This Cybersecurity Awareness Month, attacks are again on the rise across the U.S. and the world, and Congress must act to protect Americans’ information online nationwide. The Identity Theft Resource Center reported that over 1.7 billion data breach notices were sent to consumers in 2024.
Sadly, this includes cyberattacks on children, as a report from the Center for Internet Security shows 82% of K-12 schools experienced one between July 2023 and December 2024. And research from digital regulation expert Shoshana Weissmann and child safety advocate Maureen Flatley found that children are the number one targets for identity theft, with 25% expected to experience it before they turn 18. What’s more, an investigation of three Los Angeles school cyberattacks showed public officials were not being transparent with the public about the extent to which they are impacting schools and the private information of students.
These are only a few examples of the frequent targeting we’re seeing today from cybercriminals, and the safety of our data and our families’ data is too important to keep setting aside. The need is clear for Congress to pass a nationwide, uniform privacy standard so all Americans have equal data protections online and businesses across the country can navigate clear, concise rules.
Lacking a sensible national standard for data privacy, various states have introduced many wide-ranging standards for privacy. This has created a patchwork of many different digital rules where rights change every time we cross state borders. Due to the interstate nature of how we use the internet, this fractured regulatory system makes it difficult for online businesses, especially small ones, to comply. What’s more, hackers and data brokers exploit this patchwork, further threatening our cybersecurity.
In NetChoice’s Digital Safety Shield for America, we’ve included a provision urging Congress to step up and do the hard work of negotiating and passing a federal standard for data privacy so all Americans and our families can receive amplified security and equal protections online, no matter where we live.
Some federal lawmakers have tried to overcome political hurdles on this issue, but roadblocks have repeatedly derailed the process, especially when it comes to setting federal rules that supersede state ones. For example, California has been active in implementing far-reaching, overly-restrictive rules on privacy. The California Consumer Privacy Act and subsequent California Privacy Rights Act created the state’s Privacy Protection Agency (CPPA) and its regulatory framework with broad and clumsy definitions for compliance burdens that hurt small businesses the most while doing little to improve consumer privacy. What’s more, businesses across the country spend massive amounts on complying with all the different state laws instead of innovating for consumers.
Not every state has implemented poorly crafted rules with a massive regulatory structure, though. Texas’ data privacy law strikes a good balance between protecting consumers and promoting innovation and should be considered as a model for Congress to follow.
But even good state laws don’t eliminate the fundamental problem: the interstate nature of the internet means that Congress must fix this patchwork problem so businesses and consumers aren’t stuck wading through piles of conflicting compliance. Sacramento shouldn’t be setting nationwide standards, and Americans should not have to suffer under a less competitive and less secure digital landscape.
The details of a federal privacy standard matter a lot, too. If Congress creates a complex bureaucracy that imposes burdensome, vague requirements that make it difficult and costly for businesses to comply, we will be stuck in a similar situation.
Here are a few key components of a privacy law that would be good for consumers and businesses:
- Data security-forward: Requirements for covered entities and service providers to protect the confidentiality, integrity and accessibility of covered data.
- Creating a true national standard: Any bill must not carve out specific states. Doing so will prevent the establishment of a single privacy law across the U.S.
- A “right to cure” for injunctive relief: Giving covered businesses the opportunity to remedy alleged violations before individuals can seek injunctive relief or actual damages, so compliance can be the goal, rather than punishment for honest accidents.
- Avoiding putting a civil litigation target on small businesses: Exploitative and frivolous lawsuits, compliance and red tape will drown small businesses, opening the door for the trial bar to exploit the system for profit rather than making it easier for covered entities to focus on protecting consumers.
- Ensuring consumers can still benefit from positive data sharing: There are many good ways companies use consumer data, such as providing discounts, recommending relevant advertisements and content and making products better for customers in the R&D process.
Congress has the express power to regulate interstate commerce, and the way data flows between borders falls squarely under that constitutional authority. As such, Americans’ data privacy protections shouldn’t end at one state’s borders.