Privacy Leg

5 Reasons Congress Needs to Act NOW on Federal Privacy Legislation


In a nutshell: Voters want it. The other branches of government agree we need it. The United States and the global economy are hurt without it. The United States can and should do more to set the rules of the road.

While there are many more reasons than the ones stated here, we hope that these five reasons alone will prompt Congress to act NOW to move federal privacy legislation forward.

There are at least five critical reasons why Congress needs to act NOW to pass federal privacy legislation. 

1) Polling research demonstrates that privacy – not tech regulation – is one of the top issues voters care about. 

In recent months, tech regulation – through competition and antitrust reform – have been at the forefront of Congressional hearings and the public discourse. But, the verdict is out about where voters really want to see action: polling research states that approximately 76% of Americans choose privacy and data security to be the top priority for them, compared to 16% who choose competition and antitrust issues. Other results from Morning Consult and Politico reaffirm this resounding public interest: more than half of all American voters support passage of a federal data privacy law.

As we begin making our way into the upcoming midterm election season – legislators need to make data privacy a priority to fulfill the compelling requests of voters. Let’s give voters what they want!

2) There is a united consensus across the branches of Government to move privacy forward as a priority.

In his State of the Union speech earlier in the year, President Biden called for strengthening privacy protections, signaling to Congress to act. And the FTC’s Chair Lina Khan noted in her first public address that she anticipates privacy and data security rulemaking as an opportunity to further update the FTC’s approach to data practices. This, coupled with the latest news regarding a leaked draft majority ruling by the Supreme Court on individual rights to privacy, are an important wake-up call to Congress that it must take action now. Action can have wide-ranging implications across every aspect of our lives.

The best way to get the wheels in motion is to move legislation forward and to finalize negotiations on what standard makes sense for the United States.

3)  The cost of inaction is devastating for the U.S. economy.  

At least 34 states have passed or introduced privacy bills focused on commercial collection and use of personal data. Five state consumer privacy laws – in California, Virginia, Colorado, Utah, and Connecticut – are on the books and are in the process of being implemented. Some would say keeping up with the plethora of state consumer privacy laws may be harder than keeping up with the Kardashians!

ITIF analyzed the impact of the state privacy patchwork on businesses, particularly those that serve customers across state lines. It notes that businesses that serve customers across state lines are subject to not just one, but a combination of state privacy laws, which creates a multiplier effect and has led to expensive and redundant compliance efforts. The costs are not negligible: it is estimated that state privacy laws could lead to somewhere between $98 billion and $112 billion annually, which over a 10-year period would lead to an excess of $1 trillion in out-of-state costs for businesses. The failure of Congress to act is a drain on U.S. businesses, crippling the U.S. economy, and disproportionately harms small businesses and new market entrants.

Further, ITIF states that small businesses could face $20–23 billion in out-of-state compliance costs annually. These businesses are the backbone of the U.S. economy. Harvard Business Review documents that they account for 48% of all U.S. jobs and contribute to 43% of the U.S. GDP. We need to keep them afloat and thriving. 

Passing a uniform privacy standard that levels the playing field and includes appropriate exemptions is a necessary first step to supporting our local mom and pops.

4) Privacy plays an important role in helping the United States keep its foothold in the geopolitical economy.

In 2018, the European Union set a critical precedent – some would say a dangerous one – on what privacy regulation should look like for its member states by passing the GDPR. Since then, many countries have followed in the EU’s footsteps and finalized privacy laws, leaving the United States behind. More recently, the EU, United States, and many other countries are also working through new bilateral and multilateral data privacy agreements and cooperation. Without a privacy law in place in the United States, some would argue that it creates an unlevel playing field to reach decisions about adequacy and being a “fair” trade and tech economic partner. 

Following GDPR and in the absence of any U.S. action, the EU, India and close to 50 other countries are shaping efforts grounded in data localization, a climate that is unworkable from a trade perspective. Countries may view data localization as a means to furthering their own economic interests and to keeping stronger control and oversight over data privacy and security practices within their borders. Such values run counter to the pro-democratic nature of U.S. technology, innovation, and competition policies.

We live in a borderless, digital economy, where governments cannot and should not be permitted to store and process copies of proprietary data on their turf – it goes against the fundamental spirit of innovation, productive research and creative authorship and it harbors serious national security concerns. Discussion about furthering the principles of a free-flowing internet has been made by G7 leaders, the World Trade Organization and the Organization for Economic Cooperation and Development.

By passing a privacy law, the United States can take part in shaping a pro-innovation, pro-democratic privacy landscape to counter this digital authoritarianism movement that imposes serious obstacles to trade

5) The United States can demonstrate leadership through its own unique model for privacy, using a pro-innovation lens, as well as factoring in our federal constitutional rights and history. 

The United States is aware of the shortcomings of GDPR and must avoid passing a law that would repeat mistakes made by countries complying with the GDPR. We can learn from the GDPR experiment – but cannot and should not – model it exactly. There are a handful of compelling reasons why.

It is clearly evidenced that, regardless of the privacy benefits, GDPR has deterred innovation. First, the GDPR does not include exemptions for SMEs, which as noted earlier, would be problematic for these players who are the backbone of the U.S. economy. Second, the National Bureau of Economic Research (NBER) just came out with research about the impact of GDPR, including implications for both the supply and demand side of the equation. After reviewing 4.1 million apps at the Google Play Store from 2016 to 2019, NBER notes that GDPR has induced the exit of about a third of available apps; and, since GDPR implementation, has led to half the number of new market entrants in the app marketplace. On the demand side, GDPR reduces consumer surplus and aggregate app usage by about one third. And, the research suggests that GDPR has generated significant consent fatigue, making it a less commendable model from a consumer and business usability standpoint.

