In a nutshell: Voters want it. The other branches of government agree we need it. The United States and the global economy are hurt without it. The United States can and should do more to set the rules of the road.
While there are many more reasons than the ones stated here, we hope that these five reasons alone will prompt Congress to act NOW to move federal privacy legislation forward.
There are at least five critical reasons why Congress needs to act NOW to pass federal privacy legislation.
1) Polling research demonstrates that privacy – not tech regulation – is one of the top issues voters care about.
In recent months, tech regulation – through competition and antitrust reform – have been at the forefront of Congressional hearings and the public discourse. But, the verdict is out about where voters really want to see action: polling research states that approximately 76% of Americans choose privacy and data security to be the top priority for them, compared to 16% who choose competition and antitrust issues. Other results from Morning Consult and Politico reaffirm this resounding public interest: more than half of all American voters support passage of a federal data privacy law.
As we begin making our way into the upcoming midterm election season – legislators need to make data privacy a priority to fulfill the compelling requests of voters. Let’s give voters what they want!
2) There is a united consensus across the branches of Government to move privacy forward as a priority.
In his State of the Union speech earlier in the year, President Biden called for strengthening privacy protections, signaling to Congress to act. And the FTC’s Chair Lina Khan noted in her first public address that she anticipates privacy and data security rulemaking as an opportunity to further update the FTC’s approach to data practices. This, coupled with the latest news regarding a leaked draft majority ruling by the Supreme Court on individual rights to privacy, are an important wake-up call to Congress that it must take action now. Action can have wide-ranging implications across every aspect of our lives.
The best way to get the wheels in motion is to move legislation forward and to finalize negotiations on what standard makes sense for the United States.
3) The cost of inaction is devastating for the U.S. economy.
At least 34 states have passed or introduced privacy bills focused on commercial collection and use of personal data. Five state consumer privacy laws – in California, Virginia, Colorado, Utah, and Connecticut – are on the books and are in the process of being implemented. Some would say keeping up with the plethora of state consumer privacy laws may be harder than keeping up with the Kardashians!
ITIF analyzed the impact of the state privacy patchwork on businesses, particularly those that serve customers across state lines. It notes that businesses that serve customers across state lines are subject to not just one, but a combination of state privacy laws, which creates a multiplier effect and has led to expensive and redundant compliance efforts. The costs are not negligible: it is estimated that state privacy laws could lead to somewhere between $98 billion and $112 billion annually, which over a 10-year period would lead to an excess of $1 trillion in out-of-state costs for businesses. The failure of Congress to act is a drain on U.S. businesses, crippling the U.S. economy, and disproportionately harms small businesses and new market entrants.
Further, ITIF states that small businesses could face $20–23 billion in out-of-state compliance costs annually. These businesses are the backbone of the U.S. economy. Harvard Business Review documents that they account for 48% of all U.S. jobs and contribute to 43% of the U.S. GDP. We need to keep them afloat and thriving.
Passing a uniform privacy standard that levels the playing field and includes appropriate exemptions is a necessary first step to supporting our local mom and pops.
4) Privacy plays an important role in helping the United States keep its foothold in the geopolitical economy.
In 2018, the European Union set a critical precedent – some would say a dangerous one – on what privacy regulation should look like for its member states by passing the GDPR. Since then, many countries have followed in the EU’s footsteps and finalized privacy laws, leaving the United States behind. More recently, the EU, United States, and many other countries are also working through new bilateral and multilateral data privacy agreements and cooperation. Without a privacy law in place in the United States, some would argue that it creates an unlevel playing field to reach decisions about adequacy and being a “fair” trade and tech economic partner.
Following GDPR and in the absence of any U.S. action, the EU, India and close to 50 other countries are shaping efforts grounded in data localization, a climate that is unworkable from a trade perspective. Countries may view data localization as a means to furthering their own economic interests and to keeping stronger control and oversight over data privacy and security practices within their borders. Such values run counter to the pro-democratic nature of U.S. technology, innovation, and competition policies.
We live in a borderless, digital economy, where governments cannot and should not be permitted to store and process copies of proprietary data on their turf – it goes against the fundamental spirit of innovation, productive research and creative authorship and it harbors serious national security concerns. Discussion about furthering the principles of a free-flowing internet has been made by G7 leaders, the World Trade Organization and the Organization for Economic Cooperation and Development.
By passing a privacy law, the United States can take part in shaping a pro-innovation, pro-democratic privacy landscape to counter this digital authoritarianism movement that imposes serious obstacles to trade.
5) The United States can demonstrate leadership through its own unique model for privacy, using a pro-innovation lens, as well as factoring in our federal constitutional rights and history.
The United States is aware of the shortcomings of GDPR and must avoid passing a law that would repeat mistakes made by countries complying with the GDPR. We can learn from the GDPR experiment – but cannot and should not – model it exactly. There are a handful of compelling reasons why.
It is clearly evidenced that, regardless of the privacy benefits, GDPR has deterred innovation. First, the GDPR does not include exemptions for SMEs, which as noted earlier, would be problematic for these players who are the backbone of the U.S. economy. Second, the National Bureau of Economic Research (NBER) just came out with research about the impact of GDPR, including implications for both the supply and demand side of the equation. After reviewing 4.1 million apps at the Google Play Store from 2016 to 2019, NBER notes that GDPR has induced the exit of about a third of available apps; and, since GDPR implementation, has led to half the number of new market entrants in the app marketplace. On the demand side, GDPR reduces consumer surplus and aggregate app usage by about one third. And, the research suggests that GDPR has generated significant consent fatigue, making it a less commendable model from a consumer and business usability standpoint.
In addition to this, as it develops a federal privacy law, the United States would need to take U.S. First Amendment rights, including free speech and individual rights, into consideration (which, of course, is not woven into the EU GDPR). SIIA has played a pivotal role in shaping the development of state consumer privacy laws to ensure that they include these considerations and would pass constitutional muster.
We can benefit from the excellent lessons learned from the GDPR. It should prompt us to tailor a U.S. law to help, rather than hinder, the political economy. It should also prompt us to focus on carefully factoring in the individual rights we are granted by the U.S. Constitution.
