Data Privacy Day is an opportunity for Americans to increase their understanding about how their information is used and increase the protection of their personal privacy.  This annual national recognition of the importance of data privacy will be on January 28, 2023, marking 14 years since it was established by Congress in 2009.  It is also an opportunity for everyone to remind Congress about the importance of enacting a law that will set privacy standards for the entire country rather than the current patchwork of conflicting and confusing state laws and regulations.

The 117th Congress debated creating a national data privacy framework, but there was no consensus, and nothing was enacted.  The only successful action occurred at the last minute, when the House Energy and Commerce Committee reported out H.R. 8152, the American Data Privacy Protection Act, on December 30, 2022.  The Council for Citizens Against Government Waste expressed its views on this legislation in a July 19, 2022, letter to the committee , including concerns about preemption of state laws, the allowance of a private right of action, and the expansion of consumer data privacy authority for the Federal Trade Commission (FTC).

The lack of a national law has opened the door for states to enact their own laws or adopt regulations to protect consumer data privacy.  This has made it costly for businesses to comply, particularly those with few resources.  Indeed, one of the most unrecognized consequences of data privacy laws is that elected officials are aiming at large online companies but end up covering every other company, both large and small.  States like California, Colorado, Connecticut, Illinois, Utah, and Virginia have enacted legislation on consumer information, including biometric restrictions in Illinois and a rushed attempt in California at a comprehensive consumer data privacy law that had to be amended even before the ink was dry. 

During the last legislative session, 35 states considered privacy bills, with Connecticut and Utah having bills that were signed into law.  However, the increasing number of conflicting data privacy rules is creating uncertainty and significant costs for compliance, especially for small businesses.  A January 24, 2022, Information Technology and Innovation Foundation (ITIF) report found that if all 50 states enacted consumer data privacy laws, it could cost businesses $1 trillion more over 10 years than if there was one national data privacy standard adopted by Congress.  An August 8, 2022 ITIF report also found that if the United States adopted a law similar to the European Union’s General Data Protection Regulation (after which California modeled its law), it “would cost the U.S. $122 billion per year, including $106 billion in hidden costs.”

Citizens Against Government Waste (CAGW) offered six recommendations, first published in a November 2, 2018 letter to the National Telecommunications and Information Administration, that should be addressed in any legislation proposed in Congress to address consumer data privacy and protection.  The legislation should adopt a national framework that preempts state laws, gives consumers choice and control over how their data is used, provides transparency of notices issued by businesses collecting data, implements data minimization and contextuality in the use of data, allows flexibility for different types of data requiring different levels of sensitivity, and offers data security and breach notifications to consumers.

The lack of action by Congress has also given the Federal Trade Commission (FTC) an opening to adopt privacy rules for the entire country across all businesses.  As CAGW noted in in an August 19, 2022, blog postand November 18, 2022, comments on the FTC’s August 10, 2022, Advanced Notice of Proposed Rulemaking(ANPRM), the agency is overreaching the statutory authority granted to it by Congress and should not be considering any privacy regulations while Congress is working on privacy legislation. 

CAGW’s principles should help guide Congress in the development of a strong national framework for consumer data privacy.  However, the longer Congress delays in enacting a consumer data privacy law, the more states will engage in enacting their own separate, different laws that will add to the confusion and cost burdens for all businesses across the country, and the more opportunity there will be for damaging (and likely unconstitutional) regulations to be promulgated by the FTC.