Jun 9, 2021 - Technology

How the U.S. got boxed in on privacy

Illustration of two hand cursor arrows pushing an American flag into a squeezed shape
Illustration: Annelise Capossela/Axios

The federal government's failure to craft a national privacy law has left it to be squeezed on the issue by the EU on one side and California on the other.

Why it matters: Companies are stuck trying to navigate the maze of EU and state laws, while legislators in Washington have no choice but to use those laws as de facto standards.

The big picture: Three years after the EU's GDPR (the General Data Protection Regulation) law went into effect and six months after California's strict privacy statute (the California Privacy Rights Act) became official, the U.S. is still nowhere close to passing nationwide privacy rules.

Yes, but: Any U.S. law would largely be shaped by rules set by the EU and California.

  • Businesses have already spent big to comply with these laws, and Congress would be hard pressed to pass rules that are a weaker than those the industry is already following.
  • "It lowers the required energy to pass a federal privacy law in the United States because global companies have already done most of the heavy lifting," Future of Privacy Forum senior counsel Stacey Gray told Axios. "But it also means there's a narrower world of what legislation could look like."

What's happening: California and Virginia have both passed consumer privacy laws, with Colorado's state legislature approving its own privacy bill Tuesday and sending it to the governor's desk.

  • California's law gives consumers the right to access, delete and opt out of the sale of data.
  • "Being able to opt out of sale is a uniquely California spin, and you can see the influence, it's now turning up in bills across the United States and may become part of a federal privacy law," Gray told Axios.
  • Virginia's law, which will go into effect in 2023, allows consumers to opt out of having their data used for targeted advertising, among other measures, but is viewed as more industry-friendly.

Meanwhile, in Congress, momentum for action on privacy has stalled, despite the pile-up of state and global regulations.

  • The pandemic and the new administration's proposals for addressing its fallout have taken priority.
  • Even within the tech policy world, other issues — including Senate Majority Leader Chuck Schumer's China competition bill, antitrust and misinformation — have drawn lawmakers' focus.
  • "The administration and some of the relevant leaders in Congress, and chairs in the relevant committees, are going to need to make it a priority for it to happen," Samir Jain, director of policy for the Center for Democracy & Technology, told Axios.

What to watch: House consumer protection subcommittee chairwoman Jan Schakowsky (D-Ill.) has said she intends to host privacy roundtables with her Republican counterpart and interested stakeholders to try to hammer out the sticking points on legislation, with a goal of passing a bill by 2022.

  • A spokesperson for ranking Republican Gus Bilirakis (R-Fla.) said the congressman is optimistic about reaching a bipartisan agreement on privacy, but "he is eager to learn more" about Democrats’ plans.

The bottom line: "We tend to, especially in D.C., expect things to either happen very quickly or never happen," Aaron Cooper, head of global policy for BSA, a software industry group, told Axios.

  • "The reality is getting these laws right for the constituency takes time, and we shouldn't be surprised if the process takes several years over the course of several congresses," he said.

Go deeper:

Go deeper