The last best hope for federal privacy legislation arrived with the introduction of dueling bills by Sen. Maria Cantwell (D-Wash.) and Sen. Roger Wicker (R-Miss.) toward the end of 2019, coupled with a bipartisan draft discussion bill in the House of Representatives. These initiatives all took more or less the same line on individuals’ rights to access and control their data. More surprising, and more encouraging, they opened the door to obligations for businesses not to abuse consumers’ information — rather than merely to ask before doing so. Ideally, lawmakers would reformulate these obligations as what advocates and academics have dubbed a duty of loyalty and a duty of care that, in turn, require reasonable policies and practices and prohibit harmful ones.

The fact that legislators have drawn so close together on so many aspects of privacy regulation proves they’ve done their homework navigating a mind-boggling surveillance economy. Two issues, however, still prove vexing: preemption, or whether federal rules should override state ones, and a potential private right of action by individuals who allege they have been harmed. There are ways to split the difference in each of these areas. The whole point of federal legislation is to avoid an unworkable patchwork of conflicting mandates; as long as a nationwide law is sufficiently robust, it should preempt state laws that are inconsistent, while still allowing local strictures that fill gaps to stand. As for the right to sue, individuals should be empowered to seek redress — but only under certain circumstances, including financial loss or a defined set of egregious violations of privacy.