Posted by on October 6, 2020 9:27 am
Categories: Competition & Regulation

By Edward Longe, American Consumer Institute



The issue of data protection is never far from consumers’ minds, with 81% of Americans feeling as if they have very little control over the data private companies and the government collect about them. In the United States, these fears are not unfounded, as “there is no one comprehensive federal law that governs data privacy in the United States.” In the absence of a comprehensive federal law, many states have jumped in to pass privacy and data protection legislation on a balkanized state-by-state basis. What little federal legislation does exist focuses only on regulating specific industries.

The inconsistency among states and industries has led to a complex patchwork of privacy and data protection legislation that leaves consumers facing varying levels of protection. To ensure consumers across the country enjoy equal data protection and privacy, the federal government needs to pass privacy and data protection legislation that balances the rights of consumers but does not impose substantial burdens on companies, especially small companies with limited capital resources.


As it stands, data privacy is a matter left to individual states and this has created a zip code lottery of data collection and privacy laws.

The most robust of these can be found in California where the California Consumer Privacy Act (CCPA) allows consumers the right “to see all the information a company has saved on them as well as a full list of all the first parties that data is shared with.” CCPA also allows consumers the right to demand that companies delete any information they hold onto.

While California has one of the most robust data privacy laws in the country, a recent study showed that approximately twenty-six states have weak or nonexistent consumer data and privacy laws. Alabama, for example, only recently passed “its first data breach notification law” in 2018. Unlike California’s CCPA, Alabama’s Data Breach Notification Act provides significantly fewer protections, and only requires “certain entities to provide notice to certain persons upon a breach of security that results in the unauthorized acquisition of sensitive personally-identifying information.”

While the differences between data protection between California and Alabama are stark, the differences clearly show that consumers do not enjoy equal data protection or privacy laws, with varying levels of security depending on where consumers live.

The zip code lottery for data protection and privacy highlights why consumers need a federal data privacy law to ensure all receive equal protection and privacy rights.


While advocates of federalism will claim data privacy and security legislation should be left to the individual states, they miss the fact that states have often failed to pass the appropriate legislation to ensure consumer data is protected. Additionally, businesses that operate in multiple states will find it very costly to navigate a hodgepodge of differing regulations, potentially passing these costs onto consumers.

In March of 2020, the Washington legislature failed to pass S.B. 6281, a bill that would have provided comprehensive data protection for Washington residents and “allowed individuals to request that companies delete their data.” After the failure of SB 6281, consumers in Washington state were left with weak data protection and privacy laws that only provided limited rights when it comes to knowing what information companies hold on them or ensuring data is protected.

Citizens of Utah are in a similar position as the state senate failed to pass the Consumer Protection Act, S.B. 249, that would have given consumers the right “to know what personal information a business collects, how the business uses the personal information, and whether the business sells the personal information.” Like citizens of Washington, consumers in Utah are left with very limited data protection and privacy because of a failure of legislatures to act.


The inability of states such as Washington and Utah to pass legislation ensuring data privacy and protection further highlights why the federal government needs to pass a national data privacy and protection act.

The significant discrepancies that exist among states with regards to data protection and privacy coupled with the failure of state legislatures to pass appropriate data protection and privacy laws highlights the need for the federal government to step and harmonize the inconsistent patchwork of state laws that govern consumer data protection and privacy. Passing a federal data protection act will not only ensure that zip codes does not determine the degree of data protection or privacy, but it will also ensure the failure of state legislatures to pass the appropriate legislation does not harm consumers.

Consumers deserve better.

Edward Longe is a research associate at the American Consumer Institute, a nonprofit educational and research organization. For more information about the Institute, visit or follow us on Twitter @ConsumerPal