Today, Americans' personal information can spread all over the internet, often without their knowledge or consent.
And policymakers are taking note. To date, states like Virginia, California, and Colorado have passed data privacy laws that grant individuals greater control over their personal information, securing their residents' right to take steps such as opting out of sharing data for certain uses. But despite efforts by Congress to date – and with 70% of countries around the world already having enacted a national privacy standard – there still remains a pressing need in the United States for federal data privacy legislation that addresses how all Americans' data is collected, used, and shared.
The recent U.S. Senate passage and subsequent House markup of the Kids Online Safety Act (KOSA) and the Children's and Teens Online Privacy Protection Act (COPPA 2.0) represent positive, bipartisan steps to prioritize users' well-being over engagement or profit, but they are only part of the solution. Data brokers are still combing the internet and public records, collecting personal data without user notice or permission, analyzing it, and selling it to others.
This unchecked collection and sale of data poses significant risks. Data brokers compile detailed profiles on individuals without their knowledge. Then, when data breaches occur, criminals steal sensitive information, exposing Americans to identity theft, fraud, and manipulation.
Take, for example, the AT&T data breach this past July, where the call and text records of tens of millions of Americans were exposed, and the National Public Data data breach in August, in which billions of pieces of personal information were compromised. These incidents are not isolated; they highlight the broader issue of companies collecting and using data without transparency. Individuals often have no idea how much of their personal information is being collected, profiled, and shared, or with whom.
As Congress looks beyond Election Day, it needs to prioritize comprehensive legislation to help all Americans retake control of their data. Nearly three in four Americans think the government is failing to protect their personal data with privacy laws. Any legislation should advance both security and privacy and mitigate the risks of data breaches and other challenges posed by data brokers' practices.
A key principle in future federal data privacy legislation should be user choice – a prerogative ID.me has long championed. User choice means giving individuals the right to access, rectify, and request deletion of their data. It also means requiring explicit opt-in consent for data collection and sharing with third parties.
User choice benefits both individuals and businesses. For individuals, it offers peace of mind and control over their digital identities. For businesses, it fosters trust and encourages responsible data collection practices. When users feel confident that their data is secure and that they are in control, they are more likely to engage with digital platforms.
The American Privacy Rights Act (APRA) was the latest effort to protect Americans from invasive monitoring and unfettered data collection by establishing a national standard for data privacy. However, like similar bills in the past, its prospects for passage were plagued by disagreement, with the legislation being pulled from consideration before the House Energy and Commerce Committee this past June. Policymakers remained split on their approach, including over provisions of the bill that could eliminate the use of biometric data, an important tool for combating fraud. Despite this debate – which will no doubt continue into the 119th Congress – some states have already adopted policies like those outlined in APRA.
Critics of federal data privacy legislation argue that it could place an undue burden on businesses or stifle innovation. Well-crafted legislation, however, can take business needs into account. Plus, the patchwork of state policies established in the absence of a federal standard can be even harder to navigate for businesses. Now, 19 states have passed their own data privacy laws, with 12 such laws taking effect over the next two years.
Effective data privacy laws can provide clear guidelines that help businesses navigate the complexities of data management while upholding user privacy and trust. For example, legislation can mandate transparency in data collection practices and allow businesses to innovate within a framework that prioritizes user control.
ID.me and others in the private sector have consistently advocated for federal data privacy legislation. Privacy need not be a partisan issue – it is a fundamental right.
For our part, ID.me will continue to put users in control of their data by providing a secure way for them to verify and manage their digital identities and helping them access online services without the need for multiple usernames and passwords. Users benefit from our privacy bill of rights, which promises that we won't share users' information without their consent and guarantees their right to revoke access to their data, an approach that stands in stark contrast to the practices of data brokers.
Looking to a new Congress in 2025, lawmakers need to take decisive action on data privacy legislation that prioritizes user choice and control.
I'm optimistic about the future of data privacy. With the passage of a federal data privacy bill and continued leadership from companies like ID.me, we can create a digital world in which Americans control their own data.
Comment
Show comments
Hide Comments
