Alyssa Wolslegel
Associate Editor
Loyola University Chicago School of Law, JD 2023
While the United States does have some federal data privacy regulations in place, the most comprehensive regulations exist at the state level, with the degree of protection varying from state to state. Recently, there has been more discussion about whether the United States should implement more federal data privacy laws. Proponents say such a law would likely be something equivalent to the European Union’s General Data Protection Regulation (GDPR), which regulates consumer data privacy and protects consumers from data breaches. This is especially significant because states are taking matters into their own hands by passing state data privacy regulations that all vary slightly, which could become confusing for companies trying to comply with more than one.
Data privacy laws in the US
The first data privacy act passed in the US was the Privacy Act of 1974, which established rights and restrictions concerning data held by government agencies. Among other things, this act allowed citizens to access their data, copy it, and correct any errors in it, and although it serves as the framework for many data privacy laws today, it has not been updated since it was passed. The only other federal data privacy laws that exist are narrowly tailored to specific areas of data collection, including the Gramm-Leach-Bliley Act of 1999 (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Children’s Online Privacy Protection Act (COPPA) in 2000. Although the internet has evolved drastically over the past twenty years, no additional federal data privacy laws have been enacted to protect consumers. The Federal Trade Commission Act does give the FTC broad jurisdiction over commercial entities and allows it to take action against companies engaging in deceptive practices, but it does not explicitly regulate privacy policies.
With the lack of federal action on data privacy, some states have stepped in and created their own regulations to protect consumers. California led the way with the California Consumer Privacy Act (CCPA), which requires a privacy notice on websites and gives consumers the right to access their data, the right to delete their data, and the right to opt out at any time. New York, Maryland, Massachusetts, Hawaii, Virginia, and North Dakota also have data privacy laws in place, all of which provide the right to access data. All of the aforementioned states provide the right to delete except North Dakota, while New York is the only state that provides the right to correct.
Why should we implement federal data privacy laws?
On its face, the argument for additional privacy laws seems very simple: why wouldn’t you want to protect consumers? But it’s a bit more complicated than that. First, many US companies already comply with GDPR because they do business with customers in the EU, and with state regulations if they do business in the states that have implemented them. Since some companies are already in compliance, and since it is important to protect all consumer data, we should implement our own federal law so that all companies are held to it. Next, one national standard would reduce the compliance costs companies incur and avoid the inefficiencies and misunderstandings of the law that come from having multiple compliance programs in place. The more programs in place, the more likely companies are to make mistakes, which could lead to data breaches or misuse of consumer information.
The issue of national security also arises because new technologies like artificial intelligence, together with the technology policies of rival powers, have made personal data more available than ever before, leaving consumers vulnerable and easily taken advantage of without protective legislation. Some argue that without data privacy legislation, these rival countries may exploit the US data environment for their own economic and even national security purposes. Because the internet has evolved so much in the past few years, companies like Facebook and Google have essentially been given free rein to conduct business as they like. This is problematic because these companies have irresponsibly handled huge numbers of user profiles and left them susceptible to breach.
Where do we go from here?
Because GDPR is a model for other countries’ data privacy laws and many US companies are already in compliance with it, it would be easy to implement a similar program in the US instead of creating a different one from scratch. Consumers, and even companies, across the country are susceptible to cyber-attacks given the massive amounts of personal information currently flowing through the internet, information that could be mishandled while companies try to comply with many different data privacy regulations. An updated federal data privacy law is just the thing we need to protect that information.