According to the data presented by Atlas VPN, only 4 out of the 50 US states have enacted consumer data protection laws. Furthermore, the United States is falling behind third-world countries in establishing privacy laws that would protect its citizens.

The data is based on the International Association of Privacy Professionals (IAPP) US State Legislation Tracker and Global Privacy Directory. The research analyzes Legislation Tracker numbers updated on April 28, 2022.

Consumer data protection laws establish consumers' rights around access, deletion, and portability of personal information. Also, it provides the right to opt-out of targeted advertising and the sale of personal data.

California, Utah, Colorado, and Virginia are the only states with enacted consumer data protection laws. However, California is the only state with an effective Consumer Privacy Act. Data protection laws in the other states are set to take effect just in 2023. Utah governor signed the privacy bill on March 24, 2022, making Utah the latest addition to the club.

Connecticut passed the Data Privacy Act (CTDPA) on April 28, which is now headed to the state’s governor's hands for signature. Alaska, Louisiana, Massachusetts, Michigan, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Rhode Island, and Vermont data protection bills are moving through committees in their chambers of origin.

In all other states, the consumer privacy bills are inactive, or no comprehensive bills were introduced at all. The internet has been around for a quarter-century, yet the United States has yet to implement legislation forcing its businesses to comply with meaningful data-privacy regulations.

Privacy laws worldwide

General Data Protection Regulation (GDPR) implemented by the European Union (EU) in 2018 was a groundbreaking change for consumer data protection. This international privacy law impacts any organization that processes EU citizens' personal data. GDPR set the standard for privacy regulations worldwide.

Companies based in the US were required to comply with GDPR as they serve millions of EU citizens. Facebook, Google, Apple, and other tech giants had to revise their privacy policies and create tools for customers to give them more control over their data. However, US citizens would not have the same recourse.

The substantial increase in internet adoption across the globe has prompted several countries to enact data protection laws. The establishment of privacy acts in Africa, South America, and Asia has helped countries to align with the best global practices on data protection and privacy. 

So why and how have American consumer data protection laws fallen behind and are in the same category as countries like Iraq or Ethiopia? One of the reasons is that there is no agency in the US to enact privacy laws. The closest equivalent Federal Trade Commission (FTC) simply does not have such powers to enforce the rules over a range of businesses.

In addition, big tech giants in the US have been opposing data protection regulations for years. If a similar law to GDPR were to be implemented in the US, it would significantly affect their business. Tech giants would not be able to collect and control so much data about their customers.

Congress could establish a consumer data protection legislation that proactively reacts to the digital age challenges to create a broader vision of human well-being. The US cannot wait forever and will need to implement privacy laws sooner or later. The regulations they choose will have global consequences for data privacy.