The recent introduction of the American Privacy Rights Act of 2024 (APRA) by Senate Commerce Committee Chair Senator Maria Cantwell (D-Wash.) and House Energy and Commerce Committee Chair Representative Cathy McMorris Rodgers (R-Wash.) has put federal regulation of consumer data privacy in a bright spotlight. The lawmakers aim to get their bipartisan bill to the president’s desk this year, prior to McMorris Rodgers’ retirement.
Although comprehensive consumer privacy proposals have languished for years, this one raises the likelihood that Congress passes broad-based legislation. Therefore, Congress must carefully consider the possible effects on American competitive vigor and innovation.
The Current Status of Privacy Regulation
Consumer privacy protection is already found in many federal and state laws. The European Union has also enacted a major consumer data privacy law which is expected to prove influential on other countries.
On the federal level, a variety of specialized laws protect consumers from unauthorized release or misuse of private information. Major statutes include the Privacy Rights Act of 1974 (personal information held by government), the Health Insurance Portability and Accountability Act (personal data held by health care providers and insurers), the Gramm-Leach-Bliley Act (personal data held by financial institutions), and the Children’s Online Privacy Protection Act (personal information of individuals 12 and younger). Numerous agency rules have been promulgated to make these laws effective.
The Federal Trade Commission is the leading enforcer, though other federal agencies have a role. The FTC also has challenged various breaches of consumer privacy under its authority to address “unfair acts or practices” in or affecting commerce. It filed a complaint against Facebook in 2011 and secured an order barring the company from misrepresenting its privacy practices. In 2019, Facebook agreed to a second, farther-reaching order resolving claims that it violated the FTC’s first order, paying a $5 billion penalty. Facebook and the FTC are embroiled in current litigation concerning claims that Facebook has violated the second order.
Fifteen states have enacted comprehensive consumer data privacy laws in recent years. California’s Consumer Privacy Act (CCPA), the most far-reaching, gives consumers a broad set of rights to control their personal information which must be honored by businesses. Individuals are given the right to opt out of data collection, processing, and sharing.
California consumers who do so cannot be denied goods or services, charged different prices, or provided a different quality of service, unless the price or difference is “reasonably related to the value provided to the consumer by the consumer’s data.” As Mercatus Center economist Dr. Tracy Miller explains, this restriction interferes with normal efficient business practices, since “[t]o earn enough revenue to cover their costs and stay in business,” firms “may need to treat . . . consumers [who opt out] differently.”
As a practical matter, virtually all U.S. firms engaging in online commerce must take into account the CCPA’s commands, given the California market’s economic significance. Slightly different requirements imposed by other states mean additional compliance costs on businesses.
The European Union’s General Data Protection Regulation (GDPR), which took effect in 2018, requires “data controlling entities” to obtain “opt-in” consent from consumers before collecting and processing their data. Among other rights, it gives consumers a broad data access right to request and receive access to their personal data and know when it is being processed.
The GDPR directly affects the many U.S. firms that do business in Europe and is somewhat similar to California’s law. It does not, however, share the CCPA’s explicit “anti-discriminatory” protections for consumers who opt out.
The New Proposal
APRA is a far-reaching bill. It preempts comprehensive state data privacy laws, responding to a concern that federal uniformity is needed to eliminate the costly burdens of overlapping and conflicting state laws. It nevertheless does not preempt specialized state “consumer protection laws” and privacy laws directed to narrow concerns (for example, financial records, public records, and cyberstalking). There remains a risk that some such provisions may be applied by some states to data privacy, limiting the potential of APRA uniformity.
APRA requires businesses to minimize their collection, processing, and transfer of data beyond what is necessary to provide or maintain a required product or service. Consumers are given strong controls over the use and transfer of their data and the right to opt out entirely of having their data utilized. Data security requirements are imposed on businesses. Other key provisions include restrictions on data brokers and prohibitions on the discriminatory application of algorithms in violation of civil rights. As is the case with the CCPA, businesses are barred from denying or charging different rates for goods and services to individuals who invoke these new rights.
