Data Privacy Regulations
In an increasingly digital world, governments at all levels around the globe are enacting internet privacy rules that are proving complex and burdensome, particularly for many Small Businesses.
In addition to global rules, as of 2025, 20 states have enacted their own privacy laws, forming a patchwork of complex regulations to which businesses must adhere.
There is currently no federal law governing data privacy, despite numerous congressional efforts to pass one.
Small Businesses need clear guidelines that fit the U.S. legal system, one that targets abuses, encourages innovation, and permits reasonable flexibility.
Working solutions
NSBA supports a federal data privacy standard that provides uniformity and clarity for America’s Small Businesses. In the absence of congressional action, federal agencies, primarily the Federal Trade Commission (FTC), have been left to their own discretion to enforce privacy-related rules within their jurisdiction.
In short, the current system is capricious and lacks the clarity sought by Small Business. NSBA recommends that Congress consider the following in any future efforts to create a federal data privacy law:
- Strong preemption language, so that there is little doubt that the federal law supersedes state laws that address privacy. Only this language will provide uniformity in privacy standards and undo the complex patchwork of data-privacy policies in the U.S.
- To protect Small Businesses from frivolous litigation, enforcement of a federal data privacy standard should be left to agencies and state attorneys general rather than to individuals through a private right of action.
- If a federal privacy standard includes a Small-Business carveout, that carveout must be clear and unequivocal.
Small-Business owners overwhelmingly handle their online security themselves.
