The area where social media has undoubtedly been most actively regulated is in their data and privacy practices. While no serious critic has proposed a flat ban on data collection and use (since that would destroy the algorithms that drive social media), a number of important jurisdictions including the European Union and California have imposed important restrictions on how websites (including social media) collect, process, and disclose data. Some privacy regulations are clearly justified, but insofar as data privacy laws become so strict as to threaten advertising-driven business models, the result will be that social media (and search and many other basic internet features) will stop being free, to the detriment of most users. In addition, privacy laws (and related rules such as the “right to be forgotten”) by definition restrict the flow of information, and so burden free expression. Sometimes that burden is justified, but especially when applied to information about public figures, suppressing unfavorable information undermines democracy. The chapter concludes by arguing that one area where stricter regulation is needed is protecting children’s data.

Most of the existing privacy and security legal frameworks at both the federal and state level provide incomplete safeguards against many of the privacy and information security harms highlighted in earlier chapters. Many of these frameworks have long been critiqued by privacy law experts for their lack of effectiveness. The IoT amplifies these inadequacies as it compounds existing privacy and security challenges.

At the state level, the patchwork of privacy and security legislation creates varying obligations for businesses without consistently ensuring that individuals receive adequate privacy and cybersecurity protection. State legislation also suffers from several shortcomings and is often replete with gaping privacy and security holes. Even the CCPA, the first privacy statute of its kind in the United States, has several limitations. Further, varying state privacy and security legislation also enables unequal access to privacy and security between citizens of different states.

In 2015, the US Senate passed a resolution recommending the adoption of a national strategy for IoT development (IoT Resolution).1 Currently, the proposed Developing Innovation and Growing the Internet of Things Act (DIGIT) would establish a federal working group and a steering committee within the Department of Commerce.2 If the act is adopted, the working group, under the guidance of the steering committee, would be charged with evaluating and providing a report containing recommendations to Congress on multiple IoT aspects.3 These areas include identifying federal statutes and regulations that could inhibit IoT growth and impact consumer privacy and security.4