American business is aligned on the importance of user privacy. Lobbying groups from TechNet to the Internet Association have laid out explicit priorities for federal legislation. However, the high compliance costs for small and medium businesses, as well as the effects of GDPR on entrepreneurship, have been a point of concern for American business interests. Some believe that the US should pioneer an alternative method of privacy legislation, rooted in a data controller's duty of care, rather than relying on ex-ante compliance. On the other hand, many chief executives have praised GDPR and called for similar legislation to be passed in the United States.
Both Democrats and Republicans support a federal privacy bill. However, this federal privacy bill is not likely to be modeled on GDPR; rather, it is likely to be a compromise between COPRA, proposed by Senate Democrats, and the SAFE DATA Act, proposed by Senate Republicans. Both bills expand FTC power, put forward individual rights for consumers, and limit companies' ability to collect, use, and share consumer data. However, they differ in two key ways. First, the SAFE DATA Act proposes that federal privacy law be treated as a "ceiling" for how far privacy law can go, while COPRA proposes that federal privacy law be treated as a "floor", a baseline level of privacy protections that states can expand. Second, they differ on whether a private right of action should be included, i.e. whether individuals can sue for violations of their privacy. COPRA includes this provision while the SAFE DATA Act does not. These two issues will need to be resolved by both parties, but we do seem to be "on the cusp", as Will DeVries puts it, of broader privacy legislation in the United States.
Given that our interviewees in academia come from a variety of backgrounds, it follows that they had somewhat differing perspectives on what privacy legislation should look like. From the legal perspective, GDPR and CCPA were seen as good starting points for a federal privacy law in the US. From the technical perspective, GDPR and CCPA were viewed as fundamentally incompatible with the U.S. economy and system of governance: they had the wrong starting point, focusing on data processing and access rather than data misuse. From the economic perspective, governments should carefully weigh the risks of their intervention when establishing consumer privacy rights, and favor letting market pressures or changes in consumer preferences naturally incentivize businesses to develop solutions to consumer privacy concerns.
A majority of individuals do not believe that their privacy and data are fully protected. They are worried about the use of their personal data and are certainly aware of current problematic practices when it comes to data collection and use by technology companies. While many reported a sense of confusion about what could be done to protect user privacy in the United States, some concluded that legislation similar to GDPR or the establishment of an explicit right to privacy would assuage some of their fears.
Ultimately, while the question of how to practically protect privacy in the U.S. remains challenging, it is far less nebulous than we initially believed, and our research has made us far more optimistic about what is to come. Policymakers, business leaders, and scholars are roughly on the same page about the nuances of a federal privacy law, and are aware of where their opinions differ. With time and political compromise, we are hopeful that the U.S. will pass a federal privacy law that will provide businesses with practical incentives to protect consumer privacy.