The recently unveiled American Privacy Rights Act, the latest in a series of bills to create a national standard for data privacy, contains some troubling provisions for the tech industry. It is vital to ensure individuals can protect sensitive personal information and easily learn how their data will be used if they choose to use a platform or service. Tech companies should do a better job with this on their own. Still, a one-size-fits-all national standard that undermines innovation without delivering privacy protections would be bad for consumers and the economy.
The bill’s “data minimization” component could severely inhibit companies’ ability to innovate with data, deliver efficient services, and grow the economy. Data minimization is the principle that websites and apps should collect, process, and store only the minimum amount of personal data necessary to achieve their purposes. For example, websites might collect addresses for shipping, but they cannot store and use that data for advertising. Under the proposed American Privacy Rights Act (APRA), businesses would have to justify all data collection practices, ensuring that every piece of data collected is “essential” and “not excessive,” both vague and subjective terms that will be left in the hands of regulators to define. This uncertainty could lead to confusion about what is permitted, potentially leading to a chilling effect on innovation.
Data minimization creates compliance costs because companies have strict obligations about what they can do with data. This also limits their ability to use data for activities unrelated to its “essential” purpose, like advertising or logistics. By examining similar data minimization policies implemented in the European Union (EU) under the General Data Protection Regulation (GDPR) passed in 2018, we can measure data minimization’s negative impact on investment, innovation, and economic growth in that region.
Within the first three years of GDPR, startup investment decreased by 36%, nearly one-third of all apps disappeared from app stores, and almost no technologically innovative firms have come out of the EU since. The EU lags in the development of AI, and the European Court of Auditors found that the overall AI investment gap between the United States and the EU more than doubled between 2018 and 2020.
The United States has also unleashed an abundance of AI products, such as personal assistants, manufacturing devices and processes, self-driving cars, self-checkout counters, and more products that already operate in the U.S. economy but are not as common in the EU. These products and services were innovated with data that may not have been essential to companies initially, but productive uses for the data were discovered through research and development.
But it isn’t just big firms that are punished by data minimization mandates; it makes startup activity and competition more difficult. Another study found that although small firms are exempt under GDPR, they still comply with the standard to avoid potential penalties if the company scales quickly. Small firms have, therefore, been forced to rethink operational strategy, hire roles dedicated to compliance, and delete vast swaths of data. A 2021 survey shows that 80% of global firms spent $1 million to comply with GDPR, while 40% spent more than $10 million, not including ongoing costs.
In the end, large firms may eventually absorb these costs and innovate in other areas, but startups and small businesses will be harmed the most, potentially leading to reduced competitiveness and even business closures. One study found that GDPR increased the concentration of ad spending at Google and Facebook by 17% because many smaller vendors dropped out of the industry due to compliance costs.
Data is a critical asset in the modern economy, supplementing marketing, customer service, and supply chain management. The digital advertising industry, for example, relies on data to target consumers effectively. Under strict data minimization rules, advertisers may struggle to reach their intended audiences or find innovative future approaches to online advertising under a data minimization regime of overly complicated and rigid rules. Data minimization policies could limit small businesses’ ability to leverage data for these purposes, resulting in less efficient advertising.
Digital advertising may be big business, but it’s also central to the marketing strategy of nearly every small business. One survey of small and medium-sized business owners about digital advertising found that 79% say it helps them compete with bigger businesses, 78% say they are more effective than offline ads, 61% spend more than $10,000 annually, 29% spend more than $100,000, and 69% believe new regulations could hurt their business. An additional 82% agree that digital ads are more effective than offline/traditional advertising, and 70% plan to spend more in the next two years than they did in the previous two. These statistics show how important digital advertising has become for small businesses, and the APRA could interfere with their ability to find customers and convert sales.
These are heavy prices for regulations that have not been proven to increase trust or data security. France, Spain, and the United Kingdom still rank among the top 10 countries for data breaches. One study found that the overall number of cookies, a technology used to track users for advertising, has not reduced significantly within the EU but has shifted from third parties to larger services like Google and Facebook. A law with such steep economic costs should have stronger guarantees that greater privacy will be achieved.
Instead of mimicking the GDPR, U.S. regulators should focus on increasing transparency about data use and modifying its risk-based approach. For sensitive data, such as personal financial and healthcare information, the United States should scrap its sectoral approach—where each sector of the economy, like healthcare and finance, has completely separate privacy laws—and implement a national framework that reasonably addresses risks for sensitive personal information. Personally identifiable but less sensitive information, such as browsing history, should retain its current status, where its use beyond its “essential” purpose remains legal as long as the terms are clearly presented and don’t run afoul of other laws. All data processes should be clearly explained in company policy, which the APRA gets right. Users should then decide if they want to use the service and the accompanying data practices themselves instead of using public policy to force websites into certain data practices.
This approach may incentivize privacy-enhancing innovations, like device filters, built-in operating system protections, cookie blockers, and cryptographic privacy, rather than deter investment and innovation with burdensome regulations.
While well-intentioned, APRA could have negative economic impacts as it limits innovation, saddles businesses with compliance costs, and reduces the industry’s ability to use data to achieve everyday tasks like advertising, logistics, and customer management. Instead, Congress should focus on creating transparency in data practices, employing a risk-based approach to data use, and crafting innovation-friendly regulation. Data minimization should be reserved for only the most sensitive forms of information as such regulation has done tremendous damage to the European Union and is likely to do the same to the United States if passed. Balancing privacy and innovation is crucial for fostering a vibrant, competitive economy.