As the United States federal government slowly attempts to pass nation-wide data privacy legislation, certain states have forged their own legislation. But this has left more than half of Americans with little data protection, if any.
As Congress struggles to catch up to the European Union’s comprehensive data privacy regulations, some US states have begun to forge their own robust legislation to increase user protection. But this system only protects the data of some Americans, leaving more than half the country without guaranteed data protection or privacy rights.
And it may take years before a national solution is created, if at all.
The EU took its first step towards providing sweeping privacy protection years ago, with the creation of the region’s General Data Protection Regulation (GDPR).
The GDPR, which took effect in 2018 and gives individuals ownership over their personal information and the right to control who can use it, is often marked as the first major, multinational step towards comprehensive data protection and privacy.
Traditionally, the EU’s approach to data privacy stems from a human rights standpoint and has its roots in World War II, when the Nazi party collected personal data to commit numerous atrocities and, later, when the East German secret police, the Stasi, carried out invasive state surveillance.
After the war ended, the right to privacy was enshrined in the European Convention on Human Rights and later in the EU Charter of Fundamental Rights, becoming the ideological foundation on which data privacy laws have been built in the EU today.
Across the Atlantic, the US Constitution does not explicitly provide a right to privacy.
Rather than enacting a comprehensive federal law, the US federal government has taken a reactive approach, passing legislation only after issues arise in a few specific business sectors, which has resulted in a series of data protection laws addressing specific types of data. For example, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) have protected medical and financial data respectively since the 1990s.
“The US is very much an innovation, capital-first society,” said Jodi Daniels, founder and CEO of privacy consultancy firm Red Clover Advisors. “And they do want to protect the people, but it has to all get balanced.”
But in recent years, some lawmakers have begun to push back against this system by introducing comprehensive data privacy bills, like the bipartisan American Privacy Rights Act (APRA).
Introduced in April by Sen. Maria Cantwell (D-WA) and Rep. Cathy McMorris Rodgers (R-WA), APRA is like GDPR in that it is not limited to specific business sectors and aims to minimize the amount and types of data companies can collect, give consumers control over their information, and allow them to opt out of targeted advertising.
While the legislation didn’t get very far, stalling in the House Committee on Energy and Commerce, it’s the furthest any comprehensive privacy bill has gone in Congress yet. To become law, however, it would have to be reintroduced next year when Republicans control both chambers.
Some lawmakers, like Sen. Ted Cruz (R-TX), contend that APRA is more concerned with “controlling the internet” than creating a balance between innovation and privacy protection, and argue that the current right to private action present in the act, which allows individuals to pursue legal action if their privacy is violated, will give overwhelming power to trial lawyers.
These ongoing disagreements and inaction from within the federal government have led states to create their own privacy laws.
After California enacted its Consumer Privacy Act (CCPA) in 2018, 18 other states passed similar GDPR-inspired laws, demonstrating a growing desire for legislation that leans towards the EU’s comprehensive approach.
Currently, only eight of those states, such as Connecticut and Virginia, have laws in effect; the other 11 take effect in mid-2025 or 2026.
But people living outside these states are afforded little to no data protection or data privacy rights.
“Imagine someone was behind you with a notepad and they watched every single thing that you did, marking down what you were doing. Within 30 seconds you would turn around and ask why they were following you,” said Daniels, referring to people with no privacy protection. “That’s what we do online, and we think it’s okay.”
In states with no privacy legislation certain data is protected by sectoral laws like HIPAA or Section 5 under the Federal Trade Commission Act (FTCA), which only protects people against companies that are deceptive in how they use a consumer’s data.
“All you can do is hope that companies follow Section 5 and give a privacy notice,” said Daniels.
And HIPAA, which protects health data, doesn’t protect all information linked to a person’s health. Data collected by fitness tracker apps or other well-being sites isn’t covered, meaning that only a very specific set of health data is protected for individuals outside states with comprehensive legislation.
Other than these limited protections, it is up to the businesses to decide whether they will extend privacy rights and protections required in states with comprehensive laws to those living outside these areas.
But even within the states that have effective privacy laws, these businesses face a complex system of differing legislation that makes it difficult to reach compliance and protect people’s data.
Today, companies that wish to do business in the EU and the US must comply with both the GDPR and individual state laws — but each differs slightly in terms of scope and exemptions, making it difficult for companies to reach compliance easily. For example, while the GDPR requires businesses to provide users with the option to opt in to data and cookie collection, the CCPA assumes prior consent and only requires consumers to opt out.
Due to the contrasts between regulations, companies spend large sums of money hiring lawyers to decode legal ambiguities and create plans that ensure compliance with all laws.
“The amount of legal work and amount of interpretation and legal assistance that you have to pay for in order to be compliant is daunting,” said Nicole Lapierre, an attorney specializing in data privacy and cybersecurity at the consulting firm BD Emerson.
Once companies untangle the web of complying with existing legislation, they then decide whether to give the same protections to those without legislation.
But most companies won’t protect data or provide privacy rights if they aren’t obligated to.
Many experts contacted for this article pointed to Lululemon as an example of a company that doesn’t give those living in states like Georgia, which has no comprehensive data law, the same data privacy rights as those living in California.
Looking into the future, it may be years before every American has proper data protection.
Until the federal government passes a sweeping, umbrella privacy law, or until each state has its own legislation, many Americans will continue to have little to no privacy rights or protections other than the few federal laws that protect specific types of data.
Many experts, like data privacy consultant of 20 years Carey Lening, fear that a federal law will never be enacted. And if one is, it won’t be as effective as state laws.
“Any attempted federal law will be washed down and basically meaningless,” said Lening, noting that many current state laws would have more robust regulations as they face less opposition.
But for now, Daniels urges individuals to educate themselves about what happens with their data, and to speak up when something feels wrong.
“The regular person barely knows anything about privacy laws,” said Daniels. “Consumers need to be more aware of what is happening. They need to take responsibility for themselves and advocate.”
No matter what the future holds for privacy protection, experts like Daniels push people to look at companies with a logical eye rather than assuming they will have their best interests at heart.
“Consumers need to stop taking it for granted that the company is going to take care of them, because, at the end of the day, we are a capitalistic society in the United States,” said Daniels.