What Could a Federal Data Privacy Law Look Like?
About a month ago, we advised readers that they should look to the states, rather than Congress, to see substantial progress on data privacy legislation over the next few months. That assertion holds, but even with Congress’s hands full with spending bills, the border wall and healthcare, federal lawmakers will continue to debate data privacy legislation in the weeks ahead, even if it is incredibly unlikely that a data privacy bill is enacted into law anytime soon.
As we noted in August, bipartisan compromise will be difficult to forge, but there is a path forward. Today we take a deeper dive into where federal legislation stands, and where the discussion might end – when (and, perhaps more to the point, if) it does.
The necessity for federal data privacy standards has been around for as long as the internet, and lawmakers became all but frantic in the wake of the Cambridge Analytica affair. Additionally, with the California Consumer Privacy Act (CCPA) set to go into effect on January 1, 2020, and several other states either contemplating or having already enacted their own data privacy frameworks, Congress is feeling the heat.
Their eagerness has been tempered, as we have previously discussed, by the fact that Democrats want legislation that allows states – like California – to maintain higher standards on data privacy than federal rules might apply. Republicans, on the other hand, believe a patchwork of cumbersome state regulations will bog down companies’ abilities to adhere to privacy standards and are insisting that any federal data privacy standard preempt state law. (The notion that, in this instance, Democrats are arguing for states’ rights and Republicans are fighting for stronger authority at the federal level being simply the latest indicator of a topsy-turvy political environment.)
Republicans have an important ally in this fight. Industry advocates want a national standard for the very reasons GOP lawmakers do. Compliance across 50 states, many of which may have markedly different frameworks, would be an enormously difficult burden.
As a result, most of the legislation House and Senate offices have produced has focused on a national standard. The most popular of these bills are Sen. Marsha Blackburn’s (R-TN) BROWSER Act of 2019, Rep. Suzan DelBene’s (D-WA) Information Transparency and Personal Data Control Act, and the Social Media Privacy and Consumer Rights Act offered by Sens. Amy Klobuchar (D-MN) and John Kennedy (R-LA). House Energy and Commerce Committee Frank Pallone (D-NJ) and Senate Commerce Committee Chairman Roger Wicker (R-MS) also have offered legislation that would create a federal data privacy framework.
Even with some Democratic names attached to them, none of these measures have attracted enough support to push through the legislative process, mainly because Democratic leadership in the House believes they are not strong enough. These leaders, along with consumer groups and privacy advocates, repeatedly have said they will not support federal legislation that provides for the potential weakening of strong state standards, like the CCPA. For those advocating for a preemptive federal standard, it doesn’t help that the House Speaker, Nancy Pelosi (D-CA), is a Californian who has repeatedly praised the CCPA.
Work in the committees of jurisdiction also is slow-going.
In the Senate, the Commerce Committee – the panel with broad jurisdiction over consumer data – has had vague discussions about a path forward. Progress by the committee’s privacy working group has stalled, however. Other committees, including the Senate Banking panel, have held hearings that address discrete elements data privacy. That effort includes a July hearing that examined Facebook Libra’s proposed digital currency and the data privacy implications that it raises. The Senate Judiciary Committee also held a hearing this summer that addressed the notion of child privacy laws. Neither committee has yet produced a legislation to advance on either score.
In the lower chamber, the House Energy and Commerce Committee has, under the leadership of Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL), begun to push a separate bill with state preemption provisions not popular among Senate Republicans. This legislation could conceivably attract sufficient support from House Democrats to pass that chamber, but it will not see the light of day in the GOP-controlled Senate.
Nevertheless, leaders from both parties and in both chambers of Congress are adamant that they want a comprehensive, bipartisan bill to be introduced by the end of 2019. (A timeline that, again, acknowledges the importance of California’s standard.)
So – what would an eventual compromise look like?
Well, at its foundation, it probably will look awfully similar to the CCPA.
The CCPA considers the new digital landscape in which consumers interact and provides several tools to consumers to empower them to protect their data privacy, a common theme lawmakers, industry, and consumer advocates all embrace.
Specifically, the act allows consumers to opt out of the sale of their identifiable information while embracing their right to know, access, and delete what information companies hold about them. Californians will have the right to ask, free of charge, about what data has been collected about them in the past year as well as the third parties that have gained access to their personal information. The law includes protections for children and a 45-day grace period for businesses to comply with consumers’ requests.
Additionally, the CCPA imposes penalties on companies for privacy violations, including the ability for consumers to exercise private rights of action for a security breach.
To be clear: California lawmakers have introduced numerous bills since the CCPA became law to clarify the scope of the Act prior to implementation; the jockeying in Sacramento has been a boon to the California lobbying industry. Amendments to the law currently being considered include the removal of certain categories of data – namely employee and contractor information – from the scope of the law and the need to protect businesses’ preferred treatment of consumers who have opted into loyalty programs. It remains to be seen whether these changes will meet the fall deadlines for floor consideration, but they are debates federal lawmakers should – and are – watching.
Even with the CCPA as a guide, proponents of a federal standard are concerned about how far it should go to provide more consumer choice while not grinding online commerce to a halt. Federal legislation must strike an appropriate balance between supporting consumer empowerment and supporting strong protection standards for consumers and businesses alike.
Additionally – and significantly – a major question still exists in Washington regarding what federal agency should have authority over data privacy issues, and whether they should have the authority to establish rules or enforce current practices. In January, the Government Accountability Office (GAO) released a report that points to the Federal Trade Commission (FTC) as the most reasonable choice. Many in industry agree, citing the agency’s authority to weed out “unfair or deceptive” consumer practices and the FTC’s existing authority to issue and enforce regulations on the collection of data on children under 13 years old. In its report, however, the GAO does question whether the FTC has the bandwidth to oversee an issue as broad and impactful as consumer data, or if a new governing arm, similar to Canada’s Office of the Privacy Commission or the European Union’s European Data Protection Supervisor, should be established. (Legislation being contemplated by House Democrats would, for example, create a new federal agency whose sole focus would be consumer data protection.)
The most important issue facing federal lawmakers, though, is the need to protect innovation while also protecting consumers. Indeed, the GAO urges Congress to consider how to “balance consumers’ need for internet privacy with industry’s ability to provide services and innovate.” Strict privacy regulations may result in compliance challenges that are too cumbersome for businesses, and consumer skepticism increases when privacy protections are too lax. Europe is starting to feel the effects of the General Data Privacy Regulation’s (GDPR) inability to balance the two. Many U.S. businesses, for example, are not able to comply with the European regulation’s high bar for compliance or are scared off from offering their services in Europe due to the significant potential fines for non-compliance, which could be as high as four percent of a firm’s global annual revenue.
These are the issues facing lawmakers in Washington as they contemplate a federal data privacy standard, and the likely parameters of what one might look like. But for now, given the rancor and politicization of nearly every policy issue inside the Beltway, keep looking to the states to see progress on this score.