Outlook on federal efforts
Congress is attempting to establish a single national standard for consumer privacy. As part of that process, some members are reviewing the GDPR and the CCPA for leading practices and lessons learned. Although a comprehensive privacy bill could move forward and be signed into law this year, legislating will be difficult because:
- Multiple congressional committees have legislative jurisdiction over privacy.
- States with stricter rules (e.g., California) often resist federal preemption of their rules.
- Policymakers in Washington have limited expertise in the operational and technical implications of the policy choices involved.
- The long-standing populist nature of the issue has divided the Republican and Democratic caucuses.
- The increasingly partisan environment also creates additional hurdles in the lead-up to an election year.
Several members of Congress have introduced data privacy bills, but so far these have been viewed as “messaging” positions and are not expected to advance. Some concepts embodied in these bills could be included in a final agreement as details are negotiated; however, it is the chairmen of the committees with primary jurisdiction over consumer privacy — i.e., the Senate Commerce and House Energy and Commerce Committees — who will drive the process.
As Congress considers privacy legislation, the following concepts are expected to be a part of the debate:
- National preemption
- Application to all industries
- Private rights of action
- Consumer rights
- Consumer choice or consent
- Rulemaking authority
The Republicans control the Senate but still need 60 votes to end debate and bring legislation to a final vote. Given the current breakdown, at least eight Senate Democrats would need to support a bill for it to pass and be sent to the House for consideration. The Senate Commerce Committee is working on a bipartisan draft bill, but the timing and path forward are not clear. Other committees, such as the Senate Banking Committee, are also considering their role in consumer privacy reform.
Democrats control the House, and many members, including Speaker Pelosi, are likely to have significant concerns about a federal law that would preempt the CCPA or their own state’s efforts (see further discussion in the US state activities section). Many moderate Democrats, however, support preemption, so the party appears divided on the foundational issue of preemption.
Some Democrats support the CCPA or the GDPR as the floor for federal legislation, others oppose federal preemption outright, and many members have not had enough time to fully consider the issue. There is also disagreement among Democratic leaders on the Energy and Commerce Committee, which has primary jurisdiction over consumer privacy in the House; this is likely to slow the process further. Some House Democrats have suggested that they may have to wait for a bipartisan bill to come from the Senate before the House is able to act.
Trump administration efforts
Heeding concerns from the business community and various privacy stakeholders, the Trump administration announced its support for a national unified privacy standard and called on Congress to establish it after a series of listening sessions driven by the White House’s National Economic Council.
The administration also announced that the National Institute of Standards and Technology (NIST) would develop a voluntary, enterprise-level framework to help organizations manage privacy risk. NIST has released an initial discussion draft of the framework for feedback. Comments will not be made public; they are intended to inform NIST’s ongoing stakeholder engagement.
In a parallel and coordinated effort, the Commerce Department’s National Telecommunications and Information Administration (NTIA) released a broad framework outlining the administration’s approach to privacy and invited stakeholders to comment. The NTIA framework was viewed as a signal to the global market about the direction the White House wanted Congress to pursue.
US state activities
About 30 states are considering consumer data privacy legislation, biometric data rules or updates to their data breach statutes. Most of this proposed legislation is not as comprehensive as the CCPA; instead, many states are considering laws that focus on one specific area or industry, such as data brokers. For example, Vermont became the first state to regulate data brokers that collect and sell personal information about consumers, with a law that took effect on 1 January 2019.
There are several states, however, that are following in California’s footsteps and considering comprehensive consumer privacy legislation. More details should come into focus as states move forward with their legislative processes.
International developments: GDPR remains most consequential
To date, more than three dozen countries have adopted policies and rules aimed at protecting consumer data privacy, and many more are considering proposals. Of these, the EU’s GDPR is the most impactful. In effect since 25 May 2018, the GDPR includes requirements for data protection impact assessments (often called privacy impact assessments), privacy by design, stricter consent standards, new data subject rights, appointment of a data protection officer in certain circumstances, new obligations imposed directly on data processors, notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them (where feasible), and new accountability requirements.
The GDPR applies to organizations established in the EU when personal data is processed in the context of the activities of that EU establishment, regardless of where the processing itself takes place. It also applies to organizations established outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. Although the GDPR is directly applicable as an EU regulation, most Member States have enacted national data protection laws that supplement it, using the derogations the regulation permits.
EU Member States’ data protection authorities (DPAs) have taken different approaches to enforcement, and there has been little clarity on how fine amounts are determined. Fines for an infringement can be substantial: up to €20 million or 4% of total annual worldwide turnover, whichever is higher. However, only a relatively small number of reported data breaches have been investigated and resulted in fines, and among those cases the amounts vary widely, from less than €5,000 to more than €50 million.