In many ways we value what makes states unique and their authority to make their own laws. But long ago, our forefathers recognized that as one nation, interstate commerce—the ability to do business across state lines—is extremely important, and therefore restricted states from impairing it.

Imagine if the laws for driving were to suddenly and dramatically change when crossing state lines. Driving in Louisiana? Stay on the right side of the road and green means go. Driving in Texas? Stay on the left side of the road, accelerate when you see a red light, and stop on green. This would make it nearly impossible to drive in other states and discourage travel. This is exactly what’s occurring on the information superhighway as companies with an online presence work to comply with a rapidly increasing volume of different state online privacy laws.

The patchwork of laws means that companies must adjust their product for each state in order to comply. For example, ever wonder why you have to accept cookies every time you visit a website? You can thank the data privacy laws in California.

This month, a potential solution to the state patchwork was introduced in Congress. The proposed American Privacy Rights Act of 2024 (APRA) would create a national standard for online data privacy. With bipartisan support, the bill is timely when considering the increased concern over how Americans can control their private information.

If passed, it would dramatically simplify the rules of the road for the millions of companies with an online presence. The legislation is comprehensive, meaning it applies to all states. Americans are long overdue for clear and careful privacy protection standards, and the authors of APRA argue that broad preemption is the best route to a national standard. The APRA would preempt state laws, meaning that, save a few exclusions, state data privacy laws would no longer apply.

Bills almost always undergo amendments throughout the legislative process, and as originally drafted, the APRA could benefit from further improvement. The authors will no doubt have to carefully weigh what total vs. partial preemption will mean for the efficacy of the bill. Additionally, it requires that algorithms dealing with certain groups and subject matter receive special attention, among them minors. In practice, this could make it challenging for people under 17 to access the internet and its features. This might be welcome news for some who have called for greater protections of minors online, but rather than provide clarity on the issue, the legislation leaves it to the currently overzealous Federal Trade Commission to develop rules.

Additionally, the implementation of APRA could prove challenging for small businesses, which often lack resources to comply with complex regulations. The bill also includes a private right to action, which would make it easier for users to sue companies. An overly litigious environment could slow down innovation and raise costs for consumers as companies struggle to navigate a barrage of lawsuits. This would perpetuate the very problem the legislation seeks to address by creating an uneven playing field for those trying to follow the new rules.

A good privacy law will be clear, comprehensive, and empower consumers and companies, not the federal government. The draft of APRA is a step towards much needed clarity, but its authors would do well to evaluate provisions that pick favorites and concentrate power before it becomes law.