Americans lose privacy as data flows abroad and rules fall behind

Americans are waking up to a harsh reality: their most private communications are not always secure. Many phone calls, emails, and messages thought to be domestic are routed overseas, leaving them open to foreign data access and unclear legal protections.

Concern about privacy is nearly universal. According to a 2023 Pew Research Center survey, 81% of Americans said they are very or somewhat concerned about how companies use the data they collect about them and 71% expressed the same level of concern about government data use. Pew also found that three-quarters of adults feel they have very little or no control over what companies do with their information, and nearly the same share say they do not understand how data collection works.

The legal framework offers little clarity. As of 2025, the United States does not have a single federal privacy law. Instead, a patchwork of state-level statutes has emerged. California, Virginia, Colorado, and Connecticut already enforce their own privacy regimes, while new laws in Minnesota, Kentucky, and Rhode Island are set to take effect this year. Enforcement varies widely across states, creating gaps in protection.

At the federal level, surveillance rules add to the uncertainty. The CLOUD Act, passed in 2018, allows U.S. law enforcement to compel companies to hand over data stored abroad under certain conditions. The Foreign Intelligence Surveillance Act and its Section 702 authorize intercepting communications where one party is overseas, which can sweep up calls involving Americans. In 2024, Congress reauthorized Section 702 despite criticism that it permits warrantless monitoring of U.S. persons.

Commercial markets also play a role. Intelligence agencies have recently restricted the purchase of commercial data from app providers and brokers, but new rules still stop short of requiring warrants. Service providers and platforms remain major sources for governments and private buyers alike.

Experts warn the risks are underestimated. “People assume privacy failures come from hackers or breaches, but much of it is legal and systemic,” said Ashkan Soltani, executive director of the California Privacy Protection Agency. “Your personal data can be bought, sold, and repurposed in ways you never intended, often without meaningful consent.”

National security officials emphasize the other side of the debate. Michael Chertoff, former U.S. Secretary of Homeland Security, explained that “privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards.”

Technology itself complicates the picture. A 2025 study of smartphone users found that 54 percent underestimated how many apps had access to their data, and one in three did not know they could revoke permissions. Many only reconsidered after demonstrations showed how much location data can reveal.

Older laws such as the 1986 Electronic Communications Privacy Act still allow agencies to demand email content older than 180 days with reduced oversight. Privacy advocates say this leaves Americans in a world where their expectations of confidentiality are consistently undercut by outdated rules.

International comparisons underscore the gaps in U.S. policy. The European Union’s General Data Protection Regulation, enacted in 2018, created uniform rules across member states and gave consumers explicit rights over how their information is collected, stored, and erased. By contrast, American consumers still rely on state-by-state rules that vary widely in scope and enforcement. Privacy advocates say this leaves the United States behind its peers, with citizens afforded fewer protections than individuals in Europe or Canada. Businesses operating across borders often follow stricter foreign standards, illustrating how the U.S. framework has failed to keep pace.

Weak privacy protections also carry financial consequences. A 2024 survey by Cisco found that 76% of consumers said they would not buy from a company they did not trust with their data. Analysts warn that eroded confidence undermines not only consumer behavior but also the competitive position of American firms abroad. When trust declines, users turn to platforms they believe will protect them, which can shift revenue and market share. As digital trade grows, the lack of clear national standards risks weakening both consumer confidence and international credibility.

The consequences extend beyond abstract policy. A democracy depends on citizens being able to communicate freely and securely. Without stronger protections, the gap between what Americans believe is private and what actually is will continue to grow, leaving trust in government, technology, and institutions further eroded.

By Alex Fernandez