In Samuel Beckett's play "Waiting for Godot," the two main characters wait the entire production for a mysterious man named Godot who continuously sends word that he will appear but never does. A major theme for this existentialist story is that life is absurd, including the suffering involved in waiting for something that may never arrive.

Each time a new U.S. state privacy law is passed, or a regulatory body announces a new data protection enforcement action, I am reminded of this play and how privacy professionals keep waiting for a federal comprehensive privacy law — but continue to be disappointed.

Unlike the characters in "Waiting for Godot," maybe we don't have to sit around and wait for something that will never arrive. Perhaps we should consider alternative solutions — ones that have worked in the past when other policy debates have stalled. Using a piecemeal approach instead of comprehensive federal policy could be the solution to gain more clarity and certainty in privacy governance.

Having witnessed policymaking up close for many years while working in U.S. Congress, I've learned some progress is better than no progress with such an important issue. A former member of Congress used to say, "Don't let the perfect be the enemy of the good." I learned on the Hill that you often have to consider a different approach to achieve the goal.

If the holistic approach isn't working, try it piece by piece.

Current federal privacy laws are sector-specific. Privacy professionals are already accustomed to the segmented regulatory environment with the Children's Online Privacy Protection Act for online services directed toward children, the Health Insurance Portability and Accountability Act for patient health information, and the Family Educational Rights and Privacy Act for access to educational records, just to name a few.

As states fill the void with consumer rights legislation, and in the absence of overarching federal legislation, we should consider pivoting our efforts to codifying the best of those state laws into small victories at the federal level.

If asked, many members of Congress would agree they prefer single-subject legislation, so let's give them some. Let's pull the best and most tightly drawn ideas from state bills and deploy them at the federal level, one at a time. For example, a 2023 Pew Research Center opinion survey showed 67% of Americans did not understand what companies are doing with their data. This supports the need for strong notice and transparency requirements for businesses that are found in many consumer privacy protection laws passed at the state level.

The ability for a consumer to access personal information collected by companies, correct that information and have that data deleted upon request is a staple of state-passed privacy laws. Providing a consumer the right to control their data is noncontroversial and if this policy were put before the U.S. Congress it would pass with overwhelming majority in both the House and Senate.

We are all familiar with the "Unsubscribe" link at the bottom of businesses' email solicitations. This ability to opt-out of having personal data processed for advertising purposes is another commonly found provision in state-passed privacy laws. Opt-in provisions are also prevalent but with more nuances. Addressing the opt-out and opt-in rights of consumers at a federal level would offer certainty to consumers and clarity to businesses on how personal data should be treated.

A comprehensive national privacy law is our "Godot" and unlikely to arrive any time soon. Once we understand this, we should look for victories where we can find them. Difficult at best to get through Congress at any time, a comprehensive bill becomes an impossibility during a presidential election year. Pivoting to alternative solutions is something we owe consumers, who just want to know they are protected in this digital age.