Testimony to the House Administration Committee on “Big Data: Privacy Risks and Needed Reforms in the Public and Private Sectors”

ITIF Vice President Daniel Castro provided testimony for a February 16 hearing on “Big Data: Privacy Risks and Needed Reforms in the Public and Private Sectors,” in which he argued why Congress should pass data-privacy legislation, what that legislation should look like, and how the United States can avoid the mistakes made in the EU’s General Data Protection Regulation (GDPR) and other data-privacy laws.

Why Congress Should Pass Data-Privacy Legislation

U.S. data privacy is at a crossroads. Many consumers are justifiably frustrated by the frequency with which they learn about new data breaches and the seeming lack of accountability for those who misuse personal information. At the same time, many businesses are overwhelmed by the tsunami of new data-protection obligations they face and the growing restrictions on how they can use personal information. And all are confused by the multitude of ever-changing laws and regulations.

These conditions have created a groundswell of support for new data-protection laws. Over the past few years, federal and state lawmakers have proposed various privacy laws to regulate the collection and use of personal data. Three states—California, Virginia, and Colorado—have passed comprehensive data-privacy legislation that gives consumers in those states new rights regarding the collection of their personal information and imposes new obligations on businesses. Many other states have considered enacting similar privacy laws. Between 2018 and 2021, 34 state legislatures have introduced a total of 72 bills, which have advanced to various stages of the legislative process.

These new state privacy laws can create confusion for consumers and impose significant costs on businesses—both direct compliance costs and decreases in productivity—and undermine their ability to responsibly use data to innovate and deliver value to consumers. Moreover, these laws create high costs not just for in-state businesses, but also for out-of-state businesses that can find themselves subject to multiple and duplicative rules. For example, California’s recently enacted privacy law will likely cost $78 billion annually, with California’s economy bearing $46 billion and the rest of the U.S. economy bearing the other $32 billion. California small businesses will bear $9 billion of in-state costs, while out-of-state small businesses face $6 billion of costs.

In the absence of federal data-privacy legislation, the growing patchwork of state privacy laws could impose out-of-state costs between $98 billion and $112 billion annually. Over a 10-year period, these costs would exceed $1 trillion. The burden on small businesses would be substantial, with U.S. small businesses bearing $20 billion to $23 billion annually.

What Federal Data-Privacy Legislation Should Accomplish

1. Federal data-privacy legislation should establish basic consumer data rights.
2. Lawmakers should establish uniform privacy rules for the entire nation by preempting state and local privacy laws.
3. Congress should ensure there is robust and reliable enforcement of federal privacy law.
4. Congress should set a goal of repealing and replacing potentially duplicative or contradictory federal privacy laws.
5. Federal data-privacy legislation should minimize the impact on innovation.

How to Avoid the Mistakes of the GDPR and Other Privacy Laws

• Avoid excessive compliance costs.
• Understand that more regulation does not always benefit consumers.
• Ensure sufficient resources for regulators.
• Beware of unintended consequences.
• Prevent costly lawsuits.

Read the full testimony (PDF).