Federal Privacy Law Debate Hinges on Preemption, Not Consumer Rights, New AEI Analysis Finds

Federal privacy legislation deadlock stems from federalism disputes over state preemption, not consumer rights, with 22 state laws creating compliance burdens that disproportionately harm smaller firms and consumers.

The ongoing fight over federal privacy legislation is fundamentally about federalism rather than consumer protections, according to a new analysis published June 8, 2026 by the American Enterprise Institute. The analysis, written by Senior Fellow Will Rinehart, examines the SECURE Data Act and the political stalemate preventing passage of a national privacy standard. Since California passed the Consumer Privacy Act in 2018, the landscape has fragmented dramatically: 22 different state privacy laws now exist, each with unique requirements and structures that force businesses to repeatedly adapt their compliance strategies.

The core political deadlock centers on preemption. Republicans support national privacy standards largely because those standards would override the growing patchwork of state laws, while Democrats resist any federal compromise that might preempt specific state legislation like Illinois's Biometric Information Privacy Act or Washington's My Health My Data Act. The SECURE Data Act includes provisions not found in state bills, including a federal data broker registry, parental controls and sensitive-data treatment for teens aged 13 to 16, extension to common carriers, and a Code of Conduct certification modeled on the Children's Online Privacy Protection Rule safe harbor. Even critics acknowledge the bill "closely resembles many of the existing state comprehensive privacy laws…in terms of its structure, terminology, consumer rights, and business obligations." The bill includes a litigation process to settle preemption disputes, though this doesn't guarantee which state laws would ultimately be overridden.

According to Rinehart, the debate over data minimization reveals deeper tensions about privacy regulation's real-world effects. Privacy advocates like Caitriona Fitzgerald of the Electronic Privacy Information Center testified that "a core weakness of the Secure Data Act is its lack of a real data minimization." But the report notes that research has found minimized datasets don't actually reduce privacy risk as imagined because datasets have correlations that make it possible to reconstruct minimized data. The report states that "the consensus in economics is that privacy laws create real compliance costs and real frictions in data use, which are not evenly distributed."

The analysis explains that privacy laws don't simply raise compliance costs—they fundamentally reshape market structures. Data serves as an input for advertising, credit, fraud prevention, product development, and competition itself, and when regulations limit that input, the costs fall hardest on smaller firms, new entrants, and consumers who benefit from data-enabled services. Collecting less data doesn't sever the correlations that create privacy risks, but it does prevent data from being used for new products. The tradeoff isn't between privacy and corporate profits—it's between different types of costs and who bears them. Under the current patchwork system, businesses face unpredictable compliance burdens that vary by state, making it harder for smaller companies to compete and raising barriers to entry across the market.

Rinehart argues that Congress needs to be honest about these tradeoffs: privacy rules protect consumers but simultaneously reshape markets, alter competition, and impose real costs on companies and consumers alike. A federal privacy law with meaningful preemption won't eliminate every cost of privacy regulation, but it would make those costs more predictable and uniform across all 50 states. The choice isn't between regulation and no regulation—it's between a single national standard and a sprawling system where companies navigate 22 different state regimes, with more likely to come.