Dark Reading is part of the Informa Tech Division of Informa PLC


01:00 PM
Rob Shavell

What a Federal Data Privacy Law Would Mean for Consumers

With an array of serious proposals from both sides of the political divide, it looks as though the US may finally have a national privacy law.

For better or worse, the United States is an outlier across many global metrics, and its approach to consumer privacy is no exception. While most nations are in the process of enacting or strengthening federal privacy laws, the United States is set to become one of the few major global economies without federal online privacy protection. For consumers whose personal information is frequently and blatantly abused, this situation needs to change.

Fortunately, in 2021, we are likely to see the first significant push toward a true federal data privacy law in our nation's history. While the adoption of the GDPR in the European Union, the world's largest trading bloc, in 2016 may have made a US equivalent historically inevitable, this push is also driven by tailwinds coming from the state level.

Over the past year, privacy legislation achieved widespread political and public support in a diverse range of states. In California, the most populous state by far, the California Privacy Rights Act's (CPRA) landslide victory in November highlights the public's growing appetite for privacy protection. However, with 75% of Americans saying they want more privacy protection online, it's clearly not just Californians who feel strongly about their online privacy.

What a Federal Privacy Law Might Look Like
With an array of serious proposals from both sides of the political divide, some form of federal privacy law now looks like an inevitability. While far from the only privacy-focused bills currently under consideration, the COPRA and the SAFE DATA Act show two different views of what a federal privacy landscape might look like.

On one side of the political debate over privacy, the Consumer Online Privacy Rights Act (COPRA), sponsored in late 2019 by Democratic Sen. Maria Cantwell of Washington, outlines a GDPR-esque privacy environment for the United States. Much to the chagrin of big tech, COPRA would allow consumers to opt out of their data being collected and shared and give individuals the right to sue any organizations that violate their data privacy rights directly. If adopted, the COPRA would also stand in addition to any existing state legislation. This provision means that laws like CPRA would still stand, and the COPRA would not preempt further state-level privacy legislation.

An alternative, more "business-friendly" version of what a federal privacy law might look like can be seen in the SAFE DATA Act. Proposed by a group of GOP senators led by Mississippi Sen. Roger Wicker, SAFE DATA outlines a less stringent vision for federal privacy legislation. Under the SAFE DATA Act, each state's attorney general would enforce online privacy legislation alongside the Federal Trade Commission. The SAFE DATA Act would also make federal legislation take precedence over any existing and future state-level laws and not allow individuals to take action against companies directly.

What Federal Privacy Legislation Needs to Deliver for Consumers
While the two acts mentioned above highlight differences in political opinion about federal legislation, a pragmatic approach to privacy is wise. In my opinion, the best privacy act under consideration is the one that can pass into law. Although what our nation needs now is a strong precedent for federal privacy protection, future amendments and improvements are what will deliver both greater consumer privacy and other benefits like the following.

1. A More Streamlined Online Experience
Americans have an average of 27 online accounts that require different passwords and share users' email addresses and personal info with hundreds of third parties. A federal privacy law would provide the ability to opt out of many of these by removing the need to form a long-term relationship for a one-off transaction.

By requiring a smaller number of online accounts to access the same services, a comprehensive piece of federal privacy legislation would create a far more streamlined online experience. The fewer online accounts you need to access online services, the safer your personal information is.

2. More Choice of Services and Providers
As any federal law is likely to result in a uniform regulatory environment around privacy, businesses would not have to treat customers differently based on their location.

If American privacy laws harmonize with the European GDPR standard, it would also become easier to exchange data internationally. With a single data-privacy standard, Americans could shop more confidently with a broader range of vendors, knowing that every service is subject to the same regulatory regime.

3. Leveraging Your Privacy Preferences
By choosing to "opt in" or "opt out," consumers would be able to leverage the value of their personal information when dealing with businesses. This new freedom could open up new business models and offerings for customers willing to allow companies to use their data.

Final Thoughts
In 2021, privacy is going to be high on the agenda for both the Biden administration and its political opponents. However, while the details of any potential federal legislation are important, the precedent may be more vital. While the first instance of any law will undoubtedly be imperfect, any federal regulatory framework is better than none at all.

Rob Shavell is CEO of Abine/DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California ...

Richard F.
User Rank: Strategist
3/25/2021 | 2:41:48 PM
Federal Privacy Law - State AGs & FTC Ineffective - More Important Priorities
I am a Conservative, but I have also been a Judge, Prosecutor and Deputy AG.  The AGs are primarily state CRIMINAL LAW ENFORCEMENT agencies.  The "Civil Departments" and civil litigation are low priority.

Consumers must have the right to individually enforce their statutory rights for them to be real, effective and actually enforced.  Otherwise those "rights" inevitably go into the black hole of the bureaucracy to die.  Rare, occasional, if and when the bureaucratic timeservers feel like it, enforcement is worthless.

We would all welcome any AG that would actually join into litigation.  FTC action is so rare and unhelpful to consumers that complaining to it is a complete waste of time, ink and electrons. Consider how effective the FTC is for "Do NOT Call" law "enforcement"?  

Conditioning enforcement on action by the bureaucracy is useless and will eviscerate any supposed "rights."  That is no doubt an unspoken, unacknowledged aspect of the "SAFE DATA Act" that makes it desirable from the tech and advertising companies' viewpoint. Their "affiliates" have NO legitimate reason to have my data. Period!!!

Many consumers, Conservative, Moderate and Liberal all agree that we LOATHE advertising and detest "data aggregators."  Restoring personal control over our own information and the ability to individually litigate to enforce our rights will compel compliance.  Vesting exclusive enforcement in the bureaucracies is what Rush Limbaugh used to call, "an exercise in self entertainment."  

