In 2023, the US experienced a surge in consumer data privacy legislation, with over 350 bills introduced across 40 states and Puerto Rico. By mid-2024, 20 states had enacted comprehensive data privacy laws, creating a complex and evolving regulatory landscape that is expected to continue shifting through 2026. As these regulations are implemented, businesses will face new compliance challenges while balancing privacy protections with service quality and the need to innovate.
In a digital economy where data’s value as an asset and competitive advantage continues to grow, these evolving laws are poised to reshape market dynamics, influence competitive practices, and compel businesses to rethink their strategies for data management and consumer trust.
Together with data privacy, data portability—that is, users’ ability to access and transfer their personal data—data interoperability, and data reciprocity, all feature as top concerns related to users’ data rights and fair competition. While the ease of switching platforms can stimulate innovation in complementary services, regulatory oversight is crucial to maintain technical standards and ensure proper implementation. Regulations in this space have progressed from simply authorizing efforts to digitize and transfer records in finance and health care[1] to more comprehensive protections across digital services.
The ex-ante approach applied to Big Tech companies in recent regulations (such as the EU’s Digital Markets Act (DMA) and proposed US legislation) focuses on controlling company size rather than specific practices. While this is largely due to concerns about market share and monopolization, regulating monopolies’ use of data creates novel and unique challenges.
Google’s market dominance illustrates the difficulties in regulating data-driven monopolies. With 90 percent of US search queries, according to Reuters, and 95 percent of all mobile paid search ad clicks searches, Google’s vast search index and exclusive distribution agreements solidify its dominant market position. Considering the value of its data, regulators are now debating whether Google’s search index could qualify as an essential facility—a concept that once applied almost exclusively to physical infrastructure. This raises questions about whether valuable data such as click-through rates, user behavior, and search query trends should be shared to enable fair competition. In Google’s case, regulators question whether its search index belongs to Google or is merely a tool to sort content it doesn’t own. Google’s practice of scraping websites for data, also raises concerns about ownership and fair use, particularly considering that opting out of permitting Google to do so would mean losing significant visibility for websites featured by Google’s search index.
Another stream of efforts addresses the need to regulate specific practices to avoid dishonest or illegal data use by relatively smaller market players. Data minimization principles, as outlined in regulations like the European Union’s (EU’s) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, aim to ensure that only necessary data is collected. Simultaneously, heightened scrutiny measures are essential to protect data transfers against inherent security risks and privacy concerns. For instance, the EU-US Data Privacy Framework, implemented in 2023, includes enhanced oversight mechanisms to address these issues in transatlantic data flows, improving data reciprocity. The Center for European Policy Studies also emphasizes two other multilateral initiatives facilitating cross-border data flows, including the 2022 OECD Declaration on Government Access to Personal Data Held by Private Sector Entities and the G7’s Data Free Flow With Trust Initiative. Such regulations face the need to uphold interoperability and data mobility standards while considering concerns related to privacy and security that result from increased access to data.
On the industry side, consumer-facing platforms have resorted to mitigation of switching costs to increase the mobility of user’s data. In 2010, Facebook introduced “Download Your Data,” a social media feature allowing users to transfer their content. Google Takeout soon followed in 2011, a centralized portability service with broader capabilities for user control. With the growing awareness of data ownership and accompanying regulatory pressures, several Big Tech companies, including Apple, Google, Facebook, Microsoft, and X (formerly Twitter) partnered together in the Data Transfer Initiative, a multi-platform, open-source initiative to expand collaborative standards across digital ecosystems. Potential innovations like personal data stores and “data wallets” could also emerge from increased competition and interoperability.
However, increased integration heightens security risks tied to data collection and storage. As discussed by The Washington Post, Facebook’s handling of data privacy has faced growing scrutiny from lawmakers. Notably, the Cambridge Analytica scandal exposed how the unauthorized collection of millions of Facebook users’ data for political advertising during the 2016 US election heightened awareness of data value. This led to a $725 million settlement in 2022, the largest in US data privacy class action history. As of June 2024, CNN reports that the Supreme Court is set to consider an appeal regarding Facebook’s disclosure to investors. While clear insights into data usage are essential for informed consumer decisions, the lack of transparency—especially regarding hidden data collection—undermines true consent.
