While several states have already enacted some form of data privacy legislation, a federal law – like the General Data Protection Regulation (GDPR) in Europe – has yet to gain any real traction here in the U.S., as lawmakers continue to get pushback on the American Privacy Rights Act as it is currently proposed.
“We do support a national privacy law that protects consumers, but this legislation would have serious negative consequences for the American economy and U.S. technological leadership,” reads a recent letter sent to the House opposing H.R. 8818 (American Privacy Rights Act), signed by dozens of associations including the Security Industry Association (SIA). “The costs of compliance and resulting inefficiencies would harm consumers through higher costs or reduced and inefficient services.”
Although some progress has been made on the federal legislation, SIA’s Senior Director of Government Relations, Jake Parker, points out, “There was no movement to address significant law enforcement issues, or broader business community concerns regarding the scope of state preemption and potential for abusive lawsuits under its private right of action (PRA). Additionally, significant last-minute changes in the proposal with respect to biometric information would, unlike in its previous iteration, essentially apply Illinois Biometric Information Privacy Act-like requirements nationwide, which would be unworkable for important implementations of biometric technologies.”
In addition, those in opposition to the APRA say that, as proposed, it will create a harmfully litigious atmosphere that is not a feature of the state-driven data privacy legislation that SIA and the letter's other signatories support.
“APRA would empower plaintiffs’ attorneys to engage in sue-and-settle tactics against small businesses, startups, and charities,” the letter reads. “Companies acting in good faith and not engaging in willfully harmful activity will be forced to agree to pay expensive settlements or risk costly litigation. APRA would also gut arbitration agreements and enable activists to weaponize private rights of action against non-profit organizations with whom they may disagree politically.”
In addition, they say APRA would fail to establish a single, national privacy standard, which is necessary to ensure certainty for both businesses and consumers, noting, “The APRA’s approach could cost the American economy as much as $1 trillion, with $200 billion being incurred by small businesses alone.”
The pushback has forced lawmakers to put the legislation on the shelf for the time being, while some of the important issues raised by associations like SIA are worked out. Meanwhile, the number of states adopting their own form of GDPR continues to rise, with similar legislation that SIA hopes will be used as a model for the reworked federal legislation.
“Nebraska, Kentucky, Maryland, New Hampshire and Rhode Island passed comprehensive data privacy measures in 2024 that are generally similar, bringing the total to 19 U.S. states that have enacted what many consider to be the emerging ‘state consensus’ data privacy model that is based more closely on the European Union’s General Data Protection Regulation,” says Parker.