A Federal Privacy Law Must Face The Tradeoffs

The fight over federal privacy legislation is often described as a debate over consumer rights, but the real fight has always been over federalism. That tension was on display last week when the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing on the SECURE Data Act, the latest effort to establish a federal privacy bill. As Representative Frank Pallone put it in his opening statement, “A federal privacy law must exceed the strongest protections of any state and not set a weak ceiling.”

Since California passed the Consumer Privacy Act in 2018, states have rushed to enact their own privacy laws. Today, 22 different state privacy bills exist, each with their own unique requirements and structures. I don’t doubt that local policymakers are acting in good faith when they pass these privacy bills but this patchwork approach forces businesses to repeatedly adapt their compliance strategies with every new law that passes.

Even some of the bill’s critics begrudgingly admit that it “closely resembles many of the existing state comprehensive privacy laws…in terms of its structure, terminology, consumer rights, and business obligations.” It even includes a number of provisions that aren’t in state bills, such as a federal data broker registry, parental controls and sensitive-data treatment for teens aged 13 to 16, extension to common carriers, and a Code of Conduct certification modeled on the Children’s Online Privacy Protection Rule safe harbor.

Still, the basic bargain behind federal privacy legislation remains unresolved. Republicans are willing to support national privacy standards largely because those standards would preempt the growing patchwork of state laws. Democrats, by contrast, are reluctant to accept a federal compromise that may preempt bills like Illinois’s Biometric Information Privacy Act or Washington’s My Health My Data Act. To be clear, this isn’t guaranteed because the bill sets up a litigation process to settle preemption disputes.

Meanwhile, privacy advocates add another layer of opposition, arguing that even the bill’s core data minimization provisions do not go far enough to meaningfully restrict how companies collect, use, and retain personal information. Caitriona Fitzgerald of the Electronic Privacy Information Center was clear about this in her testimony: “What makes it so weak? A core weakness of the Secure Data Act is its lack of a real data minimization.”

There is a logic to data minimization. If companies only collect what is needed, then privacy risk should fall. But research has found that minimized datasets don’t actually reduce privacy risk in the way that is imagined. In the real world, datasets have correlations that make it possible to reconstruct minimized data. Collecting less data does not sever those correlations. At the same time, data minimization imposes very real costs because it means data cannot be used for new products. Indeed, the consensus in economics is that privacy laws create real compliance costs and real frictions in data use, which are not evenly distributed. The table below collects some of the best evidence on this point.

Privacy laws don’t simply raise compliance costs, they change market structures. Less data may sound like an unambiguous improvement, but data is also an input into advertising, credit, fraud prevention, product development, and competition itself. And when the law limits that input, the costs often fall hardest on smaller firms, new entrants, and consumers who benefit from data-enabled services.

Congress should be honest about the tradeoffs. Privacy rules protect consumers but end up reshaping markets, altering competition, and imposing real costs on companies and consumers. But those costs are easier to justify under a clear federal standard than under a sprawling patchwork of 50 different state regimes. A federal privacy law with meaningful preemption would not eliminate every cost of privacy regulation, but it would make those costs more predictable and more uniform.

The post A Federal Privacy Law Must Face the Tradeoffs appeared first on American Enterprise Institute - AEI.