By Claudia James and Beth Inadomi
As the 115th Congress winds down, digital privacy policy is heating up, driven by a new California privacy law and the European Union’s implementation of the General Data Protection Regulation (GDPR) – a digital privacy framework which impacts US companies doing business in Europe. And while executives from Facebook and Twitter were back in the hot seat last week testifying on their respective companies’ privacy policies and the handling of consumer data, there seems to be an evolving consensus among industry that a federal bipartisan solution may be preferable to a patchwork of state laws. Recent news reports that the US Chamber of Commerce is working on a federal privacy proposal signal that industry may be weighing the impact of California’s comprehensive online privacy bill against federal privacy legislation that preempts state laws.
California’s New Model
While past legislative and regulatory efforts ran into intractable stakeholder interests from consumer groups and business, the California Consumer Privacy Act – signed into law on June 28, 2018 – may do what California legislation often does – serve as a catalyst for federal action. As the nation’s first sweeping privacy law, the Act gives consumers several rights related to access, use and storage of their personal data, including the right to know what personal information is being sold or disclosed; the right to delete personal data; and the right to stop a business from selling their information. The law also prohibits companies from charging or treating customers differently if they opt out of having their data sold. In a victory for child privacy advocates, the law also restricts sharing and selling of data for consumers under the age of 16.
The California Consumer Privacy Act applies only to residents of the state, though the law has broad impacts. Online data is collected by companies across sectors. Further, many companies that deal with consumer data have business interests in California, the fifth largest global economy. It may be more cost-effective for companies doing business in California to choose to apply the state’s stricter privacy standards across borders rather than try to adhere to other individual state requirements that are less stringent.
The new California privacy law was remarkable in that it was introduced, considered and passed by both the Assembly and Senate and signed into law within a week. It was the focused compromise among legislators and stakeholders to head off a popular initiative that, if adopted by Californians this November, would have made subsequent changes onerous if not impossible. The Act’s effective date is January 1, 2020, ensuring that for the next several months California will be hashing out amendments to its new privacy law and serving as center stage for the implementation of a digital privacy framework in the United States. Privacy advocates, emboldened by success in the Golden State, are working to introduce bills and amend existing statutes in other jurisdictions to give consumers greater say over their personal data.
Federal Legislation and Preemption
The road to federal privacy legislation has been fraught with roadblocks and potholes. Legislative efforts began over 16 years ago but bills have stalled at various points along the way.
However, there have been recent attempts to reignite the debate. Sens. John Kennedy (R-LA) and Amy Klobuchar (D-MN) introduced a bipartisan bill in April to strengthen privacy policy disclosure requirements for companies and ensure the right to allow people to opt out of data collection; Sens. Ed Markey (D-MA) and Richard Blumenthal (D-CT) also introduced a bill in April that would require opt-in consent for companies to collect or use personal data; and Senate Commerce Committee Chairman John Thune (R-SD) as well as other Commerce Committee colleagues are working on data privacy legislation. Should Democrats gain control of the House of Representatives in the midterm elections, the House could embark on legislating a strong federal privacy bill in the new Congress.
As with efforts to address data breaches, federal policymakers have grappled for years with what level of federal regulation to impose and whether to include preemption. Privacy advocates will press for the federal bill to be a floor, allowing states to go further. Industry will want preemption as a condition of agreeing to a federal statute and will differ with privacy proponents on the amount of federal regulation. This tension has contributed to the demise of previous privacy legislative efforts.
Administration Action
As the 115th Congress draws to a close, the Administration is stepping up its activity on privacy policy. The National Telecommunications and Information Administration (NTIA), part of the Department of Commerce, is developing its policy approach on consumer data privacy and its final product will undoubtedly impact congressional policymaking deliberations in the new Congress. The National Institute of Standards and Technology (NIST), also part of Commerce, recently announced it will be developing a privacy policy framework with voluntary guidelines for protecting privacy amid new technologies such as the Internet of Things and artificial intelligence.
Concurrently, the Federal Trade Commission (FTC) is pursuing its own path. Starting this week, the FTC will embark on a series of hearings regarding competition and consumer protection in the 21st century that will include consumer privacy issues. According to the FTC, the extensive review is driven by broad-based changes in the economy, new technologies, changing business practices and international developments. The review “may identify areas for enforcement and policy guidance, including improvements to the agency’s investigation and law enforcement processes, as well as areas that warrant additional study.”
What to Anticipate
According to a poll this spring, 71 percent of consumers in the US are concerned about how companies use and protect their personal data. As attention turns to the midterm elections, digital privacy issues will simmer, but ongoing and unaddressed issues of data breaches, unregulated selling of personal data to third parties, implementation of the EU’s GDPR and the recent enactment of the first comprehensive digital privacy act in California together may provide the critical mass necessary to carry forward a federal digital privacy framework in the 116th Congress. Whether the next move is at the state, federal or international level, Cogent Strategies is engaged in the privacy policy debate, helping clients to navigate the ever-changing roadmap for this dynamic issue.
Claudia James leads Cogent Strategies’ technology, telecommunications, media and intellectual property practice. She has extensive working relationships with the judiciary and commerce committees in both the US Senate. Claudia was previously the vice president for government relations and associate general counsel at the American Newspaper Publishers Association.
Beth Inadomi provides strategic and political guidance to Cogent Strategies’ clients based in or doing business in California, as well as those clients who are interested in doing business in California. A recognized leader in technology policy, she offers expert counsel on issues related to clean technology, information technology, biotechnology and aerospace. She also serves as the firm’s nexus in Sacramento.