Is There Hope for a National Data Privacy Law in America?
The data privacy landscape in the United States is complicated, and still far behind Europe’s. 2023 has seen some clarity come with over a half dozen comprehensive state data privacy regulations passed, but federal legislation has eluded the world’s largest economy.
The first five states to enact major data protection regulations were California, Virginia, Connecticut, Colorado, and Utah, with Connecticut and Colorado’s laws taking full effect on July 1, 2023. Those laws were passed well before 2023, with most having at least a year-long gap between passage and entry into force.
In 2023, seven states have joined the fray by passing laws that will all enter into force between 2024 and 2026: Iowa, Indiana, Tennessee, Montana, Texas, Florida, and most recently, Delaware.
Many of the bills share similar cores regarding who needs to comply, enshrined data rights, exemptions, and requirements for businesses. With these major tenets lined up, it’s no surprise a flurry of laws is finally coming to fruition.
However, that increased momentum does not necessarily translate to the federal level, which is the real test for data privacy in the United States.
In 2022, the U.S. got as far as it ever had on comprehensive legislation, with the American Data Privacy and Protection Act (ADPPA) advancing out of committee in the House of Representatives and heading to the Senate for review.
From there, despite some excitement about the prospect of a national law, the ADPPA withered away, never coming to the Senate floor for an official vote. With that Congressional session wrapping up in January 2023, the current iteration of Congress has yet to make any moves on data privacy.
Still, with states both conservative and progressive emphasizing and passing data protection regulations within a single session, one would think there’s a higher probability now than ever that the baton does get picked up and carried along by Congress.
Nevertheless, with the way the ADPPA unraveled, it appears a federal law is not anywhere near guaranteed until after the 2024 elections. Why? Well, the same elements of federalism that have helped define American government pose massive challenges to a data privacy bill.
The one outlier among the states with comprehensive regulations is California. California has tried to pass considerably more progressive legislation than the other 11 states with laws on the books, including the private right of action in the state’s recent CPRA amendments.
The private right of action, which gives citizens the right to bring legal cases against companies that have violated data privacy regulations and caused personal harm, is central to the EU’s GDPR, but only California has included it among American state-level regulations.
The majority of California lawmakers publicly declared they would oppose the ADPPA unless it featured the private right of action, since otherwise a federal law would preempt the CCPA and render several progressive provisions useless. For most Congressmen, a full and complete private right of action is a non-starter in a federal bill, largely thanks to lobbying by Big Tech as well as the perception that it would be unfriendly to the nation’s entrepreneurial environment.
This is particularly true of Washington Senator and head of the Senate Commerce Committee Maria Cantwell, who single-handedly sidelined the bill by not bringing it to the floor for a vote. With Cantwell well established within the Senate and seemingly not at risk in the 2024 elections, gaining her seal of approval will be vital, especially as multiple data privacy bills have circulated and failed over the past half decade.
She herself has been heavily involved with data privacy drafts for several years, during which time data privacy has gained public steam as a hot-button issue. Cantwell, as a liberal Democrat, commented publicly numerous times throughout 2022 on aspects of the ADPPA she felt discouraged by, such as the 4-year implementation window and several provisions that created hurdles and blockages to private right of action.
The seven state regulations passed in 2023 all lack the private right of action, which did not feature heavily in conversations at all during the legislative process for any of them. That fact alone puts a damper on the prospects for a federal bill while Cantwell heads the Commerce Committee.
All in all, the messy Congressional politics in the U.S. have created a situation where national legislation is unlikely to pass in the near future, even with data privacy gaining steam across the country as a legal and technological issue.
By proxy, however, an increasingly large and complex web of state-level laws creates an environment where businesses operating within the U.S. will need to adopt and embrace data compliance, including efficient data subject request (DSR) handling and a wider understanding of where, why, and how an organization uses consumer data.
It’s a backdoor route to true data protection, but if more states pass regulations, as they are expected to throughout 2024, and there is any level of enforcement of these laws, the United States could end up with a de facto national standard on the matter even without the ADPPA or an equivalent.