The Current State of Privacy Regulation

The United States is experiencing a rapid proliferation of state-level privacy laws, creating an increasingly complex regulatory landscape. Since California pioneered comprehensive privacy legislation with the California Consumer Privacy Act (CCPA) in 2018, the trend has accelerated dramatically. Currently, 19 states have enacted their own privacy legislation, each with unique requirements, enforcement mechanisms, and compliance frameworks.

The layered approach that has emerged, with states each protecting their citizens, is creating problems. The internet’s inherently borderless nature means that companies must simultaneously comply with numerous, at times conflicting, regulatory regimes. This leads to substantial duplication of effort, bespoke legal reviews, and customized technical architectures, all of which drive up compliance costs. For large companies, this means building out expansive legal and engineering teams to keep up. For smaller firms, it often means pulling back from certain states entirely, simply because the cost of compliance outweighs the potential revenue.

The result is a regulatory environment where cost—not conduct—determines who can afford to participate. This, in turn, raises the barrier to entry, distorts competition, and undermines the original consumer protection goals of privacy legislation.

The House Energy and Commerce Committee deserves credit for reengaging federal privacy legislation. In a policy space that has long been stalled by jurisdictional turf wars and ideological standoffs, the Committee’s willingness to put forward a serious, bipartisan proposal represents a step forward. But this momentum should not obscure a hard truth: there are real costs to privacy regulation, no matter how well-designed. Any national standard, especially one that includes private rights of action, new enforcement authorities, and mandatory technical requirements, will carry financial and operational burdens, particularly for smaller firms. Lawmakers should proceed with humility, recognizing that even the best-intentioned privacy frameworks must be crafted with an eye toward economic sustainability and proportionality.