As more state privacy laws come into force, the U.S. digital economy risks becoming increasingly fragmented. This growing regulatory fragmentation threatens to weaken innovation, create new barriers to digital trade, and undermine U.S. international economic relations. Congress must pass well-designed privacy legislation with strong preemption power that harmonizes privacy rules across business sectors and state boundaries.

Unlike other major jurisdictions — such as the European Union, the United Kingdom and Japan — the United States does not have a comprehensive privacy law. Instead, more than a dozen federal laws provide the legal framework for privacy rules in particular sectors, such as financial services, healthcare and education. For instance, the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act impose certain privacy obligations on financial institutions, while the Family Educational Rights and Privacy Act creates privacy rules for educational institutions. Such sector-specific statutes have created a patchwork of privacy rules and a complex division of regulatory powers between federal and state regulators.

Without a comprehensive federal privacy law, many states have sought to pass their own privacy legislation. California, Colorado, Connecticut and Virginia have enacted laws that are already in effect. Eight other states have passed legislation that will take effect between now and January 2026, and three more states have privacy bills pending in their legislatures.

Despite some similarities, the divergent requirements of these state-level laws risk deepening regulatory confusion and uncertainty for U.S. and foreign businesses alike. Many businesses are already unaware of their increasingly complex compliance obligations, and the challenge will only grow as more laws take effect, as happened this month when Connecticut’s and Colorado’s privacy statutes came into force.

As state privacy laws add to an already confusing privacy landscape, the U.S. regulatory environment risks becoming less business-friendly than its international counterparts. Since the European Union’s General Data Protection Regulation (GDPR) took effect in 2018, many U.S. and European businesses have rightly voiced concerns about certain overly restrictive provisions of the measure. By comparison, however, U.S. privacy rules look increasingly complicated, as U.S. and foreign businesses must grapple with divergent, ever-changing obligations imposed by overlapping federal and state statutes. Consequently, without a federal privacy law with preemption powers, proliferating state-level laws could increase transaction costs, create new trade barriers, and make America’s regulatory environment less attractive to foreign businesses.

Against this backdrop, Congress sought to pass a data privacy law last year. However, the well-intentioned but flawed American Data Privacy and Protection Act, which would have left the existing federal sector-specific statutes in place and exempted certain state privacy laws from preemption, would not have done enough to create uniform privacy rules across sectors and states.

Meanwhile, more U.S. lawmakers advocate a data privacy law modeled on California’s privacy legislation. Not only are certain aspects of such proposals more restrictive than the European Union’s legislation, but they also leave out some of the GDPR’s positive aspects, such as limits on how government entities access and process personal data.

As the threat of an increasingly fragmented digital economy looms, the United States needs federal privacy legislation. Congress must ensure that such a law does not create more problems than it solves.

To that end, a federal privacy law should follow three basic principles.

First, it should preempt the growing patchwork of state and federal statutes that create different rules for different sectors and jurisdictions.

Second, it should establish the same legal standards for all industries but create distinct rules and liabilities for different data types. For example, a consumer’s music streaming preferences do not carry the same privacy risks as sensitive financial and medical data, and privacy law should set its rules accordingly.

Congress should distinguish between non-sensitive data and sensitive data, such as educational records and biometric data. Likewise, an ideal privacy law should create different rules for data used to provide critical services and data used to provide non-critical ones. The strictest privacy standard should apply to sensitive data used to deliver critical services, such as surgeries, while the least strict standard should apply to non-sensitive data used to provide non-critical services, such as music streaming.

Third, federal privacy legislation should develop separate rules based on the level of risk created by how companies collect, process, use and store consumer data. Allowing businesses to use certain privacy-enhancing technologies — such as differential privacy techniques — under a lightened regulatory framework can promote innovation while reducing privacy risks. Any such lighter treatment should be conditioned on the technique actually being applied as specified, since the guarantees of differential privacy depend on its parameters, such as the privacy budget, and ad hoc de-identification offers no comparable protection against re-identification.

As more state privacy laws come into force, now is the time for carefully designed, principles-based federal privacy legislation. Otherwise, increasingly divergent privacy rules will create trade barriers while sowing more confusion for consumers about how their data is processed and used across state lines. A pro-consumer, innovation-friendly federal privacy framework would promote U.S. economic competitiveness and trade while reducing privacy risks.