The Looming Cost of a Patchwork of State Privacy Laws

In the absence of a comprehensive federal law, a handful of large states have passed or begun to enact data privacy legislation. More states are likely to pass similar laws in the coming years, which would create a patchwork of different and sometimes conflicting state privacy laws regulating the commercial collection and use of personal data. Not only do these laws create significant costs for in-state businesses, both in terms of direct compliance costs and decreases in productivity, but they also raise costs for out-of-state businesses that can find themselves subject to multiple and duplicative rules and create confusion for consumers. The Information Technology and Innovation Foundation (ITIF) has estimated that, in the absence of Congress passing privacy legislation, state privacy laws could impose out-of-state costs of $98 billion and $112 billion annually. Over a 10-year period, these costs would exceed $1 trillion. The burden on small businesses would be substantial, with U.S. small businesses bearing $20–23 billion annually. ITIF’s economic model also shows the impact of privacy laws on each state. These estimates highlight the high costs of states creating a patchwork of privacy laws and the need for Congress to move quickly to pass legislation to create a national privacy framework that streamlines regulation, preempts state laws, establishes basic consumer data rights, and minimizes the impact on innovation.