Lydia Rudden
Federal data privacy legislation is necessary to safeguard consumer data against privacy breaches by tech companies with increasingly intrusive data practices. In 2018, California pioneered its own comprehensive data privacy legislation, the California Consumer Privacy Act (CCPA). Currently, with nearly half of U.S. states in the process of formulating their own digital privacy laws, businesses are struggling to maintain compliance, causing financial difficulties and harming innovation. Piecemeal state legislation also leaves consumers with disparate protection depending on where they live. Without a comprehensive and uniform federal law, Big Tech lobbyists shift their focus to securing industry-friendly regulations from particular states, which undercuts the consumer protection purpose of data privacy reform. In May 2022, Congress introduced a federal data privacy bill, the American Data Privacy Protection Act (ADPPA), but the bill failed because of opposition to provisions granting a private right of action and state preemption. This Article suggests that the way to compromise on these two issues, such that a federal data privacy bill may proceed without unduly hindering tech companies or threatening consumers’ privacy rights, is to craft a law that: (1) initially preempts existing state laws but allows new state laws to move forward under certain conditions, and (2) limits an individual’s private right of action to specific circumstances to limit any potential abuse of this right.