Is This the Congress to Pass Privacy Legislation?
Enacting a national consumer privacy framework is a clear priority among leaders on Capitol Hill in both parties and with the incoming Biden-Harris administration. Following the election in November, the NAI held a great panel discussion exploring the outlook for a national consumer privacy framework in 2021, with a focus on key issues for digital advertising. (If you missed it, you can watch the recording here.)
The results of the recent Senate runoff elections in Georgia are likely to have a major impact on the national privacy debate. After Joe Biden and Kamala Harris are inaugurated, Democrats will take control of all the major tech policy apparatus in Washington: the White House, both houses of Congress and the Federal Trade Commission (FTC). That will impact the direction of draft legislation coming out of the gates. As the 117th Congress gears up, these are the key issues we are tracking.
Major Areas of Agreement
First, and most importantly, belief in the need for a federal privacy law remains strong on both sides of the aisle. Incoming Senate Commerce Committee Chairwoman Maria Cantwell (D-WA) introduced the Democratic proposal, the Consumer Online Privacy Rights Act (S. 2968), in the last Congress. Last fall, then-Senate Commerce Committee Chairman Roger Wicker (R-MS) introduced the Republican proposal, the SAFE DATA Act (S. 4626). While these proposals don’t line up exactly, there is general agreement on multiple key issues, such as establishing a clear set of “rights” for consumers, including enhanced data transparency requirements and consumer control over their data (generally this includes access, deletion and portability, and in some cases, correction). In the wake of the California Consumer Privacy Act (CCPA), these rights aren’t likely to require too much wrangling or pushback from the business community.
There is also agreement on key aspects of enforcement. Both proposals would empower the FTC as a strong lead regulator, and provide for joint enforcement with state attorneys general, with penalties for privacy violations. These are key elements that will benefit consumers and businesses alike.
Challenges and Potential Pitfalls
It’s no secret that federal preemption and a private right of action are the two major fault lines threatening consensus for a national privacy framework. If preemption is going to happen, House Speaker Nancy Pelosi (D-CA) and the 52 members of the House from California need to be confident that the law is a lasting improvement over not only the CCPA, but also the recently enacted California Privacy Rights Act (CPRA). And if the third time is the charm for the Washington Privacy Act, Chairwoman Cantwell will need sufficient motivation to preempt her state’s new law. So the bar could be getting higher on preemption. Given that the CCPA already has a limited private right of action for data breaches, and a new Washington law could provide a new right for Washingtonians, it would be difficult for a national privacy law to take these rights away.
Beyond these major issues, there are several others where alignment will be necessary. The role of consent will continue to be a major area of debate. Despite widespread agreement among privacy experts and policymakers that broad consumer consent requirements have limited value, both Republican and Democratic Senate proposals doubled down on this approach in the last Congress. Not only are broad consent requirements for data collected via the internet likely to be a key component of any federal law, but such a law is also likely to include protections from “dark patterns,” or deceptive business practices that mislead consumers or coerce consent.
There is also debate about the role of large tech platforms; the use of algorithms; and the elephant in the room, online content moderation. If congressional drafters of a national privacy framework dive into this rabbit hole, the likelihood of passage during the 117th Congress is quite low.
To get to an effective national privacy law, Congress and the new administration should focus keenly on the role of the FTC as a strong national regulator. While there is agreement on this conceptually, there needs to be more focus on specific reforms and new regulatory authority for the FTC to effectively protect consumers from unexpected and harmful misuses of their personal data. If Democrats and Republicans can reach consensus on this key issue, including substantial additional resources, it could take substantial pressure off the preemption debate, obviate the need for a private right of action, and provide the type of national regulatory oversight—in conjunction with state AG enforcement—that is much needed, but that the states are ill-equipped to provide through a patchwork of laws.