Chapter 01: The Privacy You Trust Isn’t Real

Your Zip Code Decides Your Rights. And Nobody Told You.

Here is something most Americans have never been told, and the people profiting from your personal data are counting on you never finding out. The United States of America, the country founded on individual liberty, is the only G7 nation on Earth without a comprehensive federal privacy law. One hundred and forty four countries protect their citizens' personal data with national legislation. Ninety eight percent of developed nations guarantee their people baseline digital privacy rights. And the United States, in 2026, does not.

Your privacy rights in this country depend entirely on where you live. If you live in California, you hold a set of enforceable digital privacy rights in your hands right now. You can find out exactly what a company knows about you. You can order them to delete every piece of personal information they have collected. You can stop them from selling your data. And if they lose your data in a breach because they failed to protect your information, you can sue them.

If you live in Alabama, Mississippi, Georgia, New York, Pennsylvania, Massachusetts, or any of thirty one other states plus the District of Columbia, you have none of those rights. Zero. You have no legal way to find out what companies collect about you, no legal mechanism to tell them to delete your data, no legal authority to stop them from selling your most intimate details, and no ability to hold them accountable when they fail you.

Two people living in two different states can download the exact same app, hand over the exact same personal information, and face the exact same data breach. One of them has legal recourse. The other has nothing. The only difference between them is their address.

This did not happen by accident. Congress has debated, drafted, negotiated, and thrown away comprehensive privacy legislation for more than twenty five years. Every single time, the same forces killed the bill. The tech industry, which spent more than $250 million on federal lobbying in 2024 alone, fought to keep the system exactly as broken as it is. And here you are, clicking "I agree" hundreds of times a year on privacy policies nobody reads, believing you made a choice, when in reality the system was designed to make sure you never had one.

Twenty Five Years of Broken Promises

The Federal Trade Commission formally asked Congress to pass a comprehensive federal privacy law in May 2000. That was twenty six years ago. Every president since has acknowledged the problem. Not one has signed a solution.

President Obama released a Consumer Privacy Bill of Rights in 2012 with seven principles, including individual control, transparency, security, and accountability. The proposal was voluntary. Nobody in Congress even introduced the formal draft bill when the White House released legislative language in 2015. The Cambridge Analytica scandal exploded in 2018 and members of Congress introduced multiple privacy bills in the aftermath. Not a single one of those bills made it to a floor vote in either chamber.

The closest the country has ever come was the American Data Privacy and Protection Act in 2022. A bipartisan group of legislators sponsored the bill, and it passed the House Energy and Commerce Committee by a vote of 53 to 2. That was the first time in American history that a comprehensive federal privacy bill cleared a congressional committee. The bill included data minimization requirements, individual rights to access, correct, and delete personal data, algorithmic impact assessments, and the right for individuals to sue companies for violations.

Three forces killed the bill before it reached a full vote. The chair of the Senate Commerce Committee blocked the bill from advancing because she believed the enforcement provisions were too weak. The Speaker of the House prevented the bill from reaching the House floor because she wanted California to maintain its stronger protections. And the California delegation, including the governor, the attorney general, and the state's own privacy agency, opposed the bill because a federal law would have overridden California's pioneering protections.

A new version called the American Privacy Rights Act appeared in 2024 with sponsors who had been on opposite sides of the previous fight. For a moment, progress seemed possible. Then controversial revisions stripped out the bill's civil rights and algorithmic accountability provisions, major civil rights organizations withdrew their support, the scheduled committee vote was canceled, and the bill died when the 118th Congress ended.

The current Congress has not even introduced a comprehensive privacy bill. In early 2025, the House Energy and Commerce Committee created a privacy working group composed entirely of members from one party and issued a public request for information. The overwhelming majority of responses came from industry groups supporting the position that federal law should cap privacy protections at a single level and prevent states from going further. As of March 2026, we are right back where we started.

The three disputes killing every bill have stayed identical for a quarter century. Should federal law set a ceiling that prevents states like California from offering stronger protections, or should federal law set a floor that allows states to go further? Should individual Americans be able to sue companies for privacy violations, or should enforcement be left exclusively to regulators? How strictly should companies be limited in the data they collect about you? The tech industry has a preferred answer to each of these questions. And for twenty five years, the industry's preferred answer has won.

The Zip Code Lottery

Because Congress has refused to act, states have stepped in. Nineteen states have now passed comprehensive consumer data privacy laws. Five states led the way through 2022, including California, Virginia, Colorado, Connecticut, and Utah. Seven more followed in 2023. Another seven passed laws in 2024. 2025 was the first year since 2020 that no new state passed a comprehensive privacy law, though nine states updated their existing statutes.

These laws are not the same. They are not close to the same. They create a confusing patchwork where your rights depend on which side of a state border you happen to live on, and the differences between them matter enormously.

California stands alone with the broadest protections. California covers employee and business data, runs the country's only dedicated privacy enforcement agency, and gives residents a private right of action for data breaches with statutory damages of $100 to $750 per person per incident. That means a breach affecting a million people creates potential liability exceeding $375 million. California also created the DELETE Act, which launched a centralized platform in January 2026 called DROP. This platform allows Californians to submit a single deletion request that reaches all 545 registered data brokers at once. Before DROP existed, deleting your data from data brokers meant contacting hundreds of companies one by one. Nobody was doing that.

A handful of states occupy a second tier with notably strong provisions. Maryland prohibits companies from collecting data beyond what is strictly necessary for the service you requested, and Maryland bans the sale of sensitive data outright. Connecticut requires businesses to tell you if your data was used to train artificial intelligence models. Minnesota mandates data inventories and gives consumers the right to challenge profiling decisions.

The majority of states with privacy laws follow a more business friendly model. Attorney general enforcement only. Thirty day cure periods giving companies a month to fix violations before facing consequences. Standard consumer rights without the distinctive features California created. No private right of action for any violation.

Here is what this patchwork means in real life. In California, you can file a request to find out what a company knows about you, and that company must respond within 45 days with specific details about every piece of your personal information, where they got it, why they have it, and who they shared it with. In Alabama, you have no legal mechanism to compel any company to tell you anything.

In California, you can submit a deletion request that forces a company to delete your data and notify every third party that received your data to do the same. You can use DROP to wipe your information from the entire data broker industry with one request. In Alabama, you have no right to request deletion from anyone.

In California, if a company loses your data in a breach because they failed to maintain reasonable security, you can sue for statutory damages without having to prove you suffered a specific financial loss. In Alabama, you must pursue traditional negligence claims that require you to prove concrete injury. That bar is one most breach victims cannot clear.

Thirty one states plus the District of Columbia have no comprehensive consumer privacy law at all. New York, Illinois, Pennsylvania, Massachusetts, Washington, and Georgia are among the major states without one. Residents of those states have no legal right to find out what companies collect about them, no right to demand deletion, no right to opt out of data sales, and no way to hold companies accountable when their data is misused.

The narrow federal laws that exist, covering health data through HIPAA, children's data through COPPA, education records through FERPA, and financial data through the Gramm Leach Bliley Act, are riddled with gaps. They cover only specific sectors and specific types of data held by specific types of companies. They leave enormous categories of personal information entirely unprotected. And they do not come close to providing the kind of comprehensive coverage that citizens of 144 other countries already have.

The Grand Illusion of Clicking I Agree

Every time you sign up for an app, visit a website, or download software, a box pops up asking you to agree to a privacy policy. You click the button. You move on. You believe you made a choice.

You did not.

The entire system of "notice and consent" that supposedly protects your privacy is built on a fiction. The idea is straightforward enough. Companies tell you what they do with your data in a privacy policy. You read the policy. You understand the terms. You agree. Every single element of that idea is false.

The average American encounters approximately 1,462 unique websites per year, and each one has its own privacy policy. Those policies now routinely run 4,000 to 5,000 words or more. Reading every privacy policy you encounter in a year would take approximately 244 hours. That is 76 full work days. If every American internet user actually read every privacy policy they encountered, the aggregate time cost would be worth approximately $781 billion per year. That number exceeds the gross domestic product of the entire state of Florida.

Even if you tried to read them, you would struggle to understand them. Privacy policies are consistently written at a college reading level, with social media platform policies scoring at the difficulty level of academic journal articles. The average American reads at an eighth grade level. The policies are not written for you to understand. They are written for a company's lawyers to defend.

In practice, 78% of Americans routinely click agree without reading privacy policies. Among people aged 18 to 34, a staggering 97% consent to terms and conditions without reading them. In one academic experiment, 98% of participants agreed to a consent form that included a clause granting the researchers naming rights to their firstborn child. Even among the 11% of participants who claimed they usually read terms carefully, virtually all of them agreed to give away naming rights to their own child.

More than half of American adults do not even understand what the phrase "privacy policy" means. Many people believe a privacy policy is a promise that the company will keep their data private. One leading researcher in the field concluded plainly that informed consent at scale is a myth.

The academics and privacy law scholars who study this field have taken the system apart piece by piece. The cognitive problems include the fact that human beings cannot rationally evaluate thousands of separate privacy decisions across hundreds of companies over years of accumulated data collection. The structural problem goes deeper. Privacy harms come from the gradual accumulation of data over time by many different companies. No individual can assess the total risk of saying yes to any single consent screen because the danger comes from the combination of all of them over months and years.

One Princeton professor described the situation as "privacy theater." We pretend to have read the privacy policies. The companies pretend we understood and agreed. Everyone plays their part. And the data keeps flowing.

The Federal Trade Commission itself has admitted the system does not work. A former FTC Chair called the notice and consent framework "outdated and insufficient." Another commissioner stated that click through consent does not present a meaningful choice because consumers often have no real alternative. The FTC's 2022 rulemaking proceeding directly questioned whether consumer consent is an effective way to determine if a practice is unfair or deceptive.

While regulators publicly acknowledge the failure of notice and consent, companies are actively making it worse through what privacy experts call dark patterns. These are manipulative design elements engineered to trick you into giving up your data. A major international review found that 76% of websites and apps employed at least one dark pattern and 67% used multiple dark patterns. One company's cookie banner required two clicks to reject advertising cookies and only one click to accept them. Amazon's internal name for its Prime cancellation process was "Iliad," a reference to the long and grueling Trojan War epic. California's law now explicitly states that agreement obtained through dark patterns does not count as consent. The rest of the country has no such protection.

The Privacy Tool You Have Never Heard Of

Buried inside your browser settings is the single most practical privacy tool available to Americans right now. Almost nobody knows about it. And the companies collecting your data are perfectly happy to keep it that way.

Global Privacy Control, or GPC, is a web standard launched in 2020 that automatically tells every website you visit that you do not want your personal data sold or shared. You turn it on once, and from that moment forward, every website you visit receives an automatic signal communicating your opt out preference. The signal travels with every page you load. You never have to think about it again.

GPC was created by a coalition that included privacy researchers, the Electronic Frontier Foundation, Consumer Reports, major newspapers, and browser makers. In 2024, the World Wide Web Consortium adopted GPC as an official work item on the formal internet standards track. GPC carries legal force in a growing number of states. That is the critical difference between GPC and the failed Do Not Track standard from years ago. Do Not Track was voluntary. Companies ignored it. GPC has teeth.

Three browsers currently support GPC out of the box. Brave enables it by default with no way to turn it off. DuckDuckGo enables it by default. Firefox makes it available in your settings. Google Chrome, Apple Safari, and Microsoft Edge do not support it at all. Extensions like Privacy Badger and DuckDuckGo Privacy Essentials can add GPC to Chrome and other browsers. About 50 million people use GPC today, spread across the browsers and extensions that support it. That represents less than 10% of web users, because over 90% of people use browsers that do not offer GPC.

That is about to change. In October 2025, California's governor signed the Opt Me Out Act, which requires every browser operating in California to include built in opt out signal functionality by January 1, 2027. Chrome holds approximately 65% of global browser market share. Safari and Edge hold substantial shares of the rest. This law will force the biggest browsers in the world to give their users the ability to send a GPC signal or an equivalent with a single toggle.

Twelve states already require businesses to honor GPC signals. California, Colorado, Connecticut, Montana, Texas, Delaware, Oregon, Nebraska, New Hampshire, New Jersey, Minnesota, and Maryland all mandate compliance. Four of those states have named GPC specifically in their regulations.

Enforcement has been real. The first major California privacy enforcement action, a $1.2 million settlement with a beauty retailer in 2022, centered on the company's failure to honor GPC. When consumers activated GPC on the company's website, nothing happened. Data kept flowing to advertisers. In 2025, the California Privacy Protection Agency fined three companies a combined total exceeding $2.3 million for failing to honor opt out signals. A joint enforcement sweep involving the attorneys general of California, Colorado, and Connecticut marked the first multi state action targeting GPC noncompliance.
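For readers who run a website, here is what honoring the signal can look like on the receiving end. This is an added example, not part of the original chapter and not any company's or regulator's code: the GPC specification sends the preference as the request header Sec-GPC: 1, while the tag names, the account shape, and the function names below are constructed for illustration.

```javascript
// Added example. Tag names, the account shape and the function names are
// constructed for illustration; only the Sec-GPC header comes from the
// GPC specification.

// The signal is the request header "Sec-GPC: 1". An absent header or any
// other value expresses no preference.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue; // header names are case-insensitive
    const first = Array.isArray(value) ? value[0] : value;
    return String(first).trim() === '1';
  }
  return false;
}

// Decide whether this request may trigger sale or sharing of personal data.
// Assumption of this example: an opt-out seen on a signed-in account is
// stored, and a later request without the header does not undo it.
function sharingDecision(headers, account) {
  if (hasGpcSignal(headers)) {
    if (account) account.optedOut = true;
    return { optedOut: true, reason: 'gpc-signal' };
  }
  if (account && account.optedOut) {
    return { optedOut: true, reason: 'stored-preference' };
  }
  return { optedOut: false, reason: 'no-signal' };
}

// Build the page plan: which tags are emitted and which response headers
// are set. Tags that sell or share data are dropped for opted-out visitors.
function renderPlan(headers, account, tags) {
  const decision = sharingDecision(headers, account);
  const emitted = tags
    .filter((t) => !(decision.optedOut && t.sellsOrShares))
    .map((t) => t.name);
  return {
    ...decision,
    tags: emitted,
    // The page body now depends on Sec-GPC, so a shared cache must key on
    // it; otherwise a copy rendered with ad tags can be served to an
    // opted-out visitor and the signal appears to do nothing.
    responseHeaders: { Vary: 'Sec-GPC' },
  };
}

// Constructed sample tag inventory.
const SAMPLE_TAGS = [
  { name: 'session-cookie', sellsOrShares: false },
  { name: 'ad-exchange-pixel', sellsOrShares: true },
  { name: 'data-broker-sync', sellsOrShares: true },
];
```

The reason field gives each decision a value that can be written to a log, which is the kind of record that shows a signal was received and acted on.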

Here is the fact that should make you stop and think. When researchers offered people the option to enable GPC during browser setup, 94% chose to turn it on. The problem is not that people do not want privacy. The problem is that the most popular browsers in the world have not given people the option. The Opt Me Out Act changes that equation entirely.

If you are reading this, go to your browser settings right now and look for Global Privacy Control. If your browser supports it, turn it on. If your browser does not support it, download one that does, or install an extension that adds GPC. This is the single easiest step you can take today to exercise your privacy rights.

144 Countries Got There Before Us

At least 144 countries have enacted comprehensive national data protection laws. The European Union treats privacy as a fundamental human right and enforces data protection through independent agencies in every member state with fines reaching up to 4% of a company's global revenue. Cumulative fines under Europe's General Data Protection Regulation have reached approximately 6 billion euros, and eight of the ten largest fines have been imposed on American companies. One American social media company alone has been fined more than 2.2 billion euros.

Brazil passed a comprehensive data protection law in 2018. South Korea has one of the strictest data protection regimes in the world with penalties up to 3% of global revenue. Japan earned the first data adequacy decision from the European Union of any Asian country. India passed its national data protection law in 2023 as the nineteenth G20 country to do so. Australia enacted sweeping privacy reforms in December 2024.

The United States stands alone among its peers. And American companies are paying the price internationally. Roughly 63% of total European data protection fine value has been imposed on companies headquartered in the United States. The absence of strong domestic protections makes American companies easier targets for international enforcement.

The European Union has twice invalidated the legal framework for transferring personal data from Europe to the United States, each time concluding that American law does not adequately protect individuals from government surveillance and does not provide meaningful recourse. A current framework adopted in 2023 survived its first legal challenge in 2025, and further challenges are expected.

Every time an American company gets hit with a massive European privacy fine, that is a direct consequence of the fact that our own government has not required those companies to protect your data in the first place.

Forty People Standing Between You and an Entire Industry

Without a federal privacy law, the Federal Trade Commission has become the country's default privacy regulator by using a single provision of the FTC Act, Section 5, that does not even contain the word "privacy." The FTC has used its authority to pursue unfair and deceptive practices to bring privacy cases against some of the biggest companies in the world, including a $5 billion settlement with a major social media platform and a $520 million case against a video game company.

About 40 full time FTC staff members work on privacy issues. The United Kingdom's privacy enforcement office employs more than 700 people to serve a country one fifth the size of the United States. The FTC brings roughly 20 privacy cases per year across a digital economy that touches every single American, every single day. The agency cannot impose civil penalties for first time violations. It can only get a consent order and then penalize future violations.

Under the current administration, the FTC has pulled back from aggressive privacy enforcement. Staffing has been cut. The commercial surveillance rulemaking process that the agency launched in 2022 to create comprehensive privacy rules appears to have been shelved. The Privacy and Civil Liberties Oversight Board lost its quorum when its independent members were removed.

The Supreme Court provided a narrow form of digital privacy protection in 2018 when it ruled that the government needs a warrant to access historical cell phone location data. That decision recognized that such data reveals a detailed chronicle of a person's movements. The ruling was deliberately limited and did not address many other forms of digital surveillance.

The largest privacy enforcement victories in the country have come not from federal action, but from state laws. A $1.4 billion settlement against a major social media company for facial recognition violations came under Texas state law. A $51.75 million settlement against a facial recognition company for scraping 60 billion images from the internet came under an Illinois state law. These outcomes are possible because a few states decided to act. They are not available to the 190 million Americans living in states without those protections.

What You Want, What You Deserve, and What You Are Not Getting

Eighty one percent of Americans say they are concerned about how companies use their data. Seventy three percent say they have little or no control over what companies do with their personal information. Seventy two percent want more government regulation of corporate data practices, a position supported by majorities of both Republicans and Democrats. Eighty four percent support stricter federal data privacy laws. This is one of the most bipartisan issues in the country.

A federal privacy law based on the bills Congress has already drafted and debated would change your daily life in ways you would feel immediately. Companies would be prohibited from collecting more data than they need to provide the service you asked for. Every American would have the right to find out what data companies hold, to correct mistakes, to delete their information, and to stop their data from being sold to third parties and advertisers. A single setting in your browser would legally require every company in the country to stop selling your data. If an algorithm denied you a loan or insurance, you would have the right to know why and to challenge the decision. Data brokers would have to register with the government and comply with deletion requests. If a company lost your data because they failed to maintain reasonable security, you could hold them accountable in court no matter what state you live in.

Health apps would be barred from selling your prescription information to advertisers. Companies could not collect your face scan, fingerprint, or voiceprint without your explicit permission. The right to sue for privacy violations would belong to every American, not only people who happen to live in California. Data brokers, the invisible companies that compile detailed profiles about you including your home address, your income, your health conditions, and your political views, would finally face real accountability.

This is not a wish list. Every one of these provisions has already appeared in a bill that received bipartisan support in Congress. They did not become law because the industries profiting from the current broken system spent hundreds of millions of dollars making sure they did not.

What Comes Next Is Up to You

You did not choose this. Nobody asked you whether you wanted a country where your privacy depends on your zip code. Nobody asked you whether you wanted to live under a system where 78% of people click "I agree" without reading privacy policies because the alternative would take 76 work days per year. Nobody asked you whether companies should be allowed to collect, sell, and lose your most personal information with no meaningful consequences.

The absence of a federal privacy law is not an oversight. For twenty five years, the same industries that profit from unregulated data collection have spent billions of dollars to block the same legislation that 84% of Americans say they want. Every year that Congress fails to act, your personal data becomes more exposed, more collected, more bought and sold, and more at risk.

One hundred and ninety million Americans live in states with no comprehensive privacy protection at all. If you are one of them, you currently have no legal right to know what companies collect about you, no right to stop the sale of your personal information, and no way to hold them accountable when things go wrong.

You can start protecting yourself today. Turn on Global Privacy Control in your browser. If your browser does not support it, switch to one that does. If you live in California, use the DROP platform to delete your data from all registered data brokers at once. If you live in a state without a privacy law, call your state representative and ask them why you have fewer rights than someone living one state over.

The most important thing you can take from this chapter is the knowledge that the system was not built to protect you. It was built to extract from you. The privacy policies you click through are not choices. They are rituals designed to make you feel like you agreed when you never had a meaningful option. The patchwork of state laws is not a solution. It is a symptom of a Congress that has chosen industry donors over the people it represents for a quarter of a century.

This fight is about more than your data. It is about whether you have the right to live a life that is not recorded, profiled, scored, and sold without your knowledge. It is about whether your children and grandchildren grow up in a country where their personal information is their own, or where their entire digital existence belongs to whoever can afford to buy it. And it is about whether our democracy can function when the people who are supposed to represent us keep choosing the interests of the companies harvesting our lives over the clear and overwhelming will of the American public.

You deserve the same protections that citizens of 144 other countries already have. Congress knows this. The data proves this. Eighty four percent of your fellow Americans agree.

Now the question is what you are going to do about it.