Patchwork privacy: how effective have US state data laws been?

With the absence of a comprehensive federal privacy law in the United States, states have taken the lead in enacting laws designed to protect their citizens' digital footprints. 

The question remains: have these laws been effective? 

According to the 2024 "The State of Privacy" report by the Electronic Privacy Information Center (EPIC) and the US PIRG Education Fund, the tangible impact of these laws may not be as expected. 

The report offers a glimpse into the patchwork of data privacy laws across 14 states, including key players like California, Virginia, and Texas, and underlines a pressing concern: the substantial sway of Big Tech in sculpting these laws, often at the expense of consumer rights. In fact, several state laws have been diluted due to intense lobbying efforts by these corporations. While it is important to recognize the perspectives and technological insights of Big Tech, there needs to also be a balance.


The varied landscape of US privacy laws and the challenges of enforcement

The definition of "sensitive data” and data collection practices are evolving across all industries; however, there are clear gaps in consumer protection across state privacy laws. 

While many existing laws do call for principles like data minimization and stricter controls over sensitive information, the report notes that the wording in legislation sometimes shifts the burden to the consumer to actively manage their privacy. 

This gives companies more leeway to decide how much data they can collect. 

For example, the Virginia data law allows companies to collect as much data as they wish, provided it is disclosed in a privacy policy. The report notes that the data collected is often more than consumers would expect or want, and as the law includes no private right of action, consumers are unable to challenge these practices in court. This law is also cited as a notably lenient data protection legislation that other states may follow. 

The potential weakening of some of these state laws highlights a pressing need for effective legislation that genuinely safeguards consumer data. 


The real-world effects of state data laws on businesses and consumers

Data law compliance requires not just a financial investment but a comprehensive overhaul of operational practices - which can present a significant challenge for businesses, particularly SMEs. 

For small businesses alone, compliance costs amount to approximately $50 billion per year.

The Information Technology and Innovation Foundation (ITIF) estimates that complying with disparate state laws costs businesses a staggering $239 billion annually.  

This is an extensive economic burden, particularly on out-of-state businesses, which face up to $112 billion in annual costs due to multiple, overlapping regulations.

For example, California’s privacy law alone can impose about $78 billion in costs annually, with small businesses both in and out of state shouldering massive costs.

The national economic impact over ten years could exceed $1 trillion, with SMEs taking the worst of the blow. 

In contrast, a cohesive federal privacy law could reduce these costs dramatically to around $6 billion annually.

On the consumer side, the lack of consistent legislation can mean higher consumer prices, as businesses try to offset their compliance expenses. Additionally, the variability in privacy laws across states creates a confusing environment for consumers, where rights vary significantly by location. Ultimately, this means unequal protection under the law.  


Despite these challenges, the effectiveness of any privacy law depends on consumer awareness and engagement. Essentially, many individuals remain unaware of their rights, and businesses need to take the lead in educating their customers. Transparent business data policies that are easy to comprehend can help consumers both understand and assert their privacy rights - all of which will improve the impact of these laws on data protection. 


The future of US data privacy laws

So far in 2024, laws in Montana, Oregon and Texas have come into effect. These laws vary in scope and enforceability, with Oregon more closely aligning with California’s stronger framework, while the Texas and Montana laws are more lenient. 

Additionally, states like Illinois, Massachusetts, Maine, and Maryland are considering legislation to curtail poor data collection practices and commercial surveillance. 

California, Texas, Oregon, Delaware, and New Jersey are also expanding the definition of sensitive data to encompass a broader range of information. 

Proactive federal enforcement has been key in maintaining strong data protection rights. 

Despite the lack of a unified federal privacy law, the Federal Trade Commission (FTC) has been proactive in enforcing sector-specific federal privacy regulations, such as HIPAA and COPPA. 

For example, the FTC restricted data broker X-Mode Social from selling sensitive location data that could track individuals to locations like medical clinics and religious centers, in violation of the FTC Act's ban on unfair and deceptive practices. 

There is also an increased focus on AI -, President Biden's executive order on safety and regulation shows how the US is actively attempting to safeguard privacy in the context of AI, and lays the groundwork for concrete legislation.  


The evolution of data privacy laws in the US has profound implications for businesses, especially in how they navigate the complexities introduced by varying state regulations. A federal privacy law offers a promising solution by proposing a unified framework to replace the patchwork of state laws. It would significantly reduce compliance costs and operational hurdles for US businesses, and foster a more predictable and consistent business environment across all states. 


To learn more about the US data protection landscape, visit our policy page.

Previous
Previous

The Nebraska Data Privacy Act (NDPA): prepare your business for 2025

Next
Next

A new federal law on the horizon? A deep dive into the American Privacy Rights Act (APRA)