We’ve all experienced the pang of dread at news of another data breach or the hacking of sensitive personal information. Was my personal information leaked? Was my private data hacked? The only thing more nerve-wracking than being the one whose personal data was leaked is being the business that was hacked, and having to publicly break the bad news to thousands of customers.

As president of the Connecticut Retail Merchants Association, I work with our members to do everything we can to avoid that pang of dread. Unfortunately, there is no national policy framework governing data privacy. It’s clear that America is overdue for new regulations that protect our personal data, as technology continues to change the way we connect and do business.
Negligent management of consumer data has led to a disturbing pattern of data leaks and mishandling of sensitive information. Our names, ages, email addresses, credit card numbers, photographs, and even home addresses have been left unprotected. Often they are easily accessible online to identity thieves and criminals. It is time for comprehensive reform to end these criminal activities, without leaving small businesses stuck with costly compliance procedures.
Democrats and Republicans in Congress agree that we need ground rules when it comes to handling sensitive personal information online – but the path to getting there is not yet clear. Some want to punt on the issue by leaving data privacy decisions to the various states. Others believe we need a concrete framework on the federal level. Only one of these options is viable: To meaningfully address this issue we need one set of rules across the nation. We need Congress to pass legislation.
A federal approach to this issue would universally and fairly protect consumers while preserving technological innovation. Furthermore, it is the only way to ensure regulatory consistency and ethical practices across the board. A state-based approach risks creating a complicated patchwork of solutions with inconsistent guidelines. Dozens of different state approaches would mean dozens of different sets of rules for companies and consumers to navigate.
Imagine if companies could sell your information to anonymous third parties in the state where they are headquartered, even if they are not allowed to sell such data in the state where you live. What if only some states required encryption of sensitive user data, like credit card information? Would companies migrate to the states that have unrestrained privacy policies letting them collect and sell our data more freely and for a greater profit? These are just a few reasons that a patchwork of different state privacy rules would be unruly, and would not sufficiently protect American consumers.
In a time when people, devices and businesses are more connected online than ever, we need laws that apply fairly and consistently – not rules arbitrarily based on state borders. Only strong legislative action from our elected officials in Washington can accomplish that.
As a consumer, I don’t want a system full of loopholes when it comes to companies handling my sensitive information. And as a representative of retail businesses across the state, I want customers to know that their data is being stored securely and used responsibly, regardless of where they live. That’s why I encourage Congress to pass a comprehensive federal law to modernize our digital privacy policy.
Tim Phelan is President of the Connecticut Retail Merchants Association.