The Impending Patchwork of Privacy Is Bad for Business and Consumers
Congress has yet to advance comprehensive federal data privacy legislation to the floor of either chamber, despite signs of progress in 2022. Meanwhile, states have continued the trend of passing their own privacy bills to fill the void. With five state privacy laws coming into effect this year and 19 states actively considering new bills, the future of American privacy could end up as an expensive patchwork of 50 or more different laws, where an individual’s privacy rights vary depending on where they live.
California was the first state to pass its own comprehensive privacy law, the California Consumer Privacy Act (CCPA), in 2018. The law went into effect in 2020 and was partially modeled after the EU’s General Data Privacy Regulation, a strict privacy regime that imposes significant costs on businesses and the economy. Four states have passed their own laws since then—the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, and the Connecticut Data Privacy Act—all of which go into effect in 2023, as does the California Privacy Rights Act, a ballot measure that amends and expands the CCPA.
The state bills and laws that have been introduced and passed primarily fall into one of two categories. Some bills follow the CCPA’s approach to privacy, with costly provisions such as a private right of action. Other bills, including Utah’s law, take a narrower and more targeted approach. However, each bill has its own unique provisions that force data holders with users in multiple states to adjust to a new set of regulations every time one of these bills becomes law.
The estimated annual cost of complying with 50 different state privacy laws would reach $239 billion, with small businesses paying $50 billion in compliance costs, including the costs of hiring and retaining data protection officers, conducting privacy audits and data impact assessments, and responding to consumer requests. Litigation in states with a private right of action and market inefficiencies from less efficient use of data also contribute to these high costs. In comparison, a targeted but effective federal privacy law that preempts state laws would cost $6 billion per year.
High compliance costs get passed on to consumers in the form of higher prices, charging for services that were previously free, or offering discounts less frequently, which disproportionately impacts low-income consumers. Consumers would also suffer from the inconsistent and uncertain regulatory landscape of a patchwork of state privacy laws. Their rights would vary depending on where they live. People who live on the border of one state and work in another would have different privacy rights from their coworkers, and people who live in states that are late to pass privacy laws would have fewer rights than those who live in states that were early movers.
Regulating data privacy on a state-by-state level is unnecessary, costly, and confusing. These costs will impede innovation, and the inconsistency will harm consumers. Congress should act to pass a comprehensive privacy law that preempts state laws before the status quo becomes unsustainable.