New Roadmap: Data Privacy Principles for Federal & State Policymakers

For several years, federal lawmakers have been unable to pass a comprehensive federal privacy law, leaving states to legislate a patchwork of data privacy regulations. Such decentralized regulation of something as connected as digital privacy leaves any attempt at consistent protections incomplete and disjointed.

That gap has real consequences for everyone, and especially for members of the LGBTQ+ community, whose most sensitive information can too easily be exposed and profiled without meaningful protection.

Today, LGBT Tech is releasing a new roadmap outlining seven core principles for stronger privacy legislation. The roadmap makes a simple but urgent point: data privacy law must reflect the modern digital economy and the real risks people face when personal data shapes access to care, work, education, housing, safety, and public life.

Core principles from the roadmap include:

• Data minimization must be the starting point, not the limit. Entities should collect and use only the personal data reasonably necessary for a specific and disclosed purpose, with clear limits on secondary uses and function creep.
  

• Sensitive data needs heightened protection that reflects current realities, including the risks associated with health data, location, biometrics, sexual orientation, gender identity, and other highly revealing information.

  
  

• Rights matter, but rights without usability are weak. Access, correction, deletion, portability, and opt-out rights must be realistic and easy for ordinary people to use.
  

• Profiling and automated decision-making need specific guardrails, particularly when automated systems shape access to housing, employment, education, healthcare, credit, or other essential private and public services.
  

• Youth privacy requires targeted protections, not overbroad identity checks, and lawmakers should be careful not to replace real privacy protections with age-verification or parental-access systems that create new risks.
  

• Data brokerage is a structural loophole that must be addressed directly, because privacy law remains incomplete if it leaves downstream resale and monetization untouched.
  

• A federal privacy law should provide a floor, not erase stronger protections, establishing a meaningful national baseline without preempting the strongest state safeguards now being built across the country.

Recent developments underscore just how fast this ecosystem is moving. In April, Virginia enacted SB 338, a move aligned with the roadmap’s data broker principle in restricting the sale of consumers’ precise geolocation data. In Congress, the recently released SECURE Data Act adopts some important privacy building blocks like data minimization and a federal data broker registry. But it also reflects several of the same tensions this roadmap identifies: gaps in sensitive data coverage, especially around gender identity and gender-affirming care; youth privacy protections routed through parental consent; limited automated decision safeguards; and broad federal preemption that could weaken stronger state laws.

Read LGBT Tech's full roadmap here.