Data Privacy, Or the Lack Thereof
You have no secrets that the Internet does not know about you. Data containing your basic information, like your birthday, phone number, license plate number or last five addresses, has been scraped from government websites or social media platforms. To feed predictive algorithms and targeted ad software, as well as anyone else willing to buy your data, your hobbies, interests, fears, questions and digital habits have been tracked and noted.
It isn’t a secret that users pay for “free” services like Instagram or Google through their data. Oftentimes, this is a mutually-beneficial relationship. Data collection begets personalized social media feeds, search results and advertisements, making the online experience more enjoyable. However, data collection also begets leaks of personal information to people outside of these major technology companies and a total loss of control or knowledge about your data.
In response, many governments worldwide have passed far-reaching data protection laws. The European Union’s General Data Protection Regulation (GDPR) is the most comprehensive, outlining people’s rights to be informed about and control their personal data. Most notably, their Right to be Forgotten clause allows people to choose to delete parts of their personal information off of the Internet if they so choose. South Korea’s Personal Information Protection Act (PIPA) established a Personal Information Protection Commission (PIPC) that aggressively regulates potential data leaks, especially cross-boarder cases. In India, companies that are found violating their Digital Personal Data Protection Act (DPDPA) are fined up to $30 million. In fact, out of all of the major technology players in the world, the United States is one of the only nations without a robust federal data privacy framework.
Despite the lack of regulation, data privacy is a relatively big policy issue in the US. Twenty states separately have robust data privacy laws. California’s California Consumer Privacy Act (CCPA) gives California residents the right to opt out of providing for-profit technology businesses with their data and to correct online personal information about them. Colorado also allows residents to opt out of data-intensive services, and they are particularly strong in regulating artificial intelligence, and Texas aggressively keeps big technology companies accountable when it comes to how they handle user data, famously reaching a $1.3B settlement with Google in 2025 over their geolocation, biometric data and incognito mode data practices. Federally, data privacy laws, such as SAFE DATA Act in 2021, the American Data Privacy and Protection Act in 2022, the American Privacy Rights Act in 2024 and, most recently in this year, the SECURE Data Act, have been proposed and often receive bipartisan support. Yet, none of them have passed.
What, then, stops the US from enacting nationwide data protection measures? Economically, it’s because big technology and advertisement technology companies have massive power. The US data economy, which includes behavioral advertisements, data brokerage, and, recently, AI training data, is dominated by big tech and ad tech. Collectively, the industry is worth roughly a quarter trillion dollars, and many of the US’ largest companies, such as Google, Amazon, NVIDIA and Apple, have business models that significantly revolve around the data economy in some way. Enforcing large-scale regulations on how data is handled would undoubtedly harm these lucrative data companies. Currently, the industry standard is assuming that, by default, people consent to their data being used and selling data is legal. The fact that there is virtually no friction in the data flow from user to collection company to data sale is what allows the advertising industry to be so specialized and software developers to have enough data to train artificial intelligence models. To protect the status quo, big tech companies invest upwards of $70 million annually to lobby against federal privacy measures.
On the politics side, there is little incentive for people to advocate for change either, and politicians who run on robust technology platforms or come from states with their own data privacy laws are actually often unwilling to support national measures. One such politician is former Speaker from California Nancy Pelosi, who supported California’s CCPA but opposed the national ADPPA. This phenomenon is a result of the uneven state-by-state regulation landscape the US currently has. Federal law would override state legislation, but any federal data privacy act will, by nature, be less comprehensive than more aggressive state laws. Thus, states who theoretically would be major supporters of a data privacy law, such as California, are unwilling to give up on provisions they already have in order to accommodate a less thorough national policy.
Structurally, the federal government itself depends on aggressive data collection practices. In 2022, the Office of the Director of National Intelligence declassified a report noting that government agencies like the Department of Defence, Internal Revenue Service and Federal Bureau of Intelligence purchase data from commercial data brokers. Typically, due to the 4th Amendment, government agencies would need warrants to obtain personal information such as real-time location data, financial information and communication records. However, all of the aforementioned information is available for sale through companies that collect online data, allowing the government to bypass the standard bureaucratic procedure. For example, LexisNexis has a multi-year $22.1 million contract with Immigration and Customs Enforcement to provide the government organization with a database of personal information pulling from upwards of 10,000 sources. The government also has partnered with private tech companies to create products, largely surveillance-related, that indirectly rely on unregulated data collection. Palantir’s ImmigrationOS, an AI platform built for ICE, uses commercially-sourced data to create an AI model that allows ICE to identify, track, process and manage immigration cases in one system.
Given the data economy’s fundamentally embedded position within the federal government, it is unlikely that the US will have any substantial regulation on the matter in the foreseeable future. Yet, data privacy is still an issue that touches American’s everyday lives.
According to Javelin Strategy & Research’s 23rd edition of their Identity Fraud Study, published earlier this year, online scams affected 36 million Americans within the last year, and personal data leak-related losses amounted to a staggering $35 billion. Currently, 22% of Americans fall victim to personal data-related scams in their lifetime, but, as long as they use social media and the Internet, virtually anyone is susceptible. Because technology companies that collect data, such as those who operate social media sites or search engines, outsource data sorting to third parties that may also sell data to other companies, it’s currently impossible to trace where any individual’s personal data is at any moment. As a result, people-search websites like CheckPeople and InfoTracer that are unvetted by the government or even reputable technology companies can make sensitive information about thousands of people readily available for users.
Ultimately, the US’ inability to pass comprehensive data privacy laws on the federal level is reflective of a deeply entrenched personal data economy that fundamentally relies on unrestricted data flow. Without the current unregulated state of data collection and sales, big tech and ad tech, as well as the digital economies that rely on them, such as AI development, would not be able to flourish to the degree that they currently do. However, this is done at the cost of everyday people’s privacy and safety. Through an increasing amount of data breaches, identity theft scams, personal information leaks, and, on a larger scale, surveillance technology trained on massive amounts of unconsenting people’s data, Internet users pay much more than what they bargain for in order to use “free” online services. Yet, because there is a lack of federal regulation, it’s impossible to truly gauge how serious the issue is, and it is currently impossible to create an effective solution to the problem of data privacy.
Credits: Panumas Nikhomkhai via pexels
Grace Xie is a rising sophomore at Gallatin studying technology development & policy. Originally, she is from Georgia, and she loves spending time outside exploring NYC’s parks and piers. In her free time, she enjoys erhu music, skateboarding and dance, and she’s always open to a new book recommendation!
