After an extended pause due to the coronavirus and the 2020 election, the prospect of a federal privacy law is once again being raised by Congress. Discussions of the several existing bills that were effectively tabled for over a year are resuming, and one that seems to be gaining early traction is the Information Transparency and Personal Data Control Act. First introduced by Rep. Suzan DelBene (D-WA) in April of 2019, the bill covers personal data protection issues championed by Democrats while also attempting to appeal to the business issues raised by Republican legislators who have shown an interest in increased regulation of tech companies.
Is passage of a federal privacy law imminent?
DelBene’s proposed federal privacy law draws from elements of existing legislation, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). It also makes some concessions to Republican positions such that it stands a better chance of getting at least some small amount of support from across the aisle, but ultimately lacks some of the key protections of those other laws.
The proposed federal privacy law has not been altered significantly since it was introduced nearly two years ago. The main reason for its improved fortunes is Democrat control of the legislative and executive branches. Nevertheless, there is bipartisan support for increased regulation of big tech and the bill will need to tap into that to pass. DelBene is well-positioned for this task as the head of the New Democrat Coalition, a caucus of moderate Democrats that position themselves as considerate of the needs of business.
In a statement to Vox’s Recode, DelBene said that it was critical to pass a federal privacy law not just for consumer rights but also to head off developing international challenges. One example would be the invalidation of the Privacy Shield agreement between the US and the EU, something that happened in large part due to a lack of federal privacy laws that are on par with the protections offered by the GDPR.
DelBene’s proposed federal privacy law would overlap with the GDPR to a great degree in its protections of sensitive personal information (such as Social Security numbers and location data) and the consumer right to be notified of and opt out of data sharing. It also has a “plain language” provision that requires privacy policies to be clear and understandable to the average end user.
The bill would be enforced primarily by the Federal Trade Commission (FTC), with state attorneys general able to take up any cases the FTC might pass over. Businesses would be audited for compliance at least once every two years, and the FTC would have the ability to create additional regulations in the future. The FTC would also receive additional funding and manpower (500 new employees and $350 million per year) to tackle complaints.
In addition to an easier environment in which to pass Democrat legislation, DelBene benefits from career connections to the tech industry. Prior to being elected in 2012 she had a career as a tech executive for multiple companies including Microsoft. Those advantages do not make the bill a lock to pass, however. It was not previously considered a frontrunner among the crop of proposed federal privacy laws that appeared in 2019, but there is hope that DelBene’s moderate position combined with the current political circumstances could get this one over the hump.
The bill also contains terms that are more favorable to Republicans who have expressed willingness to accept a federal privacy law, though these terms may dilute the level of consumer protection. While consumers have a solid range of opt-in and opt-out rights under the bill, it lacks language guaranteeing a right to access collected data for the purpose of changing or deleting it. The bill also preempts any state law that protects consumers (such as the CCPA) and would bar a private right of action, meaning that a decision by the FTC or state regulators could not be used as a basis for a class-action lawsuit. It does add one exception to the state preemptions, however: laws that involve biometric information protection, such as the unique Illinois Biometric Information Privacy Act, would continue to be valid.
Support from Big Tech
There is a surprisingly strong movement of support from the private sector for this added regulation as well, though it comes from a different place than consumer concerns. Tech giants that operate across the nation would prefer a single comprehensive federal privacy law to the emerging patchwork of laws simply because the overall cost of compliance would be greatly reduced. But they also hope to embed themselves in the process and ultimately make the national standard’s terms favorable to them. Early reaction to the bill by the tech industry has been positive, with lobbying group NetChoice (which represents Facebook and Google among others) issuing a statement of general support with some caveats about specific elements.
Any federal privacy law that emerges must navigate not only a scrum of competing bills, but also a large collection of emerging state privacy laws. Several states already have some sort of applicable data privacy law on the books, and 15 more are presently considering one. The longer it takes the federal government to coalesce around a proposal, the more likely it is there will be opposition from states that do not wish to see their own laws preempted.
DelBene’s bill is leading the early discussions of federal privacy law, but it will face competition before all is said and done. Sen. Ron Wyden (D-OR)’s Mind Your Own Business Act was a leading contender in 2019 before the coronavirus derailment, and Wyden has said that he intends to reintroduce it. At least nine other members of Congress either had bills out in 2019 that may be reintroduced or have announced that they plan to introduce new bills this year.