There was widespread sentiment six months ago that 2019 was the year when Congress would finally pass a comprehensive federal privacy law. There were several grounds for this view.
- Whatever the flaws of the General Data Protection Regulation (GDPR), the online ecosystem did not collapse following its May 2018 effective date, showing that implementing a broad privacy law was workable, at least in principle.
- A number of high-profile data breaches and concerns about the way major online platforms might be affecting the political process had captured the attention (and incurred the ire) of a bipartisan group of members of Congress.
- The January 1, 2020 effective date of the California Consumer Privacy Act (CCPA) created a real-world deadline by which online entities would have to comply with significant—even onerous—new privacy-related obligations.
- Major industry groups and individual firms (notably but not exclusively Apple) publicly stated support for comprehensive federal legislation.
Building on these developments, a number of U.S. senators and representatives from both sides of the aisle introduced bills that differ in important ways but would, if enacted, fundamentally recast the federal privacy landscape. A bipartisan crew, at times comprising 4-6 members, repeatedly teased comprehensive federal legislation.
But by the summer recess, it seemed like momentum for a new law had stalled. As we await Congress’ return on September 9, should we write off the prospect of legislation this year?
Notwithstanding bipartisan belief that something needs to be done, online privacy is a thorny and multifaceted issue about which there are serious disagreements among industry, public interest groups, and legislators with different ideological predilections. Two of the big areas of disagreement are whether:
- A new federal privacy law should preempt potentially more stringent state-level laws, or merely establish minimum obligations to which states can add; and
- Private citizens should have the right to sue companies for violating the new standards, or enforcement should be limited to the FTC, supplemented, perhaps, by state Attorneys General.
Legislators disagree on many other points as well. For example, there’s no consensus on whether opt-in consent should be limited to “sensitive” data, or—GDPR-like—should apply to all personal data by default. Some senators have suggested the notion of “consent” is itself suspect, due to possible manipulation by the architecture of online experiences.
Some of the proposed bills would directly regulate what online entities (and others, such as data brokers) can do with personal information. Other bills would simply require entities to fully disclose what they will do with information.
In addition, some legislators have proposed more focused bills that do not try to comprehensively address the entire privacy landscape. These more limited proposals include:
- Establishing ownership rights in one’s personal information, so that online entities would need a “license” to collect and use it;
- Placing limitations on what can be done with information about voters;
- Requiring entities using algorithms to make high-risk decisions about consumers to assess the operation and impact of those algorithms; and
- Requiring large publicly traded companies with significant troves of consumer information to report the value of that information both to the SEC in public filings, and to each consumer about whom the company has data.
Further complicating things, there may not be consensus on what types of privacy “harm” Congress ought to mitigate. Large data breaches seem to get the most attention and generate the most public outrage, but the high-level solution to that problem—better data security—does not directly relate to GDPR-like or CCPA-like concerns over what online entities can do with the data they have, or what rights consumers have to get access to, delete, and restrict the sale or use of data about them.
All of this suggests that, despite earlier enthusiasm, federal privacy legislation isn’t going to happen in 2019.
One critical factor distinguishes privacy legislation from other issues where agreement cannot be reached: the impending effective date of the CCPA. In a normal legislative debate, those opposing new obligations have the advantage; it is a lot easier to kill a bill than it is to pass one, at least when killing a bill means that new obligations are, in fact, avoided.
In this case, though, if Congress fails to act, the CCPA goes into effect, imposing a wide range of complex, costly, and onerous obligations on (effectively) any entity doing business in California and collecting data about California consumers—which means, of course, most large consumer-facing entities in the country. And without federal preemption, any other state could follow suit, either for the online ecosystem as a whole, or (as Maine just did) for particular industry segments, like broadband ISPs.
But while many observers expected a number of states to follow California’s lead this year by enacting comprehensive privacy legislation, none did.
Given this, industry may well be concluding that accepting the burdens of the CCPA—and potentially other state legislation as well—is better than accepting whatever federal obligations would be included in a bill that would pass muster with the regulation-friendly legislators whose sign-off will ultimately be needed to actually pass a new federal privacy law.
After all, the private right of action contained in the CCPA is limited to data breaches, and efforts to expand it failed in the California legislature. Furthermore, industry might conclude that the inevitable problems that will arise once the CCPA goes into effect might provide evidence that regulation on that scale doesn’t work nearly as well as its proponents hope.
While this suggests that we won’t see a new law in 2019, industry may find that—with apologies to Samuel Johnson—the prospect of being subjected to the CCPA (and perhaps other state regulations as well) “focuses the mind wonderfully.” The Senate is scheduled to be in session up until Friday, December 13.
Until then, it is best to think of federal privacy legislation as resting, rather than actually dead.