Positioned for Progress: The Opportunity to Enact Consumer Privacy Legislation in the 117th Congress
“When nothing seems to help, I go and look at a stonecutter hammering away at his rock, perhaps a hundred times without as much as a crack showing in it. Yet at the hundred and first blow it will split in two, and I know it was not that last blow that did it, but all that had gone before.” – Jacob Riis
In recent years a sustained push to enact baseline consumer privacy legislation in the U.S. has been undertaken by bipartisan policymakers and supported by broad stakeholder coalitions. Ultimately, these efforts came up short during the previous Congressional session, leaving America at risk of emerging as the only major economic power without a comprehensive regime governing the collection and use of consumer data. However, building upon the insight and momentum of previous engagement can position the new Administration and Congress to move long-awaited privacy legislation over the finish line. To that end, today DisCo is launching a resource page tracking the key federal privacy bills, Congressional hearings, and stakeholder model laws that can help provide the groundwork for enacting a comprehensive U.S. privacy framework.
In the absence of a comprehensive federal privacy framework, the U.S. has historically enacted privacy laws governing particular economic sectors or uses of information. While this approach has had the benefit of targeting greater protections towards higher-risk practices such as the management of health and financial data, it has come under increasing stress as the scope of collection and usage of personal information has expanded. The lack of a unified nationwide approach to privacy has also triggered discordant legislative and regulatory processes at the state level, resulting in rapidly shifting compliance targets that threaten to erect significant burdens for businesses without the benefit of clear and consistent privacy rights and protections for American consumers. Abroad, the implementation of the European General Data Protection Regulation (GDPR) has spurred the ongoing enactment and review of similar privacy laws in scores of countries. As a result, America’s window to play a leading role in contributing to the development of global privacy standards in line with our democratic values is narrowing.
The reasons to prioritize enacting comprehensive privacy legislation are significant and noncontroversial. Clear guardrails to ensure fair and accountable data processing will protect individuals and groups against harmful uses of information and support the consumer trust that underpins the digital economy and data-driven innovation. Furthermore, enacting a globally interoperable privacy regime will also bolster American economic revival and leadership by facilitating the availability and security of the cross-border data flows that support both international trade and the provision of digitally-enabled services.
Where the U.S. Privacy Debate Stands
The value of individual privacy is ingrained in American law and society and many of the principles that animate global data protection regimes are rooted in privacy management frameworks originating in the U.S. Longstanding goals for enacting federal consumer privacy legislation received a boost in 2018 when a convergence of foreign and domestic influences raised privacy issues high on the Congressional tech agenda. These efforts enjoyed bipartisan support and encompassed an extended series of hearings and the introduction of over a dozen comprehensive privacy bills. The progression of these hearings and legislation demonstrate a clear elevation of lawmaker expertise on consumer privacy which has brought key issues into greater focus and moved Congressional leaders closer to a realizable privacy framework.
Several legislative contributions stand out as particularly significant. In the House Energy and Commerce Committee, bipartisan staff jointly developed a draft privacy bill for stakeholder input. In the Senate, a bipartisan working group of Commerce Committee members engaged on consumer privacy throughout much of 2019. Despite failing to coalesce behind a single legislative approach, this collaboration resulted in the development of two distinct bills from Committee leadership: Senator Wicker’s “SAFE DATA Act” and Senator Cantwell’s “Consumer Online Privacy Rights Act.” Analysis of these bills reveals that they share many similarities in both structure and substantive elements including:
- Scope of covered information and distinctions between sensitive and non-sensitive data.
- Consumer rights such as the ability to access, correct, and delete personal information and control over the use of sensitive personal information.
- Obligations for covered entities including transparency, risk assessments, and data security.
- Empowering the Federal Trade Commission (FTC) to serve as the primary privacy rulemaking and enforcement authority.
Ultimately, the ongoing COVID-19 crisis put broader consumer privacy efforts on hold for much of 2020. Nevertheless, public and private efforts to track and inform the public health response to the pandemic have spurred new thinking (and legislation) on how inherently sensitive but socially valuable categories of information such as health and location data can be safely used. The transition of many professional, social, and healthcare activities to a digital environment due to the pandemic has also underscored the need to protect the privacy and security of individuals’ data. Going forward, policymakers are well positioned to resume work on consumer privacy and tackle outstanding issues that have complicated prior efforts.
Overcoming Final Roadblocks
Despite bipartisan consensus on the necessity for enacting federal privacy legislation and broad agreement on many substantive privacy rights and organizational responsibilities that should animate an ideal law, efforts to pass a comprehensive framework have encountered persistent sticking points. The first is preemption, the extent to which a federal law should override contradictory and duplicative state laws governing data privacy. Second, whether a private right of action can be included in a privacy framework without opening the floodgates to a deluge of opportunistic litigation that skews compliance incentives away from substantive, risk-based privacy management.
While there is no single simple solution to these “endgame issues”, opportunities to break through the apparent impasse remain available. As FTC Commissioner Phillips has noted, in the scope of federal privacy legislation, the topics of preemption and private rights of action are “fundamentally secondary in the sense that they are mechanisms to effectuate the will of Congress.” Where stakeholders appear to be entrenched at odds, efforts should be made to reorient the discussion around the shared goals for privacy legislation implicated by these issues: to provide meaningful protections that retain necessary flexibility in an evolving technological environment. Furthermore, debate over these enforcement issues has largely occurred in the abstract and friction between stakeholders is likely to lessen when policymakers converge around substantive legislative text that provides for strong consumer rights and robust regulatory enforcement.
There is no doubt that the new Administration and Congress will face a series of urgent national priorities as well as pressures to act on contested topics both inside and outside the tech agenda. However, engagement on consumer privacy is a ‘shovel ready’ project, benefiting from a rare trifecta of bipartisan support, existing lawmaker expertise, and legislative groundwork. The opportunity for enacting comprehensive privacy legislation is available, but it shall be up to policymakers to strike the final blows necessary to finally enact a robust, flexible regime for the protection of personal information.