The US is the only major democracy without a federal privacy law. A $323 billion data broker industry extracts your life for profit — your location, your health, your purchases, your relationships — and sells it to anyone willing to pay.
We're a policy platform with 50 researched positions on every major issue. This page breaks down our internet privacy plan — but there's much more to explore.
The United States is the only major democracy on Earth without a comprehensive federal privacy law. The European Union passed GDPR in 2018. The UK, Canada, Brazil, Australia, Japan, South Korea, and India all have federal data protection laws. America does not. The reason is straightforward: the tech industry has spent over $500 million on lobbying since 2018 to make sure it stays that way.
What the US has instead is a patchwork of narrow, sector-specific laws that leave massive gaps. HIPAA covers health data held by healthcare providers — but not health data collected by fitness apps, period-tracking apps, or DNA testing services. FERPA covers education records — but not data collected by edtech companies. COPPA covers children under 13 — but offers zero protection for teenagers. The result is that most of the personal data generated by most Americans in most contexts has no federal protection whatsoever.
Some states have tried to fill the gap. California's CCPA (Consumer Privacy Act, 2018) was the first comprehensive state privacy law, giving Californians the right to know what data is collected, request deletion, and opt out of data sales. Since then, a growing number of states have passed similar laws — but most Americans live in states with no privacy protections at all. And even in states with laws, enforcement is inconsistent and under-resourced.
The tech industry's lobbying strategy is not to openly oppose privacy. It's to support weak federal legislation that preempts stronger state laws. Every major privacy bill introduced in Congress has been weakened by industry lobbying until it was either too weak to matter or too controversial to pass. The American Data Privacy and Protection Act (ADPPA) came close in 2022 — it passed a House committee with bipartisan support — before being killed by industry pressure and preemption disputes.
The comparison with Europe is instructive. GDPR passed because the EU treated privacy as a fundamental right, not a business negotiation. It imposed real fines — up to 4% of global revenue — and created an independent enforcement authority. The result was not the death of the European tech industry, as lobbyists predicted. It was a shift toward business models that respect user consent. For more on corporate influence on policy, see the corporate power page.
The data broker industry is worth $323 billion. Its product is you. Your location, your health conditions, your financial situation, your political views, your relationships, your daily routines — all packaged and sold to anyone willing to pay. The average American's data is sold or shared 747 times per day.
Data brokers compile information from hundreds of sources — public records, purchase histories, social media activity, app usage, website visits, loyalty programs, voter registration files, court records, and location data from your phone. They aggregate this into detailed profiles that can include your estimated income, net worth, credit score range, health conditions, prescription medications, religious affiliation, political party, sexual orientation, pregnancy status, and the precise GPS coordinates of everywhere you've been for the last several years.
Location tracking is particularly invasive. Your phone broadcasts your precise location through GPS, Wi-Fi, Bluetooth, and cell tower connections. Apps harvest this data and sell it to data brokers, who in turn sell it to advertisers, hedge funds, insurance companies, and government agencies. A 2021 investigation revealed that the US military purchased location data from Muslim Pro, a prayer app used by nearly 100 million people. Law enforcement agencies routinely purchase location data to track individuals without warrants — circumventing the Fourth Amendment by buying what they cannot legally seize.
Health data outside of HIPAA-covered providers has no federal protection. Period-tracking apps, mental health apps, fitness trackers, and genetic testing services collect intimate health data that can be — and is — sold to data brokers, insurance companies, and employers. After the Dobbs decision, prosecutors in some states sought period-tracking data as evidence in abortion cases. The apps had no legal obligation to refuse.
Children's data is collected at an industrial scale. Social media platforms, gaming companies, and edtech providers build behavioral profiles on minors that follow them for life. COPPA's age limit of 13 is routinely circumvented, and teenagers have no federal privacy protections at all. A 2023 report found that the average child has 1,500 data points collected about them before their 13th birthday. For more on protecting children online, see the education policy page.
The Common Good privacy plan establishes a comprehensive federal privacy law — modeled on GDPR but designed for American law — that treats personal data as belonging to you, not to the companies that collect it. The plan covers data brokers, Big Tech, children's data, algorithmic transparency, and broadband access.
The plan is built on eight core provisions, each targeting a specific failure in how America currently handles digital rights. Together, they give Americans control over their own data for the first time.
For the complete plan with legislative detail, cost projections, and sourcing, see the full internet privacy issue page.
