CIPL shares the view that comprehensive federal privacy legislation is an urgent priority for the United States. The U.S. is an outlier in not having a comprehensive privacy law. The lack of such federal privacy legislation undermines Americans' trust in the digital economy and leaves them vulnerable to a range of economic, physical, reputational, psychological, and other harms. It also risks undermining U.S. leadership in the digital economy. The emergence of a patchwork of state privacy laws in the absence of a federal standard raises compliance costs, placing an especially acute burden on small businesses. It also creates barriers to innovation and digital progress as businesses face different rules for their products and services across different states, while Americans are left with inconsistent protections depending on where they live.
CIPL has published a series of papers since 2019 outlining priorities for U.S. privacy legislation. Any new federal privacy bill should have the overarching goal of fully enabling the digital economy and society while also protecting individuals' privacy and other important rights and interests. To further these dual objectives, it should include a foundation of organizational accountability for risk-based, responsible data practices; a core set of data subject rights; and a commitment to fostering interoperability with existing data protection regimes:
- Organizational accountability. Any new federal law should require organizations to adopt and implement comprehensive accountability frameworks through which they assess and mitigate risks to individuals, provide transparency on their practices to stakeholders, and monitor and verify the effectiveness of those measures.
- Risk-based approach. Organizations should be required to assess risks associated with their uses of personal data, while enabling them to calibrate measures of protection in accordance with the level of risk. Risk assessments should explicitly account for the risks of harms associated with bias and discrimination, as CIPL re-emphasized in a recent article.
- Individual empowerment without overreliance on notice and consent. As in the EU's GDPR and privacy laws in U.S. states, data subjects should enjoy a core set of rights. However, the law should seek to avoid overwhelming consumers with choices, and instead place greater responsibility on organizations to be accountable for data protection and security. It should also provide flexibility for legitimate uses of data that do not harm individuals.
- Global interoperability. Lawmakers can reduce compliance burdens on organizations and foster continued U.S. leadership in the digital economy by harmonizing new U.S. federal privacy legislation with existing laws around the world, where possible and appropriate. There will naturally be differences in terminology and approaches in light of countries' unique historical experiences and legal traditions. Drawing on multilateral principles to which the U.S. has already agreed, such as the OECD Privacy Framework and the APEC Privacy Framework, and on schemes such as the Global Cross-Border Privacy Rules (CBPR) Forum, can help.
In addition, no comprehensive federal legislation will advance unless lawmakers reach agreement—and compromise, where necessary—on challenging but important issues such as preemption and private right of action. It will also be essential that the law has clear and strong protections for minors, given the bipartisan consensus on the urgency of doing more to keep kids safe online.
The road ahead will not be easy, but the success of the last Congress's Energy and Commerce Committee in reaching agreement on a bill that enjoyed broad bipartisan support gives reason to hope that this Congress can do the same, and perhaps even move a bill that meets the needs of the modern digital economy and society across the finish line.