The FTC is directed to issue guidance on key areas covered by APRA. The FTC, state attorneys general, and private citizens are authorized to sue to enforce it.
The Trade-Offs
Already, concerns have been raised about the potential downsides of APRA. American Enterprise Institute technology expert Klon Kitchen cites potential harm to American innovation:
“Strict data minimization and consent requirements could limit the data available for developing new technologies and services, precisely when new AI models and other data hungry technologies are maturing. Startups and small businesses, in particular, might find compliance burdensome, potentially slowing the pace of innovation and technological advancement in the U.S.”
Senator Ted Cruz (R-Texas), ranking member of the Senate Commerce Committee, is concerned with unwarranted regulatory costs, abusive litigation, and “big tech” favoritism:
“[I] cannot support any data privacy bill that empowers trial lawyers, strengthens Big Tech by imposing crushing new regulatory costs on upstart competitors or gives unprecedented power to the FTC to become referees of internet speech and DEI compliance.”
More generally, APRA starts from the premise that federal privacy legislation is an unalloyed good with no downsides, ignoring the inevitable trade-off between the costs and benefits of any regulatory scheme. The need to consider tradeoffs is emphasized by technology scholars Matt Perault of the University of North Carolina and Dr. Andrew K. Woods of the University of Arizona:
“Of course privacy matters, but it does not obviously matter more than other important social goals like innovation, health, and safety. In that sense, privacy is just like other social values: It should be protected when the benefits of those protections outweigh their costs. The key thing is to determine which types of privacy protections and privacy reforms satisfy this criterion. Every policy proposal should therefore defend the claim: ‘This is important because it will make the world better in the following ways, and that world is better than the alternative universe where this regulation does not occur.’”
Perault and Woods urge that Congress consider pre-passage cost-benefit analysis of privacy regulation. They note that this analysis could be carried out by congressional referrals to economic expert staff, found in such bodies as the Congressional Research Service or White House Office of International and Regulatory Affairs.
Possible competitive harm (including to consumers) is one factor that merits being weighed. A 2023 study by Dr. Stanley Goldberg of Stanford University, citing his and other research, found that the GDPR gives larger firms (which can better absorb new regulatory costs) a competitive advantage over smaller firms. Goldberg concluded that:
“Privacy regulation can be costly to firms, particularly smaller ones, and may benefit incumbent firms. Regulation has been effective at reducing some tracking online, but can hurt marketing efforts, making it harder for consumers to find products they want and hurting company profits.”
A Choice-Of-Law Alternative
Thoroughly weighing APRA’s potential downsides and benefits requires time. There is, moreover, another option.
A legislative alternative that could avoid difficult cost-benefit analysis while reducing the growing burden of proliferating state privacy regulation has been advanced by scholars Geoffrey Manne of the International Center for Law and Economics and Jim Harper of the American Enterprise Institute:
“[W]e propose a federal statute requiring states to recognize contractual choice-of-law provisions, so companies and consumers can choose what state privacy law to adopt. Privacy would continue to be regulated at the state level. However, the federal government would provide for jurisdictional competition among states, and companies operating nationally could comply with the privacy laws of any one state. Unlike a single federal privacy law, this approach would provide 50 competing privacy regimes for national firms. Protecting choice of law can trigger competition and innovation in privacy practices while preserving a role for meaningful state privacy regulation.”
This novel approach has not yet been widely discussed or introduced in Congress. Critics might contend that it would incentivize states to “race to the bottom” to attract companies by offering laws that minimize privacy protection. On the other hand, politically motivated consumers concerned with privacy could be motivated to vote only for legislators who support strong privacy measures. The proposal should immediately lower business costs by lessening complicated compliance burdens and allowing states to compete to find the right solutions. This could lead to the widespread adoption over time of a generally recognized and accepted set of regulations.
The Road Forward For Privacy Regulation
APRA may enjoy considerable support and could directly benefit privacy-conscious consumers in the near term. It could also impose serious costs on American competition and innovation. In marked contrast, encouraging competition among state privacy regimes could lead to innovative privacy protections which lower business regulatory costs. As such, Congress has a lot to think about.