In the wake of landmark privacy laws that have taken effect in California and the European Union during the past two years, pressure has been building on Congress to set uniform rules for protecting consumer data in the U.S. But while federal lawmakers generally agree that such legislation is necessary, they continue to contend over the breadth of companies' compliance obligations and how the law should be enforced, with Democrats proposing to allow states to enact stronger protections like California's and allowing individuals to sue for damages from data breaches, and Republicans taking the opposite approach.
"I don't think anyone, Republican or Democrat, is going to stand up and say they don't care about personal privacy," said Baker Botts LLP special counsel Cynthia Cole. "The big question is going to be, Who's got the pen?"
An outcome in which one party seizes control of the legislative and executive branches could go a long way toward breaking the preemption and private right of action stalemates that have long derailed these efforts, experts say.
"Congress made big strides this [session] by holding hearings, conducting oversight and authoring legislation," said Michelle Richardson, the director of the data and privacy project at the Center for Democracy and Technology. "A change in the White House or the Senate could speed up the process, though. There are still partisan differences on a few key issues, so there may need to be a change in leadership in one of the branches to dislodge the legislation."
During the past decade, federal lawmakers have held hearings and made various proposals to regulate companies' collection, use and sharing of a wide range of personal data. The most recent Congress has been no different, with the Republican chairman and Democratic ranking member of the influential Senate Commerