Nothing can happen with a major compromise, and that’s what I offer here. I don’t have a fully comprehensive solution, but I suggest a way to address most of the major concerns of the multinational business community and the advocacy community. Those two interest groups might be enough to move a bill through the process, especially if other stakeholders have no basis for objection.

I propose an opt-in, federal privacy law for the commercial sector. The law will only apply to companies that affirmatively choose to comply with its terms. The model here comes from arbitration. Laws define, support, and provide for the enforcement of arbitration agreements, but the parties to a contract usually decide whether they want to use arbitration. If they do not, then arbitration laws do not apply. The Privacy Shield, now available to solve some problems with U.S. companies that need to meet EU standards, is an opt-in program. Among its shortcomings is a failure to provide any protections for Americans.

With an opt-in privacy law, the data controller chooses to comply. There is no need for agreement from data subjects. Data subjects become the beneficiary of the decision along with the data controller.

Read more on IAPP, where you can also find Bob’s previous 3-part series of articles on the long and difficult road to a U.S. privacy law.