A federal privacy law is still a blip on the horizon.
But listening to members of the Senate Commerce Committee dig into the details on legislative proposals to protect consumer data privacy at a hearing on the topic held Wednesday morning, you wouldn’t be laughed out of a room if you said that a bipartisan consumer protection law is at least a possibility in 2020.
“We have a lot of bills, but we have no federal law – I want a law,” said Sen. Richard Blumenthal, D-Conn. “[Here’s] a bulletin from outside the Beltway: People are angry and scared more than ever before.”
That’s why we’re seeing states making attempts to pass privacy laws of their own – there are more than a dozen with bills and proposals at varying stages of completion, beyond California and Nevada, which both successfully passed privacy legislation this year.
The idea of a national privacy regulation has been knocking around DC for a long time. The House of Representatives first convened a bipartisan privacy working group way back in 2013, pointed out Sen. Marsha Blackburn, R-Tenn.
“To think that it’s taken so long to move in this direction is really surprising,” she said.
The recent flurry of privacy bills and regulatory framework proposals shows that the bus might actually be starting to accelerate.
In October, Democratic Reps. Anna Eshoo and Zoe Lofgren of California introduced the Online Privacy Act. In mid-November, top Democrats in the Senate released a series of principles designed to underpin a framework for federal privacy legislation. The following week, Sen. Maria Cantwell, D-Wash., ranking member on the Senate Commerce Committee, introduced the Consumer Online Privacy Rights Act, which aims, among other things, to establish a clear set of consumer data rights.
On the other side of the aisle, Sen. Roger Wicker, R-Miss., is drafting a privacy bill that would give consumers more control over their data, but also override state-based laws, like the CCPA.
On top of that, lobbying groups and trade associations are also drafting legislative frameworks, including, most recently, Privacy for America, a coalition comprised of the 4A's, ANA, IAB and NAI, which is pushing for legislation that relies more on consumer protection than on notice and choice.
The purpose of the hearing on Wednesday was to sift through the growing heap of proposals and gather information on what should make it into a national law, and what should hit the cutting room floor.
These are a few of the top remaining open questions:
Should a federal privacy law preempt state-based laws, like CCPA? Most Republicans are in favor, while most Democrats would only support preemption as long as the eventual national standard isn’t watered down in any way.
Private right of action
Should consumers have the right to sue – or participate in class-action lawsuits – if a company violates the law? As of now, a limited private right of action under CCPA allows consumers to take action in the event of a breach. Any other enforcement action is at the pleasure of the attorney general.
Point: “When you have strong laws that give the FTC additional powers and tools, empower 50 AGs to bring these actions – I don’t see how [a private right of action] gives consumers any additional benefit,” said Maureen Ohlhausen, former acting chair of the Federal Trade Commission and co-chair of the 21st Century Privacy Coalition.
Counterpoint: “Now is not the time for a light-touch approach … the true force multiplier would be to have a private right of action,” said Laura Moy, executive director and associate professor of law at the Georgetown Law Center on Privacy & Technology.
In order to be enforceable – and understandable to the average consumer – a federal privacy law needs to clearly define its terms. But what counts as substantial injury? How do you define harm? Who is a reasonable user?
“There is a difference between the collection of data and the fact that some people find that creepy and a harm in and of itself, and a data breach – they are two different things,” said Sen. Mike Lee, R-Utah. “How would you characterize the harm or injury consumers experience through the transfer of data vs. a data breach?”
A national privacy regulation is only as good as its enforcement mechanisms. Most lawmakers agree that the FTC should be given extra powers and resources to carry out the tenets of the law, but the agency will need a heck of a lot more than it’s got.
The FTC only has somewhere between 40 and 60 people working on data privacy and security issues. For comparison’s sake, the United Kingdom’s Information Commissioner’s Office has 500 people, while the data protection authority (DPA) in Ireland has around 100 employees. And simply giving the state AGs the power to enforce a federal privacy law within their jurisdictions won’t help much. The California AG’s office has said it only has enough resources to prosecute around three privacy-related cases a year.
In Microsoft corporate VP and deputy general counsel Julie Brill’s opinion, the FTC needs at least 500 people focused on consumer data and privacy in order to do its job properly.
“Most DPAs for much smaller countries are much better staffed than the FTC,” said Brill, a former commissioner of the FTC. “When you try and do it on a per capita basis, it gets scary – the paltry resources the FTC can devote to this issue.”