High growth companies, tech startups, and companies forging markets that didn't exist five to ten years ago have all been faced with growing pressure surrounding any number of issues. Those are particularly acute when it comes to privacy and data protection.
The legislative debate surrounding that isn't showing any sign of letting up soon. In a year that's starting off with uncertainty due to an election let alone the impeachment trial, CQ News previews what might happen on data privacy this year.
For more than a year, technology companies and privacy advocates have been pushing lawmakers to pass a federal data privacy bill to protect consumers whose information is hacked, or used improperly by online companies. In the absence of one, companies and advocates have argued, a state-by-state patchwork will create confusion over the rules of online commerce.
Where It Stands
Wide swaths of the tech industry as well as privacy advocates have been urging Congress since the summer of 2019 to pass a federal data privacy bill.
Back in 2015 when the Obama administration tried to float a privacy bill, tech companies successfully scuttled the effort.
The recent push for federal legislation to protect the privacy of American consumers online gathered steam after the European Union began implementing data privacy rules known as General Data Protection Regulation, or GDPR, in May 2018, and then California passed a Consumer Protection Act that took effect Jan. 1.
The GDPR and California privacy laws offer affirmative rights to consumers about data being collected on them by online companies. These include the right to know what is being collected; to access such data; delete, correct, or erase data; carry one’s data from one company to another; and in California’s case, the right to opt out of one’s information being sold to other entities.
The California law is more expansive in its definition of personal information to include information collected by companies from members of a household. Among other remedies the state law also allows consumers to pursue a private lawsuit against companies.
After months of congressional hearings in both chambers, lawmakers have proposed as many as 35 bills that deal with various aspects of data privacy, and some key lawmakers have draft proposals that have yet to be formally introduced.
Key legislative proposals include a draft bill prepared by the staff for Sen. Roger Wicker, the Mississippi Republican who chairs the Commerce, Science and Transportation Committee, and a bill sponsored by Washington Sen. Maria Cantwell (S 2968) that’s backed by fellow Democrats Amy Klobuchar of Minnesota, Edward J. Markey of Massachusetts and Brian Schatz of Hawaii.
The Wicker and Cantwell proposals join others from House members. In November, two California Democrats, Zoe Lofgren and Anna Eshoo, unveiled a data privacy bill (HR 4978) that would go further than other similar measures.
Most of the bills broadly agree on the kinds of data that would be included in the definition of private information, and give consumers rights both to opt in as well as opt out of specific online collection and dissemination practices.
Wicker’s draft and Cantwell’s bill also would require companies to conduct assessments of whether algorithm-based decision-making by companies creates bias against any categories of people, and require the Federal Trade Commission to publish periodic reports on such assessments.
Most bills also would address ways to expand the size and scope of the FTC to write new rules, supervise companies and hold them accountable for violations. Lawmakers generally agree that in addition to the FTC, state attorneys general would have the authority to enforce a federal data privacy law.
Some bills like the Lofgren-Eshoo proposal would create a new federal Digital Privacy Agency that would enforce users’ privacy rights, modeled along the lines of similar government entities in Europe. The agency would employ as many as 1,600 employees and be an independent entity, the lawmakers have said.
The key difference between Republican and Democratic proposals is whether consumers would have the private right to sue companies, as the California law provides, or whether the federal law should take away such a right.
Tech companies and their advocates are asking lawmakers to do away with private right of action while consumer advocacy groups are pushing to preserve it, arguing that consumers should have the right to sue in limited circumstances when a company flouts privacy protections in an egregious manner.
Democrats and Republicans have said a federal data privacy law is imperative. In early December, Wicker said, “it is clear that Congress needs to act now to provide stronger and more meaningful data protections to consumers and address the privacy risks that threaten the prosperity of the nation’s digital economy.”
A federal data privacy bill is likely to be one of the few bipartisan measures to emerge in the first half of 2020 after Congress is done handling President Donald Trump’s impeachment proceedings.