One year in, the impact of the General Data Protection Regulation (GDPR) has been widespread. Europe’s new data protection laws have resulted in 281,000 breaches and 55 million euros ($61 million) in fines to some of the world’s biggest tech companies over the mishandling of personal information. Furthermore, the legislation has drawn a line in the sand as to what companies can and cannot do when it comes to sensitive user data.

While GDPR has somewhat clarified the murky rules surrounding consumer data in Europe, the same cannot be said in the United States. 

Legislation in the U.S. varies from state to state, rather than having unified standards from country to country. As states like California and New York begin to legislate for consumer data rights, the risk of differing rules could result in weaker federal data laws.

Why? Because a patchwork of protections legislated at the state level makes for an uneven and confusing legal environment. Without a formal federal position, differing state rules could translate into privacy that is complex and onerous for any company.

California Makes the First Move

No movement on the federal front means U.S. states must take privacy protection into their own hands, and California is the first to take a stand. The California Consumer Privacy Act comes into effect in 2020 and grants consumers insight into and control over their personal information collected online.

As reported by Wired, the sweeping law gives Californian residents the ability to request the data that businesses collect on them, demand that it be deleted and opt out of having that data sold to third parties. Tech companies are clearly worried about the changes and have lobbied hard for their watering down — with legislative bodies, backed by major tech bodies, advancing a series of changes in April that would offer exemptions for certain categories of businesses.

The law will ultimately result in strict control of consumer data use from corporate entities, as well as major fines for tech companies that do not comply. Fines will total $7,500 per violation and $750 for each record compromised — which could add up to a considerable sum for smaller business. Major corporations have already begun to prepare for the incoming rules, but smaller online businesses could be hit hard if they are not ready when the laws come into effect. 

New York Follows With a Tough Approach

The Californian overhaul has been praised by privacy advocates for its hardline stance on the issue — though the law has since been overshadowed by the even tougher stance made by the state of New York. The New York Privacy Act entered the state senate last month and, if approved, would grant the strictest controls over personal data in the U.S.

This bill shares similarities with the Californian law in that the user can better understand who holds what data and request that any such information be deleted or corrected. However, the East Coast approach would give New Yorkers the right to sue companies directly over privacy violations. On the West Coast, this element of law enforcement is left to the state’s office and only applies to businesses that gross more than $25 million annually. New York’s act would allow for personal litigation against any company of any size — something that could hold major repercussions for those who do not play by the rules.

Perhaps unsurprisingly, privacy proponents have praised the bill, while tech representatives have all but trashed it. A director for the Internet Association, which represents the likes of Facebook, Google, Amazon and Microsoft, has called the act “unworkable” and questioned whether the legislation actually provides “meaningful control” over personal data. 

The reactions mirror those of the Californian law rollout, and one can only predict that similar battles on either side of the debate will continue to play out, while there remains no formal federal position. It begs the question, where is privacy protection headed on a national scale?

The U.S. needs federal oversight because competing data laws will only result in weaker laws across the board.

Other States Are Following Suit

Since the federal government currently has no position on privacy protections, it seems that state-by-state legislature will continue to be the way forward for the time being. 

Maine and Nevada already have consumer privacy protections signed into law. While both pale in comparison to the protections presented by California and New York, they are a start. The citizens of Maine, under the Act to Protect the Privacy of Online Consumer Information, are protected from broadband providers using, selling, distributing or permitting access to customer personal information for purposes other than providing services. Meanwhile, Nevada’s Senate Bill 220 amends the state’s existing law to require websites and online services to post privacy notices to users regarding access to their information. 

Other states seem to be following similar paths — though none are as strong as the protections put forward by California or New York. Maryland’s Online Consumer Protection Act, if passed, would force companies to demand access to user data and disclose when user data is being collected and what user data is being sold. 

Texas has decided to revise its provisions relating to security breaches by creating the Texas Privacy Protection Advisory Council. North Dakota, similarly, has chosen to provide a legislative management study of consumer personal data disclosures.

The Problems Inherent in a State-by-State Approach

First, differing governmental battlegrounds make for higher susceptibility to corporate lobbying. Lobby groups have already played a big part in the legislature push in California and New York, so one can only imagine smaller, less affluent states being prime targets for big tech lobbyists.

Second, a patchwork of protections legislated at the state level makes for an uneven and confusing legal environment. Different rules in Nebraska from Idaho could translate into privacy that is complex and onerous for any company. Again, this would be to the detriment of smaller companies without the resources nor legalese to operate across differing privacy expectations. 

Third, the right to privacy is fundamental for many. 

Protecting privacy on state lines will only make for uneven rules that are more difficult to enforce. Further, they will simply be more difficult to understand for both consumers and companies. As evidenced by the GDPR, one rule for one region works. 

The Need for Federal Oversight

The U.S. needs federal oversight on something as important as citizen digital privacy to ensure one standard for many — competing data laws will only result in weaker laws across the board. 

This is an issue that will only grow in importance as internet-of-things devices continue to take over our homes and our lives in the coming years. These devices, which often use susceptible connections between the server and receiver, have the potential to reveal sensitive details of unsuspecting users. 

This should be especially concerning when many of these devices have the ability to collect countless data points through microphones, cameras and sensors. 

California and New York have created two sets of laws, which, by and large, do protect user privacy. In the absence of federal oversight, both states have acted to ensure the rights of their respective citizens. However, this does not detract from the need for federal action on this issue. Fifty different approaches to privacy will not improve upon one strong, national standard — the future of the nation’s citizens depends on it.