Bridging the Privacy Gap: Recommendations for a Comprehensive Federal Data Protection Law

This opinion piece is part of Access Partnership’s ‘A Digital Manifesto’ initiative, which recommends a framework to develop US global leadership on digital policy for the first 100 days of the Trump administration.

The Growing Need for a Unified Federal Privacy Framework in America

As the global tech policy landscape continues to rapidly evolve in the face of emerging innovations in artificial intelligence (AI), quantum and cloud computing, robotics, and more, the lack of a unifying federal data privacy framework sets the US further and further behind the rest of the world. Since the enactment of the EU’s General Data Protection Regulation (GDPR) in 2018, which established a comprehensive set of privacy rights for consumers and obligations for businesses, Congress has repeatedly attempted to pass federal privacy legislation – only for it to stall each session. All the while, the share of Americans accessing the Internet has increased from 87% in 2018 to 97% by 2024.

Without clear rules of the road governing how consumers’ data may be collected, processed, and stored by online platforms, twenty states have sought to fill this void by adopting their own comprehensive privacy laws. One of the earliest state laws to adopt a GDPR-style privacy framework, the California Consumer Privacy Act (CCPA), continues to maintain some of the most stringent privacy requirements in the US. The resulting patchwork of protections has produced wildly disparate requirements that fail to protect consumers and are a compliance nightmare for the vast majority of tech businesses providing services in more than one state.

The Stalemate Over Federal Privacy Legislation

Over the past seven years, various proposed federal privacy laws have run aground on a handful of persistent obstacles. From the beginning, one such issue has been the question of federal pre-emption of state-level privacy laws. One of the primary objectives lawmakers seek to achieve through federal privacy legislation is a uniform framework applicable across all 50 states. However, most proposed privacy laws have fallen below the thresholds set out in the CCPA, leaving prominent California lawmakers reluctant to support any federal legislation that would override its requirements. This friction has only increased over time as more states have adopted their own privacy laws, all while California raised its bar even higher following the enactment of the California Privacy Rights Act (CPRA) in 2023.

Two significant attempts to pass federal privacy legislation – the 2022 American Data Privacy and Protection Act (ADPPA) and the 2024 American Privacy Rights Act (APRA) – were both introduced with bipartisan support but ultimately failed to gain traction. In addition to the issue of federal pre-emption, both bills faced pushback over issues such as the inclusion of a private right of action, authorisations for the Federal Trade Commission to create a centralised and broad opt-out mechanism for consumers, and data minimisation requirements restricting companies from collecting any more data than is necessary to fulfil specific tasks.

The drawn-out debate over federal privacy law has also given way to complications stemming from emerging technological developments. In the APRA’s case, the bill was scuppered after major privacy and consumer advocacy groups pulled their support owing to the removal of provisions aiming to protect vulnerable groups from algorithmic discrimination caused by AI. Consumer protections from the negative consequences of automated decision-making in data privacy are not new; the GDPR, for example, grants consumers the right not to be subject to automated decision-making without any action taken on their part. As data-intensive technologies become more complex, the necessary policy responses do as well.

Policy Recommendations for the 119th Congress

Shortly after the 119th Congress came into session, House Energy and Commerce Committee Chair Brett Guthrie (R-KY-2) assembled a nine-member Republican working group to devise a new draft federal privacy bill, and opened up the process to public stakeholders through a Request for Information (RFI). With a legislative trifecta (House, Senate, and White House), Republicans will have the strongest chance at getting federal privacy legislation adopted. Done correctly, this latest iteration could finally establish much-needed data protections for all Americans without stifling innovation:

  • Consumer Privacy Rights: Enshrining uniform consumer data rights across the US is a critical component of any federal privacy law. At a minimum, legislation should guarantee consumers the right to be informed when and what kinds of data companies are collecting and processing, the right to access said data about themselves, the right to correct and/or delete their data, and the right to opt out of having their data collected or processed. Additional rights already provided for by other privacy laws – such as rights to data portability, limitations on the use and disclosure of sensitive categories of personal information, and protection from automated decision-making – should also be considered.
  • Clear Definitions for Different Categories of Data: A federal privacy framework needs to account for a broad range of actors, sectors, and use-cases in order to be truly effective. At the same time, not all data should be treated the same. Legislation should clearly differentiate the scope of requirements for non-personal, personal, and sensitive personal data categories. Particularly for categories of sensitive personal data, the defined scope should be as specific as possible without compromising the law’s effectiveness. For example, “precise geolocation data” should specify a radius of no more than 1,750 feet from the data subject, reflecting the broad consensus of prevailing state-level legislation. Lastly, the scope of sensitive personal data must include specific definitions for genetic and biometric data to ensure the collection, processing, storage, and destruction of such data is properly governed.
  • Data Minimisation: Personal information collected and processed by commercial entities should be limited to a relevant, proportionate, and specific purpose. Personal data is often an essential resource for companies to not only offer services to consumers, but to refine and improve their offerings as well. At the same time, guardrails are necessary to set limits on how this data is collected and used to prevent misuse. Striking a balance between these considerations is like threading a needle, but it is necessary to keep both sides of the equation in mind when designing policy.
  • Provisions on Automated Decision-Making: Passing federal privacy legislation is a crucial first step towards developing an effective legal framework for artificial intelligence. That said, Congress can and should be forward-looking on the path towards creating a nationwide, comprehensive AI law by laying the groundwork in its privacy bill. While most AI-specific policy areas should be governed through separate pieces of legislation, a federal privacy law should give data subjects the ability to know if certain categories of their personal information will be used to make consequential automated decisions about them. It should also provide data subjects with the right to opt out of that automated decision-making. Whether Congress includes these rights or any other AI policies in its federal privacy law, those measures should be written in a way that anticipates, and is interoperable with, subsequent legislation focused specifically on AI governance.
  • Data Breach and Notification: Congress should fundamentally rethink how data breaches are handled in the US. Rather than focusing exclusively on data breach notification procedures and penalties, a comprehensive federal privacy law should encourage the adoption of robust security standards and provide meaningful enforcement of necessary safeguards through periodic audits – not just after a breach has already occurred. Definitions of harms to consumers should also delineate immediate and long-term impacts of a breach with consideration to the types of data that are compromised. This approach would promote greater accountability and improve security for consumers overall.

Shaping the Future of Data Privacy

As the US grapples with the complexities of federal privacy legislation, it is clear that a unified approach is necessary to protect consumers and provide regulatory clarity for businesses. With rapid advancements in data-driven technologies, policymakers must prioritise a framework that balances innovation with robust consumer protections. Now more than ever, collaboration between the public and private sectors is key to shaping effective and forward-looking privacy regulations.

At Access Partnership, we are experts in policy – whether supporting governments and public sector bodies in drafting legislation and building regulatory frameworks or helping businesses navigate compliance across multiple markets and jurisdictions. To learn more about how we can support your policy needs, please contact Jacob Hafey at [email protected].
