Europe’s Privacy Rules Should Not Shape America’s

Reflecting on Privacy Laws During Data Privacy Week

By Roslyn Layton, Ph.D., Executive Vice President, Strand Consult and Deborah Collier, Vice President for Policy and Government Affairs, Citizens Against Government Waste

The United States is currently operating under a fragmented system of privacy regulations because Congress has not yet enacted a national framework to regulate consumer data privacy and security.  States have sought to address this situation by enacting their own laws, despite the federal government’s sector-specific rules.  This mosaic of laws and regulations has created uncertainty and significant costs for compliance, especially for small to mid-size businesses.  Some legislators and regulators look to the European Union (EU) to provide a foundation for a comprehensive data privacy framework, but this is the wrong solution for the U.S.

Many Europeans feel buyer’s remorse seven years after the implementation of the strict General Data Protection Regulation (GDPR) in 2018.  A February 2024 update to the Data, Privacy Laws and Firm Production report from the National Bureau of Economic Research found that GDPR has raised the cost of data by 20 percent for EU firms compared with their U.S. peers.  EU firms face a complex and costly compliance burden, which can amount to an estimated $3 million each for small and medium-sized businesses.

Since the GDPR went into effect in 2018, innovation and investment in Europe’s digital economy have diminished. The European Commission has difficulty pointing to any new digital successes related to its policies. EU-born tech like Stripe, Spotify, and Booking.com all predate the regulation. In April 2025, the European Commission announced it would be making the GDPR the next target for the “red tape bonfire” by simplifying its requirements. The decision follows a reassessment of the GDPR in former Italian Prime Minister Mario Draghi’s September 2025 report on Europe’s economic future competitiveness.

Despite Europe’s efforts to reassess its nanny state approach to privacy, California’s Consumer Privacy Act (CCPA), which was hastily enacted in 2018 as a GDPR-copycat, has become a misguided model for other states due to California’s economic influence and Congress’s failure to enact a national data privacy law.  It has 77 provisions and a broad definition of personal data that have burdened businesses with excessive compliance costs.  Rather than enhancing consumer control of their information, the complex law has created inefficient data handling practices and caused significant legal expenditures.

For example, the initial CCPA compliance cost was estimated to be $55 billion, or 1.8 percent of California’s GDP.  Many firms face recurring annual expenses between $500,000 and $1 million to remain in compliance with CCPA requirements.  New obligations currently under consideration at the state house, including mandatory annual cybersecurity audits and AI-related regulatory requirements, could further increase compliance costs that will impact tens of thousands of California businesses.

The need for a comprehensive national framework was demonstrated by an Information Technology and Innovation Foundation report that found compliance with 50 different state privacy laws could cost consumers and industry $239 billion annually, while a targeted federal law that preempts the state patchwork would cost $6 billion annually.

On February 21, 2025, House Energy and Commerce Committee Chairman Brett Guthrie (R-Ky.) and Vice Chairman John Joyce, M.D. (R-Pa.) issued a Request for Information on developing a national consumer data privacy and security framework to be shared with a new data privacy working group, which would be used to help adopt legislation.  This is a great restart to moving forward with a national consumer data privacy framework.  Two of the primary challenges to this effort are federal pre-emption of state laws and a private right of action, as well as whether U.S. law should be modeled on the EU.  After all, the point of federal standards is to supersede the states, ensuring all are treated equally.

Businesses operating across state lines face the Herculean task of navigating conflicting privacy requirements.  Silver Star Communications, for example, provides services in multiple states and has voiced concerns about the administrative burdens posed by inconsistent state laws.  The need for a single, coherent federal standard has become increasingly evident as companies, particularly small to medium-sized businesses, struggle with legal ambiguity and resource constraints.

Consumer data privacy legislation should be technology-neutral, ensure user choice and control, mandate transparency, and promote data minimization and timely deletion.  Protections must match the type and use of data, and personal information should always be kept secure.  To avoid a patchwork of conflicting state laws, privacy legislation should be enacted at the federal level with clear preemption.

The U.S. stands at a crossroads in data privacy regulation.  The current patchwork of state laws is unsustainable and harmful, particularly for small businesses; however, emulating the EU’s GDPR model or California’s CCPA would raise costs and curb innovation without a commensurate benefit for consumers.  A national privacy framework will protect consumers and provide certainty for all businesses regardless of size, while ensuring that America’s digital economy fuels opportunity, innovation, and competition.