What Would Federal Comprehensive Data Privacy Legislation look like?

Plainly put, the attitude concerning federal data privacy law in 2022 is grey, even with support from Congress.

Rather than a comprehensive legal protection for personal data, the United States has only a patchwork of sector-specific laws that fail to adequately protect data. Congress should create a single legislative data-protection mandate to protect individuals’ privacy.

There are three main issues that perpetuate the lack of movement towards federal data privacy law:

  1. Firstly, the relationship between integrating federal data privacy law and emerging state laws would require a lot of deliberation. In order for comprehensive federal data privacy law to progress, legislators would need to provide a framework outlining to what degree federal law should preempt state law. States like California, Virginia and Colorado have already implemented privacy laws, with many others considering moving forward with their own versions.
  2. Secondly, adopting a federal data privacy law would involve questions of enforcement: how enforcement would take place, which regulator would enforce the data privacy law, and how it would integrate with the current state privacy laws.
  3. Following on from this, the third question would be what role the Federal Trade Commission (FTC) should and would play in enforcing federal legislation.

The FTC is the federal government’s enforcement arm for antitrust law, as well as consumer protection. It is thought by certain legislators that the FTC has too much power, and this could interfere with implementation of federal privacy law.

Looking forward, a federal privacy law would set parameters on the use of personal data collected by social media platforms and e-commerce firms. In the last decade, several iterations of federal data privacy legislation have been proposed, but inaction from Congress has forced a shift in focus to enforcing regulation on big tech firms through the application of antitrust laws.

As a result of the inaction of Congress, states have been adopting privacy laws, the most recent being the Utah Privacy law, which is already presenting problems of implementation in several businesses.

According to Sen. Marsha Blackburn, states have been “reactive to the need for more privacy oversight,” but without federal intervention the United States will end up with a patchwork of state regulations.

What Could Federal Privacy Law Look like in the US

Whereas the US has sectoral privacy legislation in a number of areas such as finance, healthcare and children’s privacy, the European comprehensive privacy law, the General Data Protection Regulation (GDPR), requires companies to comply with certain data protections relating to sharing, collecting and processing data; this gives individuals rights to access, delete, or control the use of their personal data. The United States, in contrast, doesn’t have an omnibus law that covers the privacy of all groups of personal data. Instead, its sectoral approach relies on distinct laws with acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA, designed to target specific groups and industries that collect specific types of data in explicit circumstances.

Three well-known industry-specific privacy laws are:

  • The Health Insurance Portability and Accountability Act (HIPAA) has little to do with privacy and covers communication between you and “covered entities,” which include doctors, hospitals, pharmacies, insurers, and other similar businesses. People misconstrue the purpose of HIPAA and its parameters; they believe it covers all health data, but it doesn’t. For example, health data collected on a device like Fitbit isn’t protected.
  • The Fair Credit Reporting Act (FCRA) covers information relating to credit. It limits who is allowed to see a data subject’s credit report, what data the credit bureaus can collect, and how the information is obtained.
  • The Gramm-Leach-Bliley Act (GLBA) requires consumer financial products, such as loan services or investment-advice services, to explain how they share data, as well as the data subject’s right to opt out. One criticism of this law is that it doesn’t restrict how companies use the data they collect, as long as they disclose their usage beforehand.

With the wide range of sectoral laws, it’s easy to see how data subjects get confused about what rights they have. 

Recommendations for moving forward

To avoid the continued patchwork of state laws and the sectoral, industry-specific laws that have pervaded the data privacy sphere, a federal data privacy law would need to preempt state law, with some carveouts where states could continue to have some authority.

Federal data privacy law would need a specific definition of what entities and personal data elements it covers, as well as enforcement mechanisms such as private right of action, and data subject rights.

A private right of action should balance avoiding frivolous lawsuits with protecting consumer personal data and providing a variety of remedies, similar to its European sibling, such as injunctive relief instead of a monetary award.

Primary enforcement of the federal data privacy law is still a topic to be discussed in the future. Though the FTC’s rulemaking authority is currently under question, it definitely has potential to successfully enforce a comprehensive privacy law.
