In the absence of a federal data privacy framework, many states have introduced or passed state-specific legislation, often incorporating ideas from the European Union’s stringent General Data Protection Regulation (GDPR). In a new insight, Technology and Innovation Policy Analyst Joshua Levine and John Belton explain how these differing state laws have created a complex and costly environment for U.S. businesses, harming startups and consumers alike.

Levine and Belton conclude:

With the lack of a federal data privacy framework, multiple states have implemented their own versions of privacy legislation to accompany the host of national sector-specific laws. This complicated system will continue to make compliance both challenging and expensive, particularly for small businesses. While some lawmakers are looking to the European Union’s GDPR as a model for a U.S. framework, research has shown that the overly burdensome law is already harming innovation and competition in Europe. Congress should instead work from the framework laid out in American Data Privacy Protection Act, which will benefit consumers and reduce costs for businesses.

Read the analysis