Privacy Laws

Proposed U.S. Privacy Legislation


The United States is now considering several bills to protect privacy. These bills are intended to address growing public concern about the absence of adequate legal protection in the United States for personal data. EPIC has been calling for comprehensive federal privacy legislation for over 20 years.

EPIC and a coalition of privacy and consumer privacy groups have long recommended that Congress enact a privacy law that:

  1. limits the collection and use of personal data;
  2. prohibits discriminatory uses of data;
  3. requires algorithmic fairness and accountability;
  4. bans manipulative design and unfair marketing practices;
  5. limits government access to personal data;
  6. provides for a private right of action;
  7. preserves states’ rights to enact stronger provisions; and
  8. establishes a federal data protection agency to enforce these new rules.

EPIC has been calling for comprehensive federal privacy legislation for over 20 years. In July 1999, then-EPIC Executive Director Marc Rotenberg testified before Congress and said:

[T]he recent developments in the online industry make clear the need for privacy legislation. For those who are willing to look closely, there is little indication that self-regulation is working. Privacy policies read more like warning notices and disclaimers. The proposed merger of Internet advertising giant Doubleclick and the largest catalog database firm Abacus demonstrates many of the shortcomings of the self- regulatory approach. The merger would significantly undermine online privacy as advertising is radically transformed. In the absence of a legal framework for online privacy, Internet-based services are also being offered without privacy protections that would otherwise be required. The Internet is quickly becoming a privacy-free zone, where companies can push new products past an unsuspecting public.

He went on to warn of what has become the surveillance advertising ecosystem of today:

In practical terms, advertising will be radically transformed. Where once advertisers could reach segmented markets and still allow potential customers who browsed a news magazine or watched a television show to safeguard their privacy, now advertisers will literally be watching potential customers even as those customers are reading web-based ads. Enormously detailed secret profiles of Internet users will be developed based on transactional records, purchase histories, and clickstream data.

But Congress failed to act in 1999 and in the over 20 years since then, and EPIC’s predictions unfortunately came true. Earlier this year, EPIC Deputy Director Caitriona Fitzgerald said in testimony before Congress:

The United States faces a data privacy crisis. Large and powerful technology companies invade our private lives, spy on our families, and gather the most intimate details about us for profit. […] These industries and systems have gone unregulated for more than two decades. And the result has been uncontrolled data collection, large scale data breaches, and an ecosystem dependent on a few large commercial surveillance platforms. […] We need comprehensive, baseline privacy protections for every person in the United States, changes to the business models that have led to today’s commercial surveillance systems, limits on government access to personal data, and strong enforcement of privacy protections.

EPIC's Experts on Proposed U.S. Privacy Legislation

Support Our Work

EPIC's work is funded by the support of individuals like you, who help us to continue to protect privacy, open government, and democratic values in the information age.