The evolution of data as a form of capital in the digital economy has profound implications for consumer welfare, market competition, and privacy rights. As data collection increasingly encompasses personal information, browsing habits, and, CBS News reports, even biometric data, the power imbalance between users and tech companies becomes more pronounced.
While data portability could reduce switching costs and foster competition, it also risks redefining data control in a broader advertising ecosystem. Challenges remain in sharing infrastructure, addressing the high psychological and practical switching costs, and determining data ownership, as illustrated by the case of Google. In January 2021, the court consolidated two cases filed against Google by the US Justice Department and 38 states, Simpson and Thatcher reports, and on August 5 this year, a federal judge ruled that Google had acted anticompetitively as a monopolist to uphold its market power, as reported by The New York Times. This outcome is likely to significantly impact how datasets are treated and shared in the future, balancing a need for competition with concerns over privacy and innovation incentives. A Bloomberg article reports that remedies to Google’s monopoly currently under consideration include forced data sharing, banning exclusive contracts, or even a potential breakup—which would be the largest since AT&T’s dismantling in the 1980s.
Yet, the effectiveness of legal remedies in addressing data concerns has yet to be determined. Under the EU’s GDPR, for example, Google’s dominance did not weaken. Instead, Google’s market position became stronger relative to small and medium-sized enterprises, which were disproportionately affected by implementation costs and processing restrictions, according to a Taylor & Francis article. Jones Day states that as the US considers its first comprehensive federal data privacy and protection bill, lessons from Europe’s GDPR are relevant. The European experience shows that new privacy regulations could impose considerable costs on businesses of all sizes, not just Big Tech companies.
According to a Sage Journals article, data has evolved from a mere by-product of transactions to a form of capital across industries, with potential consequences ranging from targeted advertising to algorithmic decision-making that can affect credit scores, job prospects, and more, according to Forbes. This raises questions about meaningful consent and fair compensation when users lack the power to negotiate terms or effectively opt out without significantly limiting their digital participation. The absence of user agency in these agreements challenges the notion of truly free and voluntary participation in data sharing.
While most US users support increased data regulation and trust their own privacy decisions, according to the Pew Research Center, data from Europe show a discrepancy between consumers’ views and actions. In the UK, only 19 percent of consumers exercised GDPR data portability rights, compared to an average of 13 percent across the other 28 European countries, as shown in a Milken Institute 2019 survey. This discrepancy suggests that improving digital awareness alone is insufficient. Addressing the issue may require structural changes in the relationships between tech companies, regulators, consumers, and various industry stakeholders to effectively enhance data protection and user empowerment.
As state-level data privacy laws continue to be implemented through 2026, a new federal proposal, the American Privacy Rights Act (APRA), introduced in April 2024, aims to establish a uniform national data privacy standard. Reuters reports that the APRA proposes comprehensive privacy rights for consumers and compliance requirements for businesses, including data minimization and algorithmic impact assessments. While the bill offers stronger enforcement mechanisms like allowing individuals to sue companies for non-compliance, it faces challenges such as state preemption issues, particularly with California, as reported by Forbes.
Despite this federal effort, the patchwork of state regulations remains a significant challenge. If successfully passed, the ARPA will likely continue to necessitate the development of technical solutions for compliance and data portability. As the value of consumers’ data continues to rise, international data transfer agreements will remain crucial for securing cross-border data flows and setting a baseline for privacy commitments in a complex regulatory environment.
Welcome to the June edition of our newsletter! As we step into the vibrant month ahead, we're embracing the spirit of triumph over adversity. With the celebration of Juneteenth, Pride, and Immigrant...
As spring blossoms and the world awakens to vibrant colors, we look forward to celebrating a month filled with cultural richness and historical significance. May 1 marks International Workers' Day, a...
