Columbus, OH – On Thursday, The Buckeye Institute released a new policy report, Key Principles for State Data Privacy Laws, detailing a free-market approach states should take in passing data privacy laws and outlining the failed European approach that some states have explored.

“Data privacy protection requires tradeoffs and flexibility, and the one-size-fits-all European model that some states have pursued is doomed to fail,” said Logan Kolas, an economic policy analyst with the Economic Research Center at The Buckeye Institute and the report’s author. “Fortunately, there is another option. By adopting a free-market approach and following The Buckeye Institute’s principles, states can strike a better balance between consumer protections, market needs, and regulatory burdens.”

In the absence of comprehensive federal data privacy legislation, Kolas outlined eight principles that states should use as a guide in considering data privacy legislation. 

1. Grow the Online Economy by Adopting an Opt-Out Only Approach to Data Collection. Give consumers the option to opt out of sensitive data collection—but they must bear the market consequences of those decisions.
2. Protect Small Businesses by Narrowly Tailoring Data Privacy Laws. Data privacy laws should be narrowly tailored to shield small businesses from harm and to promote market competition.
3. Allow Businesses to Develop Flexible Pricing Models. Failing to let prices fluctuate will disrupt market signals, lead to lower quality services, and risk more failed businesses. 
4. Give Businesses Discretion in Notifying Consumers of Privacy Policies. Data privacy notices are written by lawyers for lawyers, not for consumers. Giving businesses more discretion will make policy notices more understandable to consumers.
5. Protect Against Data Breaches by Eliminating Data-Collection Mandates. The more data that is collected to comply with data privacy laws, the more sensitive information hackers can access, retrieve, and expose.
6. Incentivize Best Practices, Don’t Mandate Risk Assessments. States should avoid requirements that mandate costly risk assessments and instead encourage the adoption of sound internal privacy policies by providing an affirmative defense for compliance with National Institute of Standards and Technology (NIST) best practices.
7. Safeguard Responsible Businesses from Frivolous Lawsuits. Executive enforcement of data privacy laws should be the province of state attorneys general and avoid messy, expensive, and often frivolous lawsuits—but state law should limit executive power by clearly defining enforcement rules.
8. Keep Data Out of Government Hands. To quell fears over technology companies giving consumer data to the government, states should explicitly prohibit government agencies from collecting consumer and personal data from technology companies without a subpoena or warrant.

# # #