A National Approach to Data Protection is Critical for More Effective Digital Public Infrastructure

A national approach to data protections is long overdue. Recent actions from President Biden and Congress show momentum to prioritize greater online user protections nationwide. However, some states are already paving the way to better data privacy for millions of Americans, setting the foundation for a safer, healthier digital future.

Data safety and transparency are critical components for the development of effective digital public infrastructure (DPI), or the digital systems that enable society-wide functions like data exchange/sharing, identity verification, financial transactions, and information systems. As digital solutions become more deeply integrated into our lives, data protections are essential to improve user understanding of how their data is being used and to assure that personal and sensitive data moved between platforms, products, and services is secure.

Civil society-led development principles and resources, and the private-sector’s internal company-specific policies aren’t enough for large-scale, people-centered tech development. To more effectively safeguard users' data, governments should set standards, implement regulations, and model best practices for digital development. While implementing safety- and privacy-by-design measures or integrating privacy-enhancing technology can help make digital solutions more secure, supportive regulation is key to protecting data privacy. Regulation requirements for how companies collect, use, share, and maintain data creates transparency for users and can bolster trust in digital solutions like DPI.

Momentum Behind National Data Protections

In 2016, the European Union’s regional General Data Protection Regulation (GDPR) set a global standard. Countries like Australia, Brazil, South Africa, Thailand and others followed suit implementing their own data legislation. By comparison, the United States has lagged behind. While certain types of data, like health and financial data, have federal protections in place, the United States lacks a national approach for data protection.

That may not be the case for long.

During this year’s State of the Union address, President Biden reiterated his call for bipartisan action to support greater data protections and curb exploitative and extractive data practices, especially those targeting children. In Congress, previous attempts to move national regulation on this front have stalled. The American Data Privacy and Protection Act, which passed out of committee in July 2022, faced concerns that the bill would weaken California’s existing regulations despite ADPPA protections outweighing any state law. The House Energy and Commerce Committee recently showed renewed interest in moving the legislation forward during a hearing focused on a nation-wide data standard.

This growing momentum signals a better outlook for digital solution users and the field of DPI. While the future of federal data regulation is uncertain, some states are already taking action that will impact millions of Americans.

State Data Privacy Legislation in 2023

Five states—California, Colorado, Connecticut, Utah, and Virginia—passed data privacy regulations that are going into effect this year. These regulations could force greater protections nationwide as companies adapt to meet new requirements. While the specifics vary, each piece of legislation outlines four basic rights:

1. Right to access and confirm the personal data being held or processed by a company.
2. Right to delete or remove personal data being held or processed.
3. Right to data portability, or the right to obtain a copy of personal data in a readily moveable format.
4. Right to opt-out of data processing, particularly for targeted advertising and sales use.

In addition to these core rights, these regulations outline greater responsibilities for companies and data collectors, including mandatory risk assessments, non-discrimination policies, data minimization practices, and specification of data use.

Current state efforts are encouraging, but represent a fragmented approach. For example, each state uses different guidelines for determining which entities the regulations will apply, such as annual thresholds of revenue, the number of users an entity processes data for, or a combination of both. In addition, states may differ in how they define terminology or baseline practices for meeting requirements. With a growing number of states exploring data privacy proposals, a patchwork of regulations can complicate compliance for organizations and create confusion for people trying to understand their data rights.

A cohesive national approach is essential for all users and can enable more effective and secure digital public infrastructure, facilitating greater access to digital services without compromising user privacy.