An Analysis of Recent Federal Data Privacy Legislation Proposals

In 2018, data privacy regulation was a topic of debate at both the state and federal levels. Legislative proposals, letters from advocacy groups, and editorials all indicate that such conversations will only continue in 2019. Many seem optimistic that, unlike previous attempts, bipartisan federal reform may be possible in a way that provides a clearer framework for data privacy and continues to allow America to take a lead on innovation. However, policymakers should be cautious not to merely react to a perceived crisis around data privacy without considering the potential consequences of a solution. Much of the debate around data privacy comes down to individual preference, and in setting requirements, certain tradeoffs to speech, innovation, and consumer choice could make the cure worse than the disease.

In May 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect. US companies spent $7.8 billion to comply with GDPR. According to a PwC survey, 88 percent of companies spent more than $1 million, and 40 percent of companies spent more than $10 million to comply with these new regulations. Far from encouraging more competition or more privacy-centric options, these regulations have seen companies exit the market and the market share of “Big Tech” companies such as Google and Facebook grow. Yet despite these consequences, many are asking if the United States should abandon its laissez-faire approach to innovation and adopt its own data privacy regulatory regime similar to GDPR.

Since late 2018, the Senate has seen three major proposals regarding data privacy introduced. This brief will look at the benefits and tradeoffs of those proposals, the current framework for federal action regarding data privacy, and the likely impact of each approach on innovation and consumer choice.

Consumer Data Protection Act

In November 2018, Senator Ron Wyden (D-OR) proposed the Consumer Data Protection Act.

The proposal would significantly expand and change the focus of the Federal Trade Commission (FTC) on data privacy and establish a new Bureau of Technology within the commission to enforce the new regulations. It calls for a dramatic increase in the regulation of data privacy and cybersecurity and for a change in the way data privacy and injury are understood, bringing that understanding closer to the one under the GDPR and marking a significant departure from the American approach. Notably, the proposal would expand the definition of substantial injury regarding data breaches to include noneconomic injury.

While harms from privacy violations can occur, as discussed in previous work from the Mercatus Center at George Mason University regarding the FTC’s approach to similar issues of informational harm, an expansive view could negatively impact free speech by silencing speakers in favor of a preference for privacy that is not universally shared. For example, a social media posting and its subsequent request for removal would require intermediaries to silence one individual in favor of the preferences of another. While there may be some situations that warrant such action—libel, personal threats, or disclosure of information that would undermine trade secrets, national security, or individual safety—an approach that always favors privacy over speech risks silencing legitimate speech. Expanding the definition of harm in such a scenario is more likely to put such rights at odds with one another. Instead, continuing the existing US approach allows common law and norms to evolve a view that more adequately balances potentially conflicting rights and preferences.

In the months since the European Union enacted the GDPR, the impact of stringent data regulations on competition and innovation has become increasingly apparent. A variety of companies, from newspapers to video games, have chosen to exit the EU market, and large companies that could afford to engage in costly compliance have grown even more dominant in the data space. Rather than encouraging smaller players to develop more privacy-sensitive options that could compete with and potentially challenge existing giants, concerns over compliance and the costs associated with it have further reduced the number of options available in the market. As a result, larger players have been able to retain or even grow their market share in the face of such regulations. Given the wide range of consumer preferences when it comes to privacy, a market with more options is more likely to allow consumers to find products tailored to their needs. Imposing similarly restrictive regulations in the United States under this proposal would likely produce the same results regarding market concentration and decreased options for consumers.

But in some ways the Wyden proposal takes things a step further than the recent European regulations by imposing harsher penalties for violations. While the maximum fines for violations mirror GDPR, one notable feature of this proposal is that it includes jail time in certain circumstances for executives whose companies violate the regulations. Such a criminal sanction does not line up with the realities of either decision-making or incentives influencing decisions around privacy.

Another key feature of this proposal is the creation of a Do Not Track registry that would essentially create a universal opt-out option for consumers modeled after the Do Not Call system. Innovative market solutions such as ad blockers and Do Not Track extensions could provide a wider variety of options for a similar purpose without the same impact as regulation, but this model would at least theoretically still function as an opt-out system rather than an opt-in. In fact, various options to avoid cookies, ads, and other methods of tracking are available to consumers who wish to use them now. However, given the severity of sanctions for violation, it is likely that most actors would err on the side of caution, resulting in a far more restrictive approach to such a registry, one that would function more like an opt-in than an opt-out system. Yet research shows that consumers are rarely more informed under opt-in regimes than under opt-out ones. What’s more, opt-in systems increase costs for companies, which bear the burden of regulatory compliance and forgo the higher revenue of opt-out regimes.

