The running joke in privacy circles is that the United States will get a comprehensive federal privacy law any year now. It has been any-year-now for a decade.
What gets missed in the waiting is that a national standard has already effectively formed — not in Washington, but in the aggregate of state laws.
The patchwork has a shape
Look across the state statutes and a common core emerges: rights of access, deletion, correction, and portability; opt-outs for sale and targeted advertising; and recognition of universal opt-out signals. The details differ, the thresholds differ, the enforcers differ, but the obligations a large company actually implements have converged.
For a business operating nationally, the practical compliance target is simple:
- Build to the strictest common denominator.
- Honor universal opt-out signals everywhere, not just where required.
- Treat "sensitive data" as the broad category, not the narrow one.
Do that, and a future federal law is unlikely to surprise you. Most proposals on the table are less demanding than what a multi-state program already requires.
The strategic read
The interesting question is no longer "when will Congress act?" It is "what does the states' combined standard already require of me, and am I meeting it?" The patchwork is annoying, but annoyance is not the same as ambiguity. The standard is knowable today.
That is the kind of synthesis we will keep doing here: reading the whole landscape so you do not have to.