2022: The Year of US Data Privacy Laws?

Alyssa Wolslegel

Associate Editor

Loyola University Chicago School of Law, JD 2023

When you think of the most valuable commodity in the world today, you might automatically think of money, however, personal data has now become one of the most valuable forms of currency today. The vast amounts of personal data available have made it increasingly valuable to companies who know how to use it to their advantage. The means of receiving this data are sometimes questionable, and up until recently, often unregulated, leading to companies using unethical methods to get their hands on this valuable data. The US is starting to follow the rest of the world and develop extensive data privacy laws that cover more than just medical information to ensure that consumers are protected, but there’s still lots of disagreements surrounding how and what should be protected in the US.

Current US privacy laws

In the US today, California, Virginia and Colorado are the only states with comprehensive data privacy laws enacted. Various other states are introducing data privacy laws for debate in 2022, but they will likely not be passed this year because of the heavy amount of debate surrounding it with limited time. Seventeen states have not yet attempted to introduce comprehensive data privacy laws in their state. At the federal level, we have a few federal regulations governing certain types of information, but no single law that governs all personal data. Common federal data privacy laws you may have heard of are the Health Insurance Portability and Accountability Act (HIPAA) which protects individual medical records and other individually identifiable health information, the Children’s Online Privacy Protection rule (COPPA) which imposes certain requirements on websites directed at children, the Fair Credit Reporting Act (FCRA) which protects personal information held by credit reporting agencies, and finally the Gramm-Leach-Bliley Act (GLBA) which requires some financial institutions to share their information-sharing practices to protect consumers sensitive data. Although the federal laws in place do protect important pieces of consumer information, we are still missing one that protects consumers as a whole.

Why you, as a consumer, should care

Having individual laws for every state makes it extremely time consuming and complicated for companies to keep up and comply with every one of them, so, they often don’t. Many of the states that passed data privacy laws don’t have a delegated authority to enforce the law, so companies are waiting to get caught instead of making the effort to comply from the beginning. For consumers, this means your personal information is being collected and traded without much oversight leaving it vulnerable to hackers. Consumers should also care because the information being associated with them may not be correct, and without an authoritative body enforcing the regulations, no one would catch it and you would have no right to correct it.

Many experts in the field don’t think we will see a comprehensive federal regulation in the near future because of the deep political disagreement and the lack of buzz from the public. Consumers likely won’t speak out on this issue and demand action until a data breach occurs that affects almost everyone and leaves their information vulnerable and possibly even stolen. Many don’t understand how much of their information is collected and will be surprised when it is used against them. Politicians also can’t agree on how to enact privacy regulations, and the divide boils down to a debate over preemption and private right of action. The preemption aspect questions whether the federal law should preempt state laws, meaning it essentially overrides them, or whether it should be the floor and states can create their own laws in addition to it. The private right of action debate is centered around the disagreement on whether consumers should enforce the law and be given standing to sue, or whether a government body should be given the sole authority to investigate and hold companies accountable for violations.

Until Congress can come together and decide on federal regulations for the protection of consumers, we will likely see more and more states pass and attempt to pass their own version of data privacy laws making it more difficult for companies to comply. This will lead to companies putting pressure on the federal government to pass one singular data privacy law. Many consumers will likely not be aware of this battle until it affects them personally, and that may be just what we need to encourage government officials to finally take action and protect their personal data.