Pressure mounts for Congress to come to bipartisan agreement on privacy.
Pressure for federal privacy legislation has been building in Washington, D.C.
Despite efforts to craft a single, bipartisan bill, the U.S. Senate now has before it two competing—but similar—proposals, one from Senators of each party. If legislation is to pass, Democrats and Republicans must find agreement on two issues over which the two competing bills diverge: preemption and private rights of action.
Pressures for federal privacy legislation emanate from three sources. First, 75 percent of Americans want more government regulation over what companies can do with personal data. As Cambridge Analytica, data breaches, and other scandals have mounted in recent years, consumers have lost trust in companies’ use of their data. Advocates have called on the U.S. Congress to fix the “failure” of the current privacy regime.
In addition, companies themselves, especially big tech, have pushed Congress to pass privacy law to establish a national privacy framework to “enable continued innovation” and “ensure that American companies continue to lead a globally competitive market.”
In 2019, private tech firms struggled to comply with the European Union’s new General Data Protection Regulation (GDPR) requirements, and they braced for the first comprehensive privacy law passed in the United States—the California Consumer Privacy Act (CCPA)—which took effect at the beginning of this year.
It is estimated that companies could collectively spend up to $55 billion on initial CCPA compliance, including legal, technical, and operational costs. They could also face even higher compliance costs, however, if other states adopt their own laws that differ from California’s. Several states are actively considering new privacy laws, which, if adopted, would force companies to comply with new, complicated requirements. For this reason, CEOs have urged Congress to pass legislation that would create uniform national standards and preempt state laws.
Federal agencies will not be able to meet the need for uniformity. The Federal Trade Commission (FTC) would be the obvious agency to standardize privacy rules across the country, but its chair, Joseph Simons, has told Congress that the FTC cannot further protect privacy unless Congress gives the agency new authority.
“We have a 100-year-old statute that was not in any way designed to anticipate the privacy issues we face today,” Simons explained during a U.S. House of Representatives subcommittee hearing. “If you want us to do more on the privacy front, then we need help from you,” Simons said.
In response, several legislators introduced privacy legislation in 2019—none of which gained significant traction. At the same time, members of the U.S. Senate Committee on Commerce, Science, and Transportation worked toward reaching agreement on a strong bipartisan proposal.
But negotiations broke down at the end of the year, and Senators instead have released two dueling proposals: Democrats’ Consumer Online Privacy Rights Act (COPRA), and Republicans’ United States Consumer Data Privacy Act of 2019 (CDPA).
The two bills contain “important similarities,” according to Cameron Kerry, a fellow at the Brookings Institution. “Both adopt the same general framework: a set of individual rights combined with boundaries on how businesses collect, use, and share information, all of which would be enforced through the Federal Trade Commission,” Kerry explains. To strengthen enforcement, both bills would expand FTC enforcement authority and give state attorneys general enforcement authority.
In addition, several details in the proposals overlap. For example, both bills would define covered data as “linked or reasonably linkable” to an individual or device. Each would exclude employee data, de-identified data, and public records, and the Republican bill would also exempt publicly available information.
Transparency is also an issue of substantial agreement across both bills. The bills would require companies to disclose privacy policies covering data collected and transferred, processing purposes, retention practices, and how consumers can exercise their rights. The Democratic bill would also require disclosure of the identities of all third parties to which data is transferred.
These minor differences should not be difficult to resolve, Kerry says. But the proposals diverge significantly on two issues that are likely to prove difficult to resolve. If legislation is to pass, Democrats and Republicans must agree on whether to empower individuals to sue companies over privacy violations and whether federal law would override state privacy laws.
The Democratic bill would create a private right of action for individuals to bring civil actions, while the Republican bill would not allow individuals to sue.
Public interest organizations argue that private rights of action are necessary to address civil rights concerns. “Historically, marginalized communities could not rely on government actors to protect their rights; this is why most civil rights laws contain a private right of action,” a coalition wrote in a letter to Congress. Privacy legislation that does not allow individuals to protect their interests should be rejected, they argue.
But some experts, such as Maureen K. Ohlhausen of the 21st Century Privacy Coalition, oppose a private right of action because they “often result in class actions that primarily benefit attorneys while providing little, if any relief to actual victims.” In addition, litigation often forces companies to divert resources away from compliance, which can increase risks to consumer privacy, Ohlhausen says.
The Republican bill would override state privacy and security laws except data breach notification laws. In contrast, the Democratic bill would preempt only directly conflicting state laws and would not preempt state laws that afford greater protections.
Proponents of preemption, such as the Business Roundtable, argue that privacy laws should be applied consistently and uniformly across the country. A patchwork of state laws, they argue, could prevent consumers from understanding their rights and would threaten companies’ ability to remain competitive, as many resources would go towards compliance.
Organizations such as the Electronic Frontier Foundation assert that the only reason many companies are pushing for federal legislation is because states have acted “aggressively” to protect privacy. Federal preemption, they argue, is a means for businesses to avoid tough state laws.
Across the Capitol, members of the House Committee on Energy and Commerce released a bipartisan discussion draft, but the draft does not address private rights of action or preemption—the issues that prevented bipartisan agreement in the Senate.
Lawmakers maintained recently that they remain dedicated to bipartisan negotiations and reportedly are making progress. Three out of four Americans, however, are not confident that the government will hold companies that misuse their personal information accountable. Perhaps Congress will prove them wrong.