Data Privacy Needs an Update

Someone has your data. Apple, Garmin, Amazon, that clothing website you visited once, or even unknown third-party actors have information about you that you probably wouldn’t just hand out to anyone. As your data gets passed around all corners of the internet, most of it is unregulated; while the U.S. is a leader in technological innovation, the same cannot be said about the country’s data privacy laws. There is no overarching federal law or regulation protecting consumer data, and companies have fairly free rein in how they use, analyze, sell, or distribute consumer information. This leads to legal gaps recently highlighted by events such as the bankruptcy of 23andMe, which opened the question of the fate of user data in the face of leadership or financial changes. Furthermore, discussions about TikTok and its collection of sensitive consumer information have raised alarms regarding the protection of U.S. consumer information. Simply put, the current aging patchwork system of data protection in the U.S. won’t do in the face of an increasingly technological world; it’s time for Congress to pass a comprehensive law concerning the security of consumer data.

Privacy and security have been a part of the U.S. legal landscape longer than the country has been around. In colonial America, eavesdropping was a crime akin to physical invasion, and a man’s house was regarded as a sacred and secure place for information sharing. The Constitution enshrined this right to privacy in the Fourth Amendment, which guarantees the right of citizens to “be secure in their persons, houses, papers, and effects.” Today, however, data is often stored and shared digitally, the internet facilitating the distribution of information on a scale never before imagined in human history. Although technology keeps changing the way we consume, use, and share data, the law has remained fairly stagnant and disjointed. 

Modern consumer protection laws are remnants of a time before the contemporary web, breaking data into various categories but lacking comprehensive guidelines for information protection. The current landscape is composed of an alphabet soup of laws, including HIPAA, which protects consumer health information, COPPA, which limits the data companies can collect about children, and GLBA, which requires financial institutions to be transparent regarding their data collection policies. There is no federal legislation, however, that regulates the vast wealth of data collected by social media companies and search engines, leaving a wide swath of internet information sharing unchecked.

The lax oversight of data privacy in the U.S. is not without consequence. Inefficient data privacy practices can leave personal information unprotected, making consumers susceptible to hacks and breaches. In 2024, over 3,000 data breaches occurred, with the personal data of over 1.7 billion victims being compromised. The threat from such attacks is far from abstract; name, birthdate, and address data can be used in identity theft and phishing scams, which took over $12.5 billion from the pockets of U.S. victims last year. Health data is also a concern when it comes to privacy. A 2023 breach of 23andMe compromised the data of nearly 7 million customers, leaving them vulnerable to misuses of their information such as extortion or impersonation of medical professionals. Aside from the security implications of poor data privacy, there are also impacts on the consumer psyche. Over 70% of Americans are distrustful of how social media companies handle their data, and 81% of Americans believe that the potential risks of data collection far outweigh the benefits. With no legal incentive, clarification, or requirement to safely store consumer information, companies are unlikely to soothe the concerns of the American public and effectively protect user data. With this in mind, it is crucial that the government steps in. 

Luckily, there are a few examples to look towards for answers to questions about regulating data privacy. One such guide can be found in the European Union. The EU passed GDPR, the General Data Protection Regulation, a sweeping privacy and security law that holds companies accountable for seven protection principles, including storage and purpose limitation, as well as data minimization to ensure only necessary consumer data is collected. The law includes other stipulations such as the requirement for consumer consent to data collection and comes armed with the threat of harsh fines of up to four percent of global turnover for those found to be in violation. Some U.S. states have followed the EU’s example and created data privacy laws as well, although the strength of these laws varies widely. 

In California, for instance, the California Consumer Privacy Act, considered one of the strongest data privacy protection laws in the U.S., gives residents the right to opt out of the sharing of certain information, delete collected personal data, and know how and why personal information is collected. Conversely, Iowa, which passed the Iowa Consumer Data Protection Act in 2023, has a weaker, more company-friendly data privacy law, not allowing consumers to correct information about their data or opt out of certain data processing used for profiling and targeted ads. The inconsistency of state laws regarding data privacy, in contrast to the EU’s comprehensive legislation, creates a confusing landscape for liability and requirements, making it difficult for consumers to be kept safe and companies to be held responsible. 

Fortunately, the U.S. already has a framework for a data privacy law: the American Privacy Rights Act of 2024. The bipartisan, bicameral bill, which has been introduced by Republican Representative Cathy McMorris Rodgers and Democratic Senator Maria Cantwell, gives consumers the right to opt out of data transfers and targeted advertising, as well as correct, delete, and access their data. The bill, however, was pulled from key hearings in June 2024, effectively stalling the measure indefinitely due to fears that it preempted existing state laws, particularly California’s stringent privacy legislation. This kind of political infighting is of no use when technology keeps advancing farther and farther past our outdated legislation. Although it is far easier said than done, the U.S. ought to go the route of the EU and create a comprehensive data privacy law to protect all people, not just those fortunate enough to live in concerned states.