Is the US privacy policy good enough?
COMMENTARY | A disjointed approach plagued by compromises is making American data privacy policy more complicated and less effective in delivering the protections people desperately want and need to see.
Despite widespread support among Americans for data privacy legislation, the country remains behind much of the world on this front after failing to get a federal data privacy bill, the American Data Privacy and Protection Act, close to the goal line in 2022. Now with ChatGPT’s runaway popularity, generative artificial intelligence-based technologies that train themselves on users’ data have put privacy top of mind for the public and government alike.
And yet the burden of passing privacy legislation has evaded Congress, with states having to shoulder the responsibility instead. That’s led to some incredible and quick progress, with eight states passing comprehensive data privacy laws in 2023 and two more—New Jersey and New Hampshire—already passing privacy laws in 2024. The total tally now sits at 15 states with comprehensive privacy laws, covering over 40% of the U.S. population.
These state laws are spreading data privacy rights, allowing individuals to access and delete their personal data from companies, for example. But the legislation is creating a complex patchwork of state privacy policies that many businesses find hard to follow, even in good faith.
After the European Union issued its own privacy regulations, the GDPR, back in 2018, the U.S. business community, including the president of the Consumer Technology Association, began to speak out on how privacy regulations would stifle innovation.
The ongoing effects of that campaign have reverberated throughout state capitols for years, with virtually every piece of legislation that has passed ending up trading away meaningful data protections to appease the business community.
New Hampshire’s privacy bill, which is awaiting the governor’s signature, had several aspects modified in legislative negotiations. One change was over the cure period, or the grace period granted to companies found to be in violation of the law even after it goes into effect, State Sen. Donna Soucy told the International Association of Privacy Professionals. She said the Senate was “fine” with a permanent cure because it “didn't want the legislation to be punitive on businesses that were trying to do the right thing.” But the House disagreed and wanted a limited cure period. “The House saw it more as businesses should know what they are doing after a year,” she said.
But cure periods are far from the only compromise states have made to pass legislation. California was the first state to pass comprehensive privacy regulation, enacting the California Consumer Privacy Act, or CCPA, in mid-2018 in an attempt to model the EU’s GDPR.
Over two and a half years later in 2021, Virginia became the second state to pass data privacy regulation, but it had to strip away vital elements of the CCPA to get the bill through. Gone were an individual’s private right of action and the inclusion of employee data, meaning people couldn’t sue companies for damages and critical employment information such as salaries, addresses and even biometric data like fingerprints did not require protection.
Virginia’s bill, the Virginia Consumer Data Protection Act, or VCDPA, then became the model for states to use. California’s regulations stand alone with their private right of action and coverage of employee data.
The fact that privacy bills are still being passed is good news. But when legislation is full of innumerable exemptions, lacks regulatory reach and resources and often fails to include basic individual rights like the right to revoke consent, the resulting impact of the regulation will be minimized. California’s CCPA remains the most progressive privacy regulation to pass in the U.S., but even state lawmakers did not think that bill went far enough, later amending it to make it stricter on businesses. Privacy laws that grant companies a large and flexible safety net give short shrift to public support for data privacy and the value of constituent data in today’s economy.
Data privacy has become a vital issue, and government needs to step up.
Good privacy legislation requires broad individual data rights that meaningfully challenge businesses with requirements like annual audits and impact assessments. This approach will bring businesses into the modern data economy as working partners rather than treating them with kid gloves.
State governments are trying their best to tackle this very real problem, but a fragmented approach plagued by compromises to ease compliance for the business community is making the American data privacy landscape more complicated and less surefire in delivering the protections people desperately want and need to see.
Of course, it will take compromises to get a federal data privacy law in place, but as states begin laying the foundation, it’s clear that a coordinated effort is needed. A common vision of how to regulate data usage online, to create shared standards for both individual data rights and business responsibilities, and to encourage interstate technological solutions and tools that enable those standards will help form a more perfect union around individual privacy and data rights protections.
Gal Ringel is CEO and Co-Founder at Mine.