Data privacy laws are reshaping the digital economy — but not always in expected ways. While some policymakers frame them as essential safeguards against “commercial surveillance,” their unintended consequences are quietly undermining the tools small businesses rely on to grow. In the rush to rein in “Big Tech,” lawmakers are building legal barriers that burden the very entrepreneurs, creators, and startups that have driven innovation — and benefited most from an open, affordable internet.
One of the biggest challenges? A growing patchwork of conflicting state laws that creates confusion, compliance burdens, and rising costs. This fragmented regulatory landscape favors large companies with legal teams and leaves small businesses stuck in limbo.
Congress must act now to pass a comprehensive federal privacy law that preempts state laws and provides a consistent, national framework. Without it, small businesses will continue to face mounting uncertainty, higher costs, and growing pressure to scale back — or abandon — the very digital tools that help them compete and connect with customers.
Digital advertising is no longer a single platform or tactic — it’s a tightly woven ecosystem. From websites and social media to email, customer service, and analytics, small businesses use digital tools to engage customers, streamline operations, and grow. But new privacy laws — many of them broadly written and overly complex — threaten to sever these connections and push businesses toward outdated, more expensive methods.
Ironically, while these laws are framed as checks on Big Tech, it’s the small players — those without legal teams or lobbying power — who face the greatest risks.
The High Cost of Fragmentation
Small businesses across America are facing a growing problem — not from inflation or supply chains, but from an increasingly complex web of state-by-state data privacy laws. Today, a business advertising online must navigate a patchwork of rules in California, Colorado, Virginia, and 17 other states. While large corporations can afford dedicated legal teams to manage this patchwork, small businesses cannot.
According to the Information Technology and Innovation Foundation (ITIF), this regulatory fragmentation could cost U.S. businesses $1 trillion over the next decade. For many small firms, annual compliance costs already exceed $50,000 — more than they spend on hiring. California’s Consumer Privacy Act (CCPA) alone cost businesses $55 billion in initial compliance. The EU’s General Data Protection Regulation (GDPR) has cost large companies millions — some as high as $10 million to $16 million each — while smaller competitors often can’t keep up.
Community-based businesses like Cupola Animal Hospitals in Tennessee, Sunset Berry Farm in West Virginia, and Dakota Film Company in South Dakota depend on digital advertising to reach their audiences. If privacy laws make data-driven marketing harder or more expensive, they’re not just at a disadvantage — they risk going dark in a digital-first economy.
Personalization Powers the Modern Internet
The same technology that delivers your favorite news, music, and streaming shows also helps personalize your entire online experience — including advertising. Contrary to the negative framing often seen in political discourse, surveys show most consumers value personalized ads — especially when they come from trusted brands. More than 80% say personalization helps them discover products they actually want.
Despite this, Washington’s approach to privacy often overlooks how personalization supports both user experience and small business growth. Lawmakers have rightly recognized that the state-by-state patchwork is unsustainable — but in trying to fix it, Congress has considered proposals that mirror the worst parts of state laws and the EU’s GDPR, rather than building a smarter, simpler national framework.
Ironically, as the U.S. debates these measures, the European Union is now moving in the opposite direction — seeking to simplify EU regulations in response to the negative effects on innovation, investment, and small business success.
The unintended consequences of some federal proposals? Vague, overly broad legislation that benefits regulators and litigators — not consumers. That’s why Internet for Growth opposes including a “private right of action” in federal privacy bills. Allowing individuals to sue businesses directly would flood the courts with excessive and often frivolous lawsuits. For small businesses, the legal risk and uncertainty would be overwhelming. Many proposals also layer on additional fines and penalties at both the state and federal levels — only increasing the burden.
The Small Business Carveout That Isn’t
Proponents of legislation like the American Data Privacy Protection Act (ADPPA) and the American Privacy Rights Act (APRA) in Congress often point to small business exemptions as proof these laws won’t hurt Main Street. But these carveouts are largely meaningless in practice. That’s because they define “small business” by how much data a company collects — not by revenue or number of employees.
Even modest digital engagement — like tracking basic website metrics or maintaining a small email list — can trigger compliance requirements. In other words, the more a small business grows, the more likely it is to be swept under the full weight of the law. These bills risk penalizing success, forcing businesses to choose between scaling online or staying compliant.
An Opportunity for Smart Reform
Fortunately, Congress is listening. Leaders like Chairman Brett Guthrie (R-KY) and members of the House Energy & Commerce Committee’s new privacy working group are engaging directly with small business advocates, including Internet for Growth, to better understand how federal privacy law can work for everyone. There’s growing recognition that protecting consumers and supporting small businesses are not mutually exclusive goals.
Rather than importing the most rigid elements of state laws or the EU’s GDPR, the group is exploring practical solutions that reflect how the modern internet actually works. That includes harmonizing the growing patchwork of state laws — most of which offer similar core protections — while addressing key differences in how sensitive data is defined, how data minimization is enforced, and how businesses are held accountable.
Smart federal reform can provide consistent standards while still delivering meaningful privacy protections. It can clarify expectations, reduce legal complexity, and give businesses of all sizes the confidence to grow and innovate online. This is a chance to build a national privacy framework that supports both trust and economic growth.
The Time to Act Is Now
The longer Congress waits, the harder the problem becomes. More states will pass conflicting laws. More businesses will struggle to navigate the chaos. More consumers will experience a fractured internet — with no real improvement to their privacy or security.
But the right federal law can change that. It can empower small businesses, protect consumers, and ensure the digital economy stays open and competitive. Congress has a rare opportunity to lead — not by copying flawed models, but by crafting legislation that works for the real world.
Getting privacy right isn’t just a legal challenge — it’s an economic imperative. And this time, Washington appears ready to rise to the occasion.
BRENDAN THOMAS is the executive director of Internet for Growth, an initiative of the Interactive Advertising Bureau (IAB) that promotes the crucial role digital advertising plays in the success of America’s small businesses.