In addition to this, as it develops a federal privacy law, the United States would need to take U.S. First Amendment rights, including free speech and individual rights, into consideration (which, of course, is not woven into the EU GDPR). SIIA has played a pivotal role in shaping the development of state consumer privacy laws to ensure that they include these considerations and would pass constitutional muster. 

We can benefit from the excellent lessons learned from the GDPR. It should prompt us to tailor a U.S. law to help, rather than hinder, the political economy. It should also prompt us to focus on carefully factoring in the individual rights we are granted by the U.S. Constitution.


Event Recap: SIIA Presents at Privacy-enhancing Tech Summit on May 18

Lisa Bader, Vice President of Communications for PET company Enveil (left), and Paul Lekas, SIIA Head of Policy, (right) engaged in a fireside chat on the regulatory landscape of privacy-enhancing technologies (PETs).



On May 18, SIIA participated at the Privacy-enhancing Technology (PET) Summit, hosted by Kisaco Research. The summit included a range of public and private sector participants: governmental entities, private companies offering PETs, academics and PET researchers, and SIIA – one of the few trade associations who is actively advocating on expanding PETs. Private companies in attendance varied in size, scope and sector, demonstrating that PETs and privacy-preserving techniques, as well as AI and machine learning, are being used in a number of productive ways to expand the scale of usable data in the digital ecosystem. 

What are PETs? PETs are techniques grounded in advanced statistics and cryptography, that remove identifiable personal information from datasets so that they can be used both scalably and responsibly. By allowing the secure, real-time, and global sharing of data, PETs enable organizations to protect personal privacy while at the same time using data to make faster, better-informed decisions. Common examples of PETs include: homomorphic encryption, anonymisation, and differential privacy, which provides additional protection by never revealing personal data in plain text. 

PETs are being leveraged in various ways by the public and private sector. Just to share a few specific examples, the White House announced the use of PETs to improve supply-chain related challenges earlier this year and the U.S. Dept of Commerce published its 2022-23 priorities, including Strategic Goal #4, which is to expand opportunity and discovery through data. The private sector has been incorporating PETs into its strategy as well. Banks are using PETs to tackle money laundering and financial crime. In health care, PETs are advancing clinical trials that were once improbable and are being used to research and diagnose rare health diseases.

As was noted during the summit, due to a lack of general consensus and unified momentum, PETs continue to be underutilized as a solution to a myriad of privacy-related problems associated with data analysis and data transfers. 

Key takeaways from the session included:

  • Governmental entities, such as U.S. National Institute of Standards and Technology, which is conducting research and shaping guidelines for the use of PETs, as well as entities such as the UK ICO’s office, which is shaping guidance on PETs, discussed efforts underway in government and internationally to further fundamental research and applications of PETs, including pilot projects and the new U.S.-UK challenge..
  • SIIA’s head of policy, Paul Lekas, spoke in a keynote with leading PET company, Enveil. Lekas described the state of policy and regulation around PETs and opportunities for industry to educate lawmakers and policymakers. He shared the steps that can be taken to shape policy to encourage PET adoption. He explained how, as the phrase goes, a “rising tide will lift all boats”: companies in the PET space can work together to promote the use of these technologies for socially-beneficial purposes. He also spoke to the valuable impact that a trade association can play in bridging the gap between policymakers and private companies. SIIA is actively advocating to move the role of PETs forward and has been meeting with policymakers at every level of government to emphasize the socially beneficial uses of data and PETs in supporting stronger cross-governmental collaboration as well as U.S. competitiveness and innovation.  
  • Private companies and researchers presented examples of the unique use cases of PETs, including an emphasis in highly regulated markets that process sensitive data, like the financial services and healthcare sectors. But there are more use cases outside of these sectors, including in retail and cross-contextual advertising. Some machine learning and AI companies demonstrated in-house templates that are laying the groundwork to expand interoperable PETs usage beyond sector-specific uses. 
  • Venture capitalists commented on their vision and rationale for investing in PETs. There is optimism that PETs will be a fundamental driving force in the data economy. They noted the importance of further research on the ROI of PETs, in order to estimate the market need and drive further adoption and scale. 

Some brief takeaways from the event include:

  • The appropriate choice of PETs can differ considerably by use case, as demonstrated by evidence-based research.Therefore, no one PET is seen as paramount. While this means that the PETs community should be working to get the word out, the lack of standardization makes it difficult to unify the various approaches to PETs.
  • There is a need for further standardization and common definitions across the industry. Companies are using a range of AI and machine learning to build PETs into their infrastructure and no one PET has been evidenced to have more overarching potential than others.
  • Governments are in the very early stages of exploring how PETs can further the objectives of financial, health care, and other objectives. There is more that the U.S. government can do to model financial and regulatory incentives that are working in other countries, including the UK and Singapore, to expand mainstream PETs usage. 
  • More advocacy is needed. More can and should be done to unite the PETs companies in their shared goals to support a data-driven economy. SIIA is helping with advocacy and lobbying to take the heavy lifting off of small companies whose voice should be elevated with members of Congress and governmental stakeholders.
  • The future for the use of PETs is bright. Venture capitalists see tremendous potential for the industry, though they believe it remains in its infancy at the moment. It will require more alignment between private and public sector entities and will benefit from incentive-driven opportunities to encourage new market entrants.

Data use, capture, and processing is driving nearly every facet of our lives. By furthering a holistic strategy for PETs that incorporates all of the appropriate stakeholders in the data value chain, we can truly unlock its full potential.