
Protect Data Without Undermining Its Value
Privacy legislation is not just about protecting data; it is about ensuring that data can still be used in valuable and responsible ways. If the sole objective were to lock down data, the solution would be simple—prohibit most data collection, mandate deletion within 24 hours, and impose severe penalties for violations. However, such an approach would eliminate the many benefits that responsible data use provides.
As Congress considers a new path forward on federal data privacy legislation, it should ensure that it strikes the right balance so that data protection does not come at the expense of the ability to use data in ways that improve services, drive innovation, and support economic activity.
Personal data plays a critical role in industries such as healthcare, financial services, and e-commerce. And businesses across all sectors rely on data for routine business operations, such as marketing and customer engagement, to function efficiently. Indeed, one of the biggest impacts of data privacy laws is not on large tech companies but on the wide array of local businesses—such as plumbers, dog groomers, and landscapers—who use data-driven advertising to find customers.
When California passed its first major privacy law, one of the earliest concerns came from the owner of a small florist shop who pointed out that even a non-tech business like his depended on digital marketing tools. Phone numbers allowed him to text customers, and email addresses enabled targeted advertising. Restrictive privacy laws increase compliance costs and, in some cases, make online marketing prohibitively expensive, forcing businesses to rely on costlier and less effective alternatives such as radio or television ads.
Many privacy regulations focus on punishment for non-compliance rather than improving consumer outcomes. The EU intended the General Data Protection Regulation (GDPR) to be the global standard for data protection, yet there is no evidence it has reduced data breaches, despite forcing organizations to spend millions on compliance. Part of the reason is that enforcement often targets minor infractions instead of addressing meaningful risks. One recent case involved a €2,500 fine issued because a firm mistakenly CC’ed someone on an email instead of using BCC.
This punitive approach is evident in state-level privacy laws as well. For example, Illinois created the Biometric Information Privacy Act (BIPA) to protect biometric data, but the law’s broad enforcement mechanisms have encouraged excessive litigation. BIPA requires companies to obtain written consent before collecting biometric data, such as fingerprints, for employee timekeeping systems.
In 2019, the Illinois Supreme Court ruled that individuals could sue for violations even if they suffered no harm. Before this ruling, only a handful of BIPA lawsuits were filed each year; afterward, cases were filed daily. This shift turned a well-intended privacy law into an avenue for opportunistic litigation. And even when these lawsuits are successful, it is mostly the lawyers, not the plaintiffs, who take home a fat check.
As Congress drafts new data protection legislation, it should prioritize compliance and consumer protection over financial penalties. Some state privacy laws include cure periods, allowing companies to correct violations before facing penalties. This approach ensures that the primary goal is compliance rather than punishment, especially in cases where no real harm has occurred. Other measures, such as limiting the ability of individuals to make excessive requests on businesses, help prevent privacy laws from being exploited and misused.
Another priority for Congress should be simplification. The oft-repeated claim that the United States lacks a federal privacy law is misleading; numerous federal laws already regulate consumer privacy, including HIPAA, FERPA, the Privacy Act of 1974, GLBA, and the Video Privacy Protection Act.
In addition, nearly two dozen state privacy laws have created a fragmented and inconsistent regulatory landscape. Any new federal privacy law should seek to reduce this complexity rather than add to it. At a minimum, it should preempt state laws, because consumer privacy rights that vary from state to state create confusion for consumers and compliance challenges for businesses.
Even better, Congress should strive to start harmonizing existing sector-specific federal privacy rules, such as by using consistent definitions, to ensure that similar types of consumer data receive consistent protection.
Congress should also draft privacy legislation that accounts for differences in consumer preferences. Surveys consistently show that individuals have varying levels of concern about data privacy. Some prioritize strict privacy controls, while others are more willing to share data in exchange for convenience or personalized services.
Opt-out mechanisms allow those with strong privacy preferences to limit data collection while enabling others to continue benefiting from data-driven services without unnecessary barriers. In contrast, opt-in requirements often discourage data sharing, even among consumers who would otherwise have no objections, making data collection more costly and less efficient.
Transparency is another critical issue. Consumers should be aware when their data is stored and processed in a foreign country whose government may access their personal information. Strengthening disclosure requirements can provide greater awareness and allow individuals to make more informed decisions about their data.
Effective privacy legislation should protect consumers while ensuring that businesses, researchers, and organizations can continue to use data in ways that benefit society. Striking the right balance requires a regulatory approach that emphasizes clear rules, promotes responsible data use, and avoids unnecessary complexity or punitive enforcement that stifles innovation. As Congress goes back to the drawing board on federal privacy legislation, it has a chance to enhance security and transparency without diminishing the economic and societal value of data.