As an alternative, various working groups have come up with protocols and best practices regarding “Do Not Track.” These non-enforceable norms or standards, also called soft laws, provide an innovation-friendly approach that can better balance consumer needs and the needs of industry. For example, the World Wide Web Consortium has addressed a variety of concerns through best practices such as developing a working draft on complying with consumer notices of Do Not Track in a uniform way to respect users’ preferences. Similarly, the National Telecommunications and Information Administration (NTIA), through cooperation between government, industry leaders, and civil society advocates, developed best practices for the commercial use of facial recognition software, including addressing a number of potential data security concerns. Of course, such tools only work if industry players buy into them, if industry polices itself, or if consumers themselves keep businesses in check. While some dispute about the definition and enforcement of Do Not Track policies continues, many have already adopted such industry principles. Still, taking a soft-law or self-governing approach through working groups and the development of best practices is more likely to account for the realities of industry decisions around available technologies and to reach a consensus that reflects both consumers’ desires and these realities.

The bill does provide exceptions for nonprofits, journalists, and smaller companies. These companies are less likely to be able to afford the initial compliance burden and would be more likely to face difficult choices and potentially crushing liability. Such carve-outs also show an attempt to learn from the lessons of GDPR. Still, these carve-outs could discourage a new company from ever growing large enough to challenge existing market incumbents, since at a certain point additional growth also requires a significant increase in regulatory compliance costs.

In general, the Consumer Data Protection Act would shift the United States’ approach to innovation from a laissez-faire to a precautionary regime that values a particular privacy preference above other options.

Data Care Act

In December 2018, Senator Brian Schatz (D-HI) proposed the Data Care Act. This proposal would give broad regulatory authority to the FTC, which would likely introduce significant compliance burdens on companies that would have to transfer innovative resources and energies to regulatory compliance efforts.

A key distinguishing feature of the Data Care Act is the idea of information fiduciaries. The act would establish a duty of care for consumer data for covered entities that would be similar to the heightened duties regarding personal information that currently apply to institutions such as banks and hospitals.

However, the concept of information fiduciaries is less practical than traditional fiduciary relationships, like those found with trustees or financial institutions. In a traditional fiduciary relationship, the vulnerability associated with disclosure is readily apparent. But concerning “personal” information online, there seems to be a wider variety of preferences and understandings of what information should be covered, as well as more disagreement over what information makes one vulnerable. Establishing such a requirement would force innovators to value privacy over other benefits that consumers may actually prefer. A company would be forced to devote significant resources to ensuring privacy, including potentially charging for a product rather than relying on added revenue to support it. In many cases consumers have indicated that they would be unwilling to pay for what are currently data-supported products such as social media. For more sensitive information such as Social Security numbers or financial information, consumers tend to be more willing to pay for privacy or services, and that is reflected in their selection of intermediaries and the offerings on the market.

Additionally, this act places broader regulatory authority regarding data privacy with the FTC. This would likely result in an increased regulatory burden. However, it is possible this could merely result in formalizing the existing strategies pursued through various consent decrees, providing more transparency and certainty to innovators about what constitutes a violation. Ideally, such regulations could incorporate recommended self-regulatory best practices or be developed through multistakeholder initiatives, making them more adaptive and forward-looking, rather than, like the GDPR, preventing new innovative online intermediaries from ever getting off the ground owing to burdensome regulatory requirements. Failing to clarify the appropriate bounds of such delegation would create a greater risk that the regulatory approach would be more restrictive and prescriptive than the current policy.

The Data Care Act would change the relationship between innovators, consumers, and regulators to be centered more around privacy than other goals, ultimately emulating the European approach to data privacy.

American Data Dissemination Act

The most recent proposal, from Senator Marco Rubio (R-FL), the American Data Dissemination (ADD) Act, would impose privacy regulations on private actors similar to those currently imposed on government actors and would also preempt states from imposing additional regulations. While this approach would solve some of the more disruptive problems of laws such as the California Consumer Privacy Act (CCPA), it still has several potentially concerning consequences that could limit innovation, eliminate choices consumers enjoy, and have a particularly burdensome impact on smaller players.

First, applying the current government standards to private actors does not consider the differences between such actors in the reasons for collecting data, the way the data are used, or the incentives for data security. While individuals may choose not to use a certain service because of their preferences for privacy, they typically do not have the same choice to opt out when it comes to government data collection. Likewise, government incentives regarding safeguarding data may be based less on preferences or individuals’ desire for privacy and more on preventing the potential harm to government interests, such as national security, that could come from a data breach.

