Privacy Pro dreams were shattered at the end of last week when the long-awaited federal privacy law v2.0, the American Privacy Rights Act (APRA), appeared to have been dealt a potentially fatal blow. After redlines were made to an updated draft of the proposed regulation, a scheduled markup was canceled on June 27, leaving the future of the law in question amid concerns it been had substantially weakened with the removal of civil rights protections and provisions intended to prevent algorithmic discrimination. However, this isn’t the first time this has happened to a proposed federal law. Seasoned privacy pros have seen this movie before with the ADPPA. Which begs the question: Will we see a comprehensive federal privacy law any time soon?  

🔮 Outlook Unclear

As we approach the second half of the year, it’s difficult to predict what exactly is around the corner for privacy pros. It’s already been six months full of surprises—the rise and possible demise of the APRA, White House Executive Orders on Sensitive Data, acclimating to the new California Regulations, and a substantial list of new state laws. After the events of last week, the only thing we can predict for the rest of the year is…more unpredictability.  

What we can tell you is that with a growing trend of regionalized, thematic, and disparate regulations emerging on a near-daily basis (state comprehensive, health, AI, consumer and content moderation to name a few), the landscape continues to get harder to navigate. As an example, it is no longer possible to have a one-size-fits-all privacy policy. Instead, requirements of state health privacy laws may require you have standalone policies. It means that overnight, the jigsaw puzzle goes from 100 pieces to 10,000 pieces, requiring delicate analysis and precision to get each section assembled in the right way. Applying consistent baselines and following the strictest approach may be possible for some areas of governance; however, for others, it can also result in potential conflict as well increasing the workload of an already under-resourced team.  

So, what is a privacy pro to do? The role feels increasingly challenging—so much so, that it makes me wonder if all privacy pros need to don a cape and eye mask before flying into problem-solving meetings. And this begs the question: will the U.S. see a super-law to solve these problems for us? 

How Would a Federal Privacy Law Change Things?

A federal privacy law could simplify the current patchwork of U.S. privacy laws by setting a national standard applicable to each state. This would help companies to operationalize programs with greater ease, applying the same standards across state boundaries. This would free up a privacy pro from juggling an obstacle course of compliance requirements, ready to take on the myriad of laws, and allow them to direct time currently spent tracking laws and updating systems toward uncovering and applying business insights. A federal law would also benefit consumers by promoting privacy equality across the country and allowing state neighbors to have the same rights and privileges over how they manage their data. If you are in California, you have the right to have your information corrected but this is not the case in Utah, though both states have privacy laws. Add to this that in two-thirds of US states, there are no privacy rights at all. 

Does the U.S. Need a Federal Law?

I think most privacy pros would agree that the United States needs a federal law, in some form. The data paints a frustrating picture: 70 percent of the nations in the world and 79 percent of the global population are protected by national privacy laws. Of the top 10 GDP nations in the world, the U.S. is alone in not having a federal law.  

To be blunt, it’s a bad look. With an economy dependent on international trade and a free exchange of data, the lack of a dependable data protection framework able to withstand international scrutiny is worrisome.   

And with increasing concerns over the level of protection afforded to sensitive information, such as health information or children’s data, and discussions about potential abuse by foreign state actors, the lack of federal privacy regulation is deeply troubling.  

However, not everyone agrees that a federal law is by default the right solution. Case in point: California. The California Privacy Protection Agency (CPPA) opposes APRA because it believes a federal law would weaken the protections Californians currently enjoy under the CCPA and the California Delete Act. They feel that a federal law prevailing over those state-level protections would weaken intentionally strict CA protections. And let’s not forget, those are protections that Californians voted in. With California being the most populous state in the US, its position is compelling and makes a lot of sense. But is it reason enough to forego a federal law that could potentially benefit the remainder? And why not adopt the CA protections as a baseline? Because those pro-privacy protections may be seen by other states as simply too progressive in a way that potentially harms business. For long-term success, taking a more radical approach at a federal level, straight out of the gate, may be too much; we simply may need time to evolve and get to that place. 

It is worth remembering, in the interests of fairness, that a federal law does not solve every problem. With a federal privacy law coming under the purview of a lone regulator, the FTC, it is easy to imagine the potential delays in enforcement that one single regulator could have. If that were to occur, perhaps a consequence of that is a focus on Big Tech that would dissuade programmatic change for smaller business where arguably, change is most needed.  

The Big Question: Will a Federal Privacy Act Ever Become Law? 

While a federal law has yet to make it through congress, we’ve had a few earnest attempts. But at this time, it remains to be seen if the U.S. will pass a federal law. As I write, the likelihood of the APRA passing seems low. Jointly proposed by Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA), this bi-partisan, bi-cameral bill sparked hope that it would make through Congress. But that hasn’t happened and the events of the past week seem to indicate that it won’t. Mounting disagreements and revisions may just be too much to overcome.  

What Can Privacy Pros Do? 

If the APRA doesn’t pass, it is, unfortunately, more wait and see for Privacy Pros on whether a federal law will emerge. We will likely we will see more bills in future. In 2024, 21 comprehensive privacy bills have been filed across 13 states. In 2023, 66 comprehensive privacy bills were filed across 31 states. There is clearly an appetite for wider privacy regulation that would support the idea of a federal regulation, but it is likely that concessions will have to be made. The two most strongly contested points appear to be on the right of preemption and the ability to raise a private right of action, but there is also the small matter of how to enforce. One potential compromise could be to enable regional regulatory supervision, using established agencies under FTC oversight. Or would that simply create more confusion? 

Time will tell what happens. However, in the interim, while we wait for that super law amid small but meaningful steps toward increased protection and enforcement, it is imperative that that those superhero privacy pros take steps now to strategize on their compliance programs. First, map or inventory your data so you know what you have and can understand what laws you need to be compliant with. Secondly, think through how you can operationalize priority areas to embed them in your business. This might be through training of privacy champions and adopting technology to automate privacy compliance obligations.  

Stay Informed About U.S. Privacy Regulations 

Federal privacy decisions in the U.S. are a waiting game we’re all playing. But while you’re waiting, you can stay up to date on the rapidly changing privacy landscape, with these Osano resources: 

• The Privacy Insider Podcast, Episode 3: The July episode of our podcast is entirely focused on the federal privacy landscape: Arlo Gilbert and I have a deeper discussion about the possibility of one U.S. privacy law and the dynamics around it. You can listen on Apple, Spotify, our site, or wherever you listen to podcasts.  

Hang in there, and stay tuned: In privacy, as in most things, the only constant is change.