A summer 2024 legislative effort appeared momentarily to revive hopes of a federal data privacy law. She doesn’t promise to see into the future, but Osana’s Rachael Ormiston looks at the unpredictability fueled by the lack of such blanket protections.
After years of questions about forward momentum in the U.S. for a national privacy law, optimism rose earlier this year when the American Privacy Rights Act (APRA) gained bipartisan support in the House and Senate. For privacy professionals who have long advocated for a federal data privacy law, finally, there was hope of success with bipartisan support.
But after the bill drew backlash from various stakeholders, a planned hearing on it was abruptly canceled and no movement has taken place on the APRA since June.
This isn’t the first time something like this has happened to a proposed federal law. Seasoned compliance and privacy pros have seen this movie before with the American Data Privacy and Protection Act (ADPPA), which met a similar fate in 2023. All of this begs the question: Will we see a comprehensive federal privacy law any time soon?
As we approach 2025, it’s difficult to predict what exactly is around the corner. We’ve already seen months full of surprises on the data privacy front — the rise and possible demise of the APRA, White House executive orders on sensitive data, acclimating to new California regulations and an ever-lengthening list of new state laws. All of that is in addition to an incredibly contentious presidential election. The only thing I can predict for certain is that compliance and privacy professionals will face much more complexity and unpredictability.
That complexity and unpredictability is, of course, being exacerbated by the lack of a modern federal privacy law. In the absence of one, what we have is an increasingly complex, constantly changing patchwork of state laws that change on nearly a daily basis. Unlike in Europe, where there is a uniform regulatory environment for privacy, companies operating in the U.S. must design privacy programs that are able to keep up with and comply with varying state laws that have hundreds or even thousands of moving parts to them. This poses enormous challenges to compliance teams.
Demystifying Data De-Identification for US Privacy Compliance
De-identification is a valuable tool for protecting consumer privacy, but the process requires diligent compliance with multiple state and federal standards. L. Hannah Ji-Otto and Julie A. Kilgore, both of Baker Donelson, and legal adviser David Chen explore the various regulatory perspectives on data de-identification and their implications for businesses operating in the United States.
Read moreDetailsMany of these challenges would be solved by a federal law that sets a national standard applicable everywhere in this country. This would help companies to operationalize programs with greater ease, applying the same standards across state boundaries. The corporate teams that now spend their time dealing with the myriad, slightly different laws would have more time to spend updating systems and applying business insights.
A federal law would also benefit consumers by promoting privacy equality across the country and allowing state neighbors to have the same rights and privileges over how they manage their data. If you are in California, you have the right to have your information corrected, but this is not the case in Utah, though both states have privacy laws. Meanwhile, other states lack modern data protections altogether.
Notably, though, there isn’t universal agreement that a federal law is the right solution. Case in point: California. The California Privacy Protection Agency (CPPA) opposes APRA because it believes a federal law would weaken the protections Californians currently enjoy under the CCPA and the California Delete Act. Advocates for existing California protections feel a federal law prevailing over those state-level protections would weaken the state’s intentionally strict protections.
But is that reason enough to forgo a federal law that could potentially benefit the remainder of Americans, the vast majority of whom do not reside in California? And why not adopt the Golden State’s protections as a baseline? Because those pro-privacy protections may be seen by other states as simply too progressive in a way that potentially harms business. For long-term success, taking a more radical approach at a federal level, straight out of the gate, may be too much; we simply may need time to evolve and get to that place.
And it is worth remembering that a federal law does not solve every problem. With a federal privacy law coming under the purview of a lone regulator, the Federal Trade Commission (FTC), it is easy to imagine the potential delays in enforcement that having a single regulator could create. If that were to occur, perhaps a consequence of that is a focus on Big Tech that would dissuade programmatic change for smaller businesses where arguably change is most needed.
So what should compliance and privacy professionals do in the meantime? If APRA is not revived later this year or in a new Congress, it will continue to be a waiting game. Given the number of state laws that are proliferating, there is clearly an appetite for wider privacy regulation that would support the idea of a federal regulation, but it is likely that concessions will have to be made. The two most strongly contested points appear to be on the right of preemption and the ability to raise a private right of action, but there is also the small matter of how to enforce. One potential compromise could be to enable regional regulatory supervision, using established agencies under FTC oversight. Or would that simply create more confusion?
Rachael Ormiston is the head of privacy at Osano. With more than 15 years of professional experience, she has deep domain expertise in global privacy, cybersecurity, and crisis and incident response. Rachael is an IAPP FIP and has previously served on the IAPP CIPM exam development board. She has a personal interest in privacy risk issues associated with emerging technologies. 
