Data privacy has been top of mind for consumers, policymakers, regulators, companies, and entrepreneurs for the past several years, in the wake of broad privacy rules in the EU, and action in several U.S. states. The U.S., which has long had a sectoral approach to privacy, remains without a comprehensive privacy framework, and many states have reacted by proposing, passing, and implementing their own varying—and potentially conflicting—comprehensive privacy laws. The Internet does not stop at state borders, and as more and more states pass unique privacy laws, the volume of rules for startups to keep up with is growing, threatening to bury resource-strapped startups under duplicative compliance costs, limit their scalability, and burden their chances of success. This report seeks to enumerate those impacts of the growing patchwork of privacy laws upon the startup ecosystem.

Startups should be a key consideration as policymakers advance privacy rules. They have to navigate the same legal and regulatory framework without the resources of their larger counterparts—but much of the conversation focuses on the practices of large Internet companies. To adequately include startups’ experiences in data privacy debates, policymakers need a window into startups’ responses to privacy laws, the resources they devote toward compliance, and an understanding of costs—direct and indirect—imposed on startups. This report can provide these insights for policymakers in statehouses and Congress alike.

The findings of this report could not be more clear: the U.S. needs a consistently-enforced, uniform federal privacy framework to create privacy protections for all Americans and certainty for the startups that serve them. Startups vehemently endeavor to comply with the rules that apply to them, but an inconsistent state-by-state patchwork is unworkable and unnecessarily saps limited resources that startups need for activities essential to their growth and survival. Congress has faced calls for many years from many corners—from privacy advocates to the startup community—to create a federal privacy law. Last Congress saw momentum toward a federal privacy law, and that work looks poised to continue this Congress. The findings of this report, coupled with an explosion of privacy law related activity in statehouses across the country should add to that momentum.

You can read the full report here.