Is it time to throw in the towel on federal data privacy legislation?
Is it possible that the state-level momentum will pick up and finally give way to federal legislation?
Despite a promising start on the Hill, the American Privacy Rights Act (APRA), aimed at creating a comprehensive federal consumer privacy framework, failed to become law last year. Instead, states are taking control by passing their own data privacy laws, which vary from state to state but are largely focused on granting individuals rights over the collection, use and disclosure of their data by businesses.
According to the International Association of Privacy Professionals (IAPP), state-level momentum for comprehensive privacy bills is at “an all-time high.” With the presidential inauguration right around the corner, is it possible that the state-level momentum will pick up and finally give way to federal legislation?
Probably not. Here’s why:
For one, the APRA establishes robust enforcement mechanisms to hold violators accountable, including a private right of action (PRA) for individuals. In other words, with a PRA in the equation, individuals would be able to sue companies directly for privacy intrusions. This carries a lot of weight considering most organizations today (75%) aren’t honoring consumers’ ‘do not track’ requests.
As such, it’s no surprise that the PRA is a point of contention in the proposed legislation. PRAs have been debated for years, and many companies argue that they will lead to an increase in “frivolous lawsuits” while impeding innovation and draining company resources. Understanding the pressure to innovate that businesses face today, realistically it will take far more debates and drafts to reach a consensus on how the PRA fits into the proposed federal legislation.
Additionally, looking at the bigger picture — although data privacy tends to garner support from both sides of the aisle — there are far too many competing priorities to reasonably expect federal privacy legislation to make much headway this year. Even putting aside the hot-button election issues like inflation, immigration and the job market, technology-related concerns are dominated by the complexities of artificial intelligence, pushing privacy further down the priority list.
However, it is not the time to throw in the towel. Rather, the opposite.
In the absence of federal legislation, state lawmakers have the opportunity to set the tone for effective data privacy regulation. When they get it right, it contributes to a domino effect, giving the next piece of legislation a stronger foundation to build upon.
For instance, the General Data Protection Regulation (GDPR) in Europe put a stake in the ground when it was introduced in 2016. Around the time that GDPR went into effect, the California Consumer Privacy Act (CCPA) was introduced, bearing “a high degree of similarity” to GDPR, but with more focus on transparency obligations and “do not sell” provisions. Since then, a chain reaction of legislation has erupted throughout more states, earning that “all-time-high” momentum and bringing the country to an important inflection point.
As states pick up steam, it’s critical to understand that existing legislation should serve as a starting point, not an exact blueprint. Lawmakers must resist the temptation of “copy/paste legislation,” and instead remain meticulously improvement-oriented. As the saying goes, “Leave it better than you found it.”
For example, the Texas Data Privacy and Security Act (TDPSA) — also now known as the Texas privacy law — stands out for a few reasons. First, the sheer size of Texas puts its legislation deeper into the spotlight than other states. It’s the second-largest state behind California, representing a sizable sample of the country’s population and their data.
The Texas privacy law also places a unique emphasis on data processors — the entities that process personal data on behalf of data controllers, which are the entities that determine the purposes and means of processing personal data. If you had to read that sentence twice, you’re not alone. Data, like all goods and information, exists amid a complex supply chain of many organizations and therefore requires a nuanced understanding to effectively regulate it.
Lastly, the Texas privacy law requires businesses to recognize universal opt-out mechanisms like the Global Privacy Control (GPC), which is a web browser setting that allows users to control their privacy online. Although this component of the legislation is not unique to Texas, it’s important because it sets a precedent. With the nation’s eyes on the Lone Star State, the attention to GPCs establishes them as a core element to be recognized in future legislation at both the state and federal levels.
No data privacy legislation is perfect, but each new law passed by states contributes to a stronger foundation and a deeper understanding of what effective data protection entails. These incremental improvements pave the way for comprehensive federal legislation that goes the distance. So don’t give up yet: 2024 may not have been the year for federal legislation, but it’s certainly not the time to throw in the towel either.
Daniel Barber is CEO of DataGrail.