Why Congress should pass data privacy legislation in 2022

Data privacy legislation has been on the Congressional to-do list for years, but as more states consider their own comprehensive privacy laws and Europe’s privacy regulation approaches its fifth anniversary, the federal government continues to lag behind. Due in large part to partisan divides and an unwillingness to compromise, Congress has repeatedly missed its deadlines to produce a bipartisan bill. This comes at high costs to consumers and businesses, and it threatens America’s standing as a leader in the digital economy.

Federal legislation is necessary to prevent the United States from becoming a patchwork of 50 different state laws, which would make enforcement more costly and impose unnecessary barriers to innovation in the digital economy, which runs on personal data. Every time a state passes a new privacy law, it not only imposes costs on in-state businesses, but also on many out-of-state businesses. The Information Technology and Innovation Foundation (ITIF) estimates that, in the absence of federal privacy legislation that preempts states from passing their own laws, state privacy laws could impose costs on out-of-state businesses of $98 to $112 billion annually, exceeding $1 trillion over a 10-year period — and at least $200 billion of that burden would fall on small businesses. 

Poorly crafted privacy laws can impose many direct compliance costs on businesses, which may have to hire data protection officers, conduct privacy audits, perform data-impact assessments, and respond to customers’ data requests. They also can impose indirect costs in the form of market inefficiencies that impact businesses’ ability to use data optimally and class action lawsuits over potential violations. These costs fall heavily on smaller businesses, which have fewer resources to dedicate to compliance and potential legal fees.

Fifty differing state privacy laws would impose these costs many times over, unnecessarily burdening U.S. businesses while offering no added value to consumers.

In contrast, a single, streamlined federal privacy law would give businesses one set of rules to follow, simplify the compliance process and make it easier for consumers to understand their privacy rights. This was the purpose of Europe’s General Data Protection Regulation (GDPR), which created a consistent set of rules for all EU member countries, albeit with considerable regulatory overreach and added compliance costs.

The United States can do better than the EU did in that regard. Not only should federal data privacy legislation preempt state privacy laws, it also should take a balanced approach to protecting consumer privacy while minimizing the impact on innovation and compliance costs. While a federal privacy law would still impose costs on businesses, a targeted law that addresses concrete privacy harms instead of hypothetical ones, improves transparency requirements, strengthens oversight and enforcement, and minimizes restrictions on data use would cost approximately $6 billion per year, 20 times less than modeling a federal law on the EU’s or California’s laws.

If privacy activists continue to push restrictive laws at the state level, or use a scorched earth policy to hold out for a U.S. version of the GDPR, it will become increasingly difficult for bipartisan legislation to gain momentum in Congress.

The longer Congress delays passing data privacy legislation, the more problems it will create for U.S. businesses and consumers, and the more opportunity it will give states to enact laws that impose substantial costs on businesses in other jurisdictions.

These problems are avoidable. Passing a comprehensive, bipartisan data privacy law should be at the top of Congress’ technology policy agenda in 2022.

Ashley Johnson (@ashleyjnsn) is a senior policy analyst at the Information Technology and Innovation Foundation (ITIF). Daniel Castro (@castrotech) is vice president of ITIF and director of the Center for Data Innovation.