There is a growing chorus of voices calling for national data privacy legislation in the United States. Not surprisingly, stakeholders have offered competing visions for what such a law should look like. Designing data privacy legislation involves a complex process that must address a wide array of legal and regulatory issues. To help policymakers understand and evaluate these issues, this report compares how different laws and frameworks around the world address various data privacy issues; describes 30 components included in existing laws, frameworks, and legislative proposals; and explains each one’s likely impact on consumers, businesses, and the digital economy.
On the basis of this analysis, the report calls for a bold new privacy framework that expands and simplifies consumer data privacy rights, reduces compliance costs from existing state and federal regulations, and paves the way for more data-driven innovation. Specifically, the report calls for comprehensive data privacy legislation to repeal and replace existing federal privacy laws with a common set of protections, preempt state laws, improve transparency requirements, strengthen enforcement, and establish a clear set of data privacy rights for Americans based on the sensitivity of the data and the context in which it is collected.
The United States does not have a single federal data privacy law. Instead, it has multiple federal and state laws that regulate the private sector, often focusing on particular sectors or types of data, with multiple regulatory authorities responsible for oversight. Where there are no sector-specific rules, the U.S. government provides oversight of industry self-regulation, allowing particular industry sectors to use voluntary agreements, peer pressure, and other methods to coordinate behavior without violating antitrust rules. For example, the online ad industry has developed a robust self-regulatory program, and companies that commit to this program and then violate its rules can face action by the Federal Trade Commission (FTC). This arrangement has been one factor enabling the United States to be the world leader in innovative digital services. Of the 15 largest digital firms in the world, all are either American or Chinese. In contrast, other economies with strict data protection regulations, such as the European Union, have fallen by the wayside in part because it is so hard to use data for innovation. Indeed, of the top 200 digital firms, only 8 are European.
If Congress passes data privacy legislation, its key task will not be to maximize consumer privacy, but rather to balance competing goals such as consumer privacy, free speech, productivity, U.S. economic competitiveness, and innovation. It is relatively easy to pass legislation to maximize consumer privacy. Indeed, the European Union did just that when it created the General Data Protection Regulation (GDPR)—a set of strict data protection rules for EU member states—which went into effect in May 2018. But this regulation came at a steep price: high compliance costs that were passed on to consumers; reduced choice in the digital economy as some firms chose not to provide services; and limited innovation as it became much more difficult for organizations, including nonprofits, to use data to innovate and improve services.
Crafting privacy legislation that balances key goals is more difficult, both conceptually and politically, but it is essential if policymakers do not want to derail the continued success of the U.S. digital economy. Crafting such legislation requires a thorough understanding of the direct and indirect implications of various data protection policies. Policymakers who ignore the complexity of complying with privacy laws or the hidden costs of these regulations risk creating rules that undermine the digital economy by restricting the overall digital ecosystem and the benefits it provides consumers. The goal of data privacy legislation should therefore not be to myopically maximize consumer privacy, but to maximize consumer welfare. In other words, consumer welfare involves privacy, but it also involves lower prices (or free products and services) and the development of new products and services. This approach requires finding the optimal level of regulation for the digital economy, with rules that are neither too weak nor too strong.
This report focuses on potential federal data privacy legislation for private-sector data processing. It does not address government access to data or restrictions on government use of data. It proposes a grand bargain, in which Congress repeals existing federal data privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), and replaces them with a single federal data privacy law that preempts state laws. The new federal law would establish a common set of federal protections for all types of data based on the sensitivity of the data and the context in which it is collected. This report also proposes to improve consumer protections by enhancing transparency requirements for business practices and establishing a set of clear basic rights for Americans. It further proposes improving enforcement by granting regulators the appropriate authority to update and enforce rules while ensuring they have the proper constraints to protect industry from regulatory overreach and overzealous enforcement. In this way, its proposals will incentivize companies to focus less on check-the-box compliance and more on reducing actual consumer harm. This report also looks beyond U.S. borders, proposing how a data privacy law could facilitate data sharing abroad without simply acceding to demands from other countries or regions on how to protect data. And most importantly, it offers recommendations for how federal data privacy legislation can promote innovation and beneficial data collection, use, and sharing to ensure consumers continue to benefit from the growing digital economy, including services supported by targeted digital advertising.