Another concern is that the proposal’s broad definition of covered entities could include any service that uses the internet and collects records. As Will Rinehart points out, “There is hardly a business in America that wouldn’t be included with that kind of expansive definition.” The use of data and information is not merely limited to the internet intermediaries one typically thinks of, such as social media sites. Changes to data regulation can impact everything from brick-and-mortar businesses’ loyalty programs to newer technologies that are still developing, such as the internet of things. Data privacy legislation will have an impact on both innovation and consumer choices beyond just online behavior, and the broader the definition of covered entities, the more industries will be impacted. As a result, small businesses would likely be particularly affected by these regulatory and compliance costs, limiting new entrants seeking to provide innovative products.

By preempting state laws regarding data privacy such as the CCPA, the ADD Act would address a potentially growing problem of states attempting to impose regulatory frameworks on the internet. Given the borderless nature of data flows, such preemption will likely be essential for any federal data privacy policy. Federal preemption of state laws concerning data privacy could prevent the development of a patchwork of state laws, which would place burdens on speech and interstate commerce. Preemption would also eliminate the risk that a state-based system would further complicate compliance for online actors and other data collectors, who would have to consider numerous and possibly conflicting standards.

Continuation of the American Model

Of course, an alternative to any of the current proposals is merely to maintain the laissez-faire regulation model that has allowed the United States to be a leader in technology. Seven of the ten largest tech companies are American, while only one is European. The United States’ success as a leader in technological innovation stems largely from this liberal approach to innovation that has encouraged new ventures online with minimal government regulation, while the European precautionary and regulatory approach has largely quashed innovation. Still, with states like California now enacting their own data privacy policies, federal action may be necessary to prevent an individual state from unfairly disrupting markets and the framework initially established for the internet.

In fact, the American regulatory model is capable of fostering innovation while dealing with privacy problems as they appear. Under the current system, the FTC has dealt with data breaches and information privacy through its enforcement under unfair and deceptive practices authority. This has led it to focus on consumer harm and address issues on a case-by-case basis. As a result, companies can provide a variety of options to consumers while still allowing the FTC to address issues of companies engaging in practices that harm consumers. Facebook is likely to face record fines owing to its violations of existing consent decrees with the FTC, which would affirm the FTC’s authority to intervene in and correct such violations.

Of course, this approach is not without its own drawbacks. For example, addressing problems on a case-by-case basis does nothing to establish broadly applicable norms that new innovators can rely on when determining what actions are necessary for compliance with agency standards. The resulting treatment can seem random to the parties involved because the results of regulation are determined by various parties’ desire to avoid litigation and quickly reach an agreement owing to both legal and public factors. The regulatory interventions themselves may fail to adapt and change with evolving industry standards, forcing first-movers out of the market while similar behavior becomes, in time, generally tolerated.

In addition to the FTC, a wide variety of multistakeholder groups and industry coalitions has worked to develop best practices and other informal forms of self-regulation and soft law. But often the success of such processes depends on forming a consensus in the industry that will adopt those best practices. Embracing industry standards and focusing only on cases of demonstrable harm seems to be the most effective approach to regulation that, at once, provides protections to consumers and minimizes disincentives to innovation.

As states like California have enacted their own data privacy laws, companies could face an even more crushing regulatory landscape in the absence of federal action. Because of the borderless nature of the internet, without such laws being struck down by preemption or the courts, innovators would face a situation that requires them to either pick and choose which states to provide products in or to invest in complicated compliance with 50 or more regulatory schemes. For example, an Illinois law governing biometric information privacy prevented Illinois residents from being able to use the Google Arts & Culture Face Match. More general privacy laws could prevent new products from reaching consumers and segment usage in a way that makes it incredibly difficult for new competitors to truly challenge the existing giants who can afford to comply in all 50 states. It is also almost inevitable that such laws would come into conflict with First Amendment expression and speech rights as individuals or entities are forced to remove information.

The current approach has allowed the United States to cultivate a sunny climate for innovation that has yielded generous fruits in terms of convenience and variety in consumer products. However, with the emergence of state laws and other regulatory regimes like GDPR, the absence of federal law could allow for the springtime of American innovation to turn into winter.

Conclusion

The presumption that data privacy is broken based on individual incidents such as breaches rather than real harm to consumers or competition could lead to tradeoffs that impact innovation and remove choices that consumers actually enjoy. Many of the proposed solutions could result in valuing privacy over innovation and choice. As a result, such changes could unintentionally lock in the current options and prevent new players from arising and providing better products. Ideally, policy proposals should focus on remedying actual harms while allowing as much freedom to innovate as possible, lest America surrender its technological leadership.