Security breaches involving the loss or theft of massive amounts of personal data have revived the call on Capitol Hill for some kind of security bill to preempt inconsistent action by the roughly 30 states now considering bills related to consumer data. Unfortunately, the whole furor has moved in the direction of reviving legislative interest in European-style data protection rules, which would broadly regulate the collection and use of consumer information by legitimate businesses.
This would be a very bad thing. People acting in the economy need information about other people to make good decisions. Startups and new businesses in particular, especially those going up against an established competitor who already has established consumer relationships,
need to know about the potential market for their product. Consumers need information too. Empirical studies have show how advertising and marketing help keep product quality high and prices low; even though ads are biased, they do give consumers basic information such as the name of the product and what it does, letting them know about alternatives. Furthermore, it would not improve security, because the theft of data is a problem quite distinct from the legitimate use of data in product development. Restricting the use of social security numbers as identifiers would increase the confusion of accounts with identical names.
It is hard for businesses to contend with 50 different inconsistent state laws. But adopting the European model would be a drastic mistake for consumers and small business.
For more, see