Saturday, January 28 is Data Privacy Day.

These days, Data Privacy Day can feel more like (the classic film) Groundhog Day with each passing year seeing more of the same doubling down on problematic policy trends. The state patchwork of data privacy laws continues to grow, a more regulatory European approach impacts companies and consumers well beyond its borders, and Congress tries but fails to advance a federal framework despite bipartisan support. The policy debate over data privacy may be less prominent in headlines than other tech policy topics, but it remains critically important to both innovators and consumers.

Europe: The Continued Impact of GDPR and the Future of Cross Border Data Flows

In May 2023, the General Data Protection Regulation (GDPR) will have been effective for five years. The average user has encountered GDPR through the increase in cookie pop-ups or the unavailability of certain websites or features when they find themselves in Europe. Companies that do business online in Europe, from social media to retail to schools and universities, have spent millions of dollars and countless hours focused on ensuring compliance.

This focus on compliance comes with a cost, and users might not even know what they are missing. For example, in 2022, a study found nearly one-third fewer apps had entered the app store market in Europe than would have been expected, with at least some of this tied to compliance concerns with European tech regulations including GDPR. While some may argue that the apps added are more privacy sensitive, what can only be truly stated is that they are more compliant with regulators' idea of privacy. In some cases, this may mean that they still bring with them risks that regulators did not anticipate. Others may not have been able to pursue different, innovative solutions if they could not be deemed compliant with certain regulatory requirements.

The most recent headlines indicate Europe continues to challenge the existing data- and ad-focused business model that provides consumers many zero-cost or low-cost options. Notably, already this year, Meta is facing over $410 million in fines from European data protection authorities related to behavioral advertising practices. Yet this European approach often fails to weigh the potential benefits of such business models to both consumers and advertisers and what an alternative business model might look like. If Europe succeeds, we might return to the more analog era of one-size-fits-all online experiences that are less relevant to an individual user’s preferences or desires. For those who do prefer a less data-driven customized experience, such options are typically only a few clicks away or available in other comparable services.

The State of the States: A Growing Patchwork

Since California became the first state to enact its own data privacy legislation in 2018, a growing number of states have introduced and even passed their own legislation. With the first effective dates beginning in 2023, this may be the first year consumers and innovators truly experience the potential consequences of a data privacy patchwork.

As of January 2023, five states (California, Colorado, Connecticut, Utah, and Virginia) have passed comprehensive consumer data privacy laws. All five of these state laws will have at least some, if not all, parts become effective this year. In many cases, it remains unclear for both consumers and impacted businesses how they will be implemented and what precisely compliance should look like. For example, the rulemaking processes for California and Colorado are still ongoing. In many cases, these laws may impact companies outside of a state’s borders as well.

Unlike a nice patchwork quilt, this one will inevitably create a mess as any number of requirements layer on top of one another creating confusion for consumers. Because these laws have different models, businesses may not merely be able to comply with the most restrictive one. Instead, they will likely incur additional costs and require additional time for each law rather than developing the best privacy and security options for their product’s intended audience more generally.

For the average user, this may mean a lot of those “our terms of service have been updated” emails in 2023 as companies tweak their privacy policies to ensure compliance. But those emails could eventually mean not all online services are available in all states as innovators may pick and choose whether compliance costs are worth it or deal with conflicting state laws. This particular problem seems only to grow: already in January 2023, ten states proposed new consumer data privacy legislation.

Federal Data Privacy Debate: Recent Congressional and Agency Actions

With the impact of a state patchwork becoming less theoretical and instead a reality, the time is right for a federal data privacy framework. Such a framework should come from Congress and clarify consumers’ rights and choices, provide a uniform standard, and protect beneficial and innovative uses of data by focusing on harms rather than the use of data more generally. Additionally, a federal framework must also clarify any kind of regulatory authority delegated to agencies and provide specific direction for agency rulemaking in this matter.

In 2022, there was some progress toward these goals as the American Data Privacy and Protection Act (ADPPA) advanced out of committee in the House of Representatives. While this proposal was far from perfect, it is notably the most progress of a bipartisan federal data privacy bill to date. Hopefully, a new Congress will continue to focus on this important issue and improve on these past attempts. For example, the ADPPA provided separate steps around cybersecurity issues and recognized the different resource levels of impacted businesses, but it would have failed to fully overcome the emerging state patchwork.

Just like the states, some agencies aren’t waiting for Congress to act. In 2022, the FTC began a rulemaking process on “Commercial Surveillance and Data Security” with a broad-reaching request for comments on more than 90 questions related to an advance notice of proposed rulemaking. Concerningly, the agency’s questions suggest that it intends to take a heavily regulatory approach that could make everyday uses of data difficult along with penalizing bad actors.

In some ways, 2023 may seem poised to be a repeat of previous years of data privacy policy debates, but there are also key changes that could occur and should require Congressional attention. Without such action, consumers and businesses may instead be dealing with a messy set of regulations. Hopefully by next Data Privacy Day, there will be less of a problematic patchwork and more progress towards a federal solution with a balanced approach to the tradeoffs and preferences around data privacy. But if not, we can all use Data Privacy Day as a reminder to check our privacy settings on our favorite websites.