Data and Consumer Privacy


Policy Note

The new digital economy presents a myriad of opportunities for individual consumers and companies to achieve better products, services, and information.

As the economics of personal data and access to personal data grow, there is a need to better understand and communicate the importance of how data is collected, shared, and used to provide consumers with products and services that improve their lives.

In this policy note, the Consumer Choice Center presents several recommendations to lawmakers and regulators in key jurisdictions, hoping to better inform the next generation of legislation related to data and consumer privacy. This builds on our previous primer on consumer privacy and data security, released in 2019.


Several legislative efforts on data brokers, privacy, and data collection have been implemented in states such as California and Vermont, as well as the General Data Protection Regulation in the European Union, but they take the position of making it more complex and convoluted to handle consumer data for firms and consumers alike.

These existing data laws limit the opportunities for consumers and entrepreneurs to benefit from the exchange of data that has proven integral to providing value in all of our lives, especially in the midst of a pandemic. What’s more, these rules often target entrepreneurs and legal businesses while downplaying the significant impact of piracy, hackers, and criminal activity.

What consumers need and want from the data economy are high levels of assurance when it comes to privacy, stewardship, accessibility, encryption, and portability. Many private-sector solutions exist, and we should champion the best to provide the best options for consumers. We should also try to avoid laws that would encourage frivolous lawsuits, create a patchwork of rules across jurisdictions, and facilitate identity and intellectual property theft.



  • Champion Innovation

  • Defend Portability

  • Allow Interoperability

  • Embrace Technological Neutrality

  • Avoid patchwork legislation

  • Promote and allow strong encryption


In California, the Consumer Privacy Act of 2018 requires that companies calculate the value of individual data, provide opt-outs, inform consumers if their data is being sold, allow consumers to request that data be deleted (right to be forgotten), and allow consumers access to the data collected by said firms in readable formats.

Vermont’s privacy law requires companies to inform consumers of data breaches directly, and also prohibits some forms of targeted advertising specifically when it comes to students.

Both of these laws contain elements of the EU’s GDPR, which has now been in effect for close to 3 years. As has been noted by several analysts, the enormous compliance costs and efforts have meant a significant reduction in both investment and market activity from small and medium-sized firms that relate to data. What’s more, European users have since been cut off or blocked from using many services outside EU jurisdiction as firms are avoiding running afoul of the strict regulation. That has resulted in fewer products and services available to European citizens.

These previous attempts at privacy laws are flawed for the following reasons:

First, many parts of these laws stymie and prevent innovation. By making it more difficult and costly for firms to handle consumer data, companies are less incentivized to invest resources in innovative consumer services and offerings, resulting in less consumer choice and a higher barrier of entry for new competitors.

Second, at least in the cases of Vermont and California, these laws create a patchwork of regulation that makes compliance difficult or nearly impossible for firms operating in both the national and global marketplace, thereby driving up costs and depriving consumers of these firms’ services irrespective of which state they reside in. A national law or widely adopted (and ideally global) industry self-regulation, which protects consumer privacy and also champions innovation, would be preferred.

Third, calculating data value for each and every firm’s customer and detailing every aspect of how that data is used is nearly impossible, vastly increasing costs for services that will inevitably be passed on to consumers.

Fourth, these laws do not take into consideration existing business practices that already provide adequate consumer and data protection, and have thus been used as industry standards. They also thwart innovative practices such as targeted advertising, geo-targeting, and personalization, which consumers prefer.

Last, each of these privacy laws further emboldens litigiousness, sparking new lawsuits and trials that would serve to vastly increase the cost of normal consumer products and services.


Considering that thousands of firms have both safeguarded and used consumer data responsibly, lawmakers should seek to create clear and uniform rules that respect current standards, allow innovation, and provide clarity to both firms and consumers. Privacy rules that place an undue burden on companies following the law, rather than target the most blatant examples of data breaches and impropriety, will end up raising the cost of doing business and thus raise prices for consumers.

There should be recognition that consumers willingly give data to firms in order to receive a final service or good that will be useful to them. As long as proper procedures are followed, and no data is leaked or changes hands without authorization, there should be no additional regulatory requirements that would serve to complicate a consumer’s voluntary relationship with a firm.


Consumer-friendly data portability should be a reasonable standard applied to most firms that complete data transactions. Most of today’s firms allow personal data to be exported for review, but that data should also remain confidential and secure to avoid potential exploitation. If portability standards are kept too lax, this would be an invitation to hackers and pirates looking to profit from identity or intellectual property theft.

Given the fast pace at which this environment changes, industry standards might be a more agile way of enforcing portability as compared to regulation.


Where necessary, firms should be incentivized to maintain open data standards that can be used between platforms. However, considering the fast-moving nature of data structures and standards, lawmakers should avoid favoring a particular method of data collection or export, whether that be JSON, HTML, or otherwise.

Rather, a broad principle of “technological neutrality” would allow the best standards to naturally evolve rather than be arbitrarily determined by regulatory bodies. Enforcement of interoperability standards would therefore be agreed to by firms handling data, and not necessarily determined by law. Consumers should ultimately decide if they want a service or product that either allows interoperability or not. The wide acceptance of apps and standards such as Apple CarPlay shows that most companies favor such standards that allow consumers to benefit by “plugging in”.


Because standards and technologies change so quickly, lawmakers should avoid legislation that favors a particular method or technology in data privacy rules. Applying a uniform rule on the format or process of technology would serve to limit the amount of innovation and natural evolution that currently defines our existing tech sector.

In all cases, legislation should embrace and encourage competition and consumer preference to determine the best technology. Technology changes too quickly, and too much regulation might keep new technologies and standards from emerging as fast as they could within a more flexible framework.


Due to the ever-growing consumer base across both state lines and international borders, state-by-state regulations that would impose different rules on different residents should be avoided. This patchwork of legislation would increase the cost of delivering services in an efficient manner, and would likely stunt the availability of various products or services to consumers in various jurisdictions.

As such, a broad and agile uniform standard should be agreed to at the federal level, rather than individual states or municipalities.


The use of encryption by both individuals and firms is essential to our digital rights online. Many legislative proposals since the 1990s have attempted to outlaw cryptographic methods of securing and encrypting data. Most of these proposals have been justified on national security and law enforcement grounds. That said, existing laws on judicial warrants and Fourth Amendment protections apply to firms, and there is no reason to believe that a ban on encryption would make this easier or more productive. 

Lawmakers should recognize citizens’ rights to encrypt and protect information and should extend this to the proprietary encryption methods that firms and companies use that serve their customers. Protecting rights to encryption is a safe and effective method to ensure consumer and data privacy can be upheld, whether that be medical data, personally-identifiable information, or financial data.


As we have outlined, there are examples of existing laws on data and consumer privacy that go far beyond the scope of consumer protection. Often, these laws serve to thwart innovation and slow down the progress that firms and companies can deliver to their customers. What’s more, a regulatory approach that is far too restrictive or cumbersome will serve large incumbent players that can afford the additional costs while locking out start-ups and new competitors.

If the legislative recommendations of championing innovation, defending portability, allowing interoperability, embracing technological neutrality, and protecting strong encryption are followed, consumers can be assured that their data and information can be protected, kept secure, and can be responsibly utilized by firms and companies to provide all of us with the value that we seek.



Yaël Ossowski
Deputy Director

David Clement
North American Affairs Manager
