Id.

[13] Bloomberg, supra note 2.

[14] Klosowski, supra note 6.

[15] Id.

[16] See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), arts. 7, 13, O.J. (L 119).

[17] Anda Bologa, Fifty Shades of GDPR Privacy: The Good, the Bad, and the Enforcement, Ctr. for Eur. Pol’y Analysis (Feb. 7, 2023),

[18] Id.

[19] Chris Singlemann, GDPR US equivalent: How the US and EU compare on data privacy laws, Thoropass (Feb. 13, 2024),

[20] Id.

[21] See GDPR, supra note 16, arts. 1-4.

[22] See, e.g., Biometric Information Privacy Act, 740 Ill. Comp. Stat. Ann. 14/10 (West 2008).

[23] See Justin Sherman, Weak US Privacy Laws Hurt America’s Global Standing, Wired (July 20, 2021),