The United States stands alone among major democracies in having no comprehensive federal privacy law. Every peer nation has enacted data protection legislation. The US has not. The comparison is not flattering.
| Country | Federal Law | Consent Model | Right to Delete | Data Broker Rules | Max Fine | Children |
|---|---|---|---|---|---|---|
| United States | None | Opt-out | No (federal) | Unregulated | N/A | Under 13 only |
| EU (GDPR) | GDPR (2018) | Opt-in | Yes | Regulated | 4% revenue | Under 16 |
| United Kingdom | UK GDPR | Opt-in | Yes | Regulated | 4% revenue | Under 13 |
| Canada | PIPEDA | Opt-in | Yes | Regulated | C$10M | All minors |
| Australia | Privacy Act | Mixed | Yes | Regulated | A$50M | All minors |
| Brazil | LGPD (2020) | Opt-in | Yes | Regulated | 2% revenue | All minors |
The pattern is stark. Every major democracy has a federal privacy law. Every major democracy regulates data brokers. Every major democracy gives citizens the right to delete their data. The United States does none of these things at the federal level. American citizens have fewer data rights than citizens of Brazil, which passed its privacy law in 2020 with a fraction of America's resources.
The tech industry's argument that privacy regulation kills innovation is refuted by the data. The EU's tech sector has continued to grow since GDPR. What changed was not innovation — it was the specific practice of harvesting and selling personal data without consent. For a comparison of party positions, see the Compare Parties page.
Section 230 of the Communications Decency Act is the 26-word law that shaped the modern internet. It says that websites are not liable for content posted by their users. It's both the internet's founding principle and its most controversial legal shield.
What Section 230 does: It provides two protections. First, it says that platforms (like Facebook, YouTube, or Reddit) are not treated as the publisher of user-generated content — meaning they can't be sued for what their users post. Second, it says that platforms can moderate content — removing posts, banning users — without losing that legal protection. Without Section 230, platforms would face a choice: either moderate nothing (and be flooded with abuse, harassment, and illegal content) or moderate everything (and become editors liable for every post, which would make user-generated content impossible at scale).
What Section 230 doesn't do: It does not protect platforms from liability for their own conduct. If a platform creates illegal content, Section 230 doesn't apply. It does not override federal criminal law — platforms can still be prosecuted for hosting child sexual abuse material, for example. And it does not prevent platforms from being held accountable for their algorithms and design choices — though courts have been inconsistent on this point.
The reform debate centers on whether platforms should retain Section 230 protection when their algorithms actively amplify harmful content. There's a difference between passively hosting user content and actively pushing that content to millions through engagement-maximizing recommendation engines. The Common Good position is that Section 230 protection should remain for passive hosting but should not extend to algorithmic amplification — particularly when platforms know their algorithms are promoting content that causes harm.
Content moderation is a separate issue from Section 230, though the two are often conflated. Both the left and right have grievances about platform moderation decisions. The Common Good approach is transparency: platforms should be required to publish clear content policies, apply them consistently, and provide meaningful appeals processes. The government should not dictate what content platforms allow — but platforms should not be able to hide their moderation decisions from public scrutiny. For more on media and press freedom, see the full issue page.
The tech industry and data broker lobby have spent years crafting narratives designed to make Americans accept the status quo. Here are the four most persistent myths — and what the evidence actually shows.
Myth: "I have nothing to hide."
Reality: Privacy isn't about hiding wrongdoing. It's about control over your own life. Data brokers sell information about your health conditions to insurance companies that can raise your rates. Employers purchase background data that can cost you a job. Political campaigns use psychological profiles to manipulate your vote. Stalkers and abusers purchase location data to track victims. "Nothing to hide" assumes that everyone who accesses your data will use it benevolently — a dangerous assumption in a world where data breaches exposed 353 million records in 2023 alone.
Myth: "Privacy laws kill innovation."
Reality: The European tech sector has continued to grow since GDPR took effect in 2018. Companies like Spotify, Wise, Klarna, and hundreds of startups thrive under strong privacy rules. What GDPR disrupted was not innovation — it disrupted the specific business model of harvesting and selling personal data without consent. Apple has built privacy into a competitive advantage, proving that strong privacy and strong business are not mutually exclusive. The innovation argument is lobbying, not economics. See the AI and technology page for more on responsible tech policy.
Myth: "Companies will self-regulate on privacy."
Reality: They've had thirty years to self-regulate and the result is a $323 billion surveillance industry. Facebook promised to protect user data after the Cambridge Analytica scandal — then was caught sharing data with other companies anyway. Google settled with the FTC for $391 million over location-tracking deception. Every major tech company has been fined, sued, or investigated for privacy violations they committed while publicly pledging to protect user data. Self-regulation in the data industry has the same track record as self-regulation in the tobacco industry.
Myth: "It's too late — our data is already out there."
Reality: It's not too late. GDPR gave Europeans the right to delete data that had been collected for decades — and companies complied, because the alternative was a fine of up to 4% of global revenue. The right to delete works. Data minimization works. Opt-in consent works. The data broker industry exists because it's legal and profitable, not because it's inevitable. Change the law, and the business model changes with it. Every day without a privacy law is another day your data is collected, sold, and used without your consent. The sooner we act, the less there is to undo. For the full policy framework, see the internet privacy issue page.
America is the only major democracy without a privacy law. A $323 billion industry profits from your data without your consent. Read the full plan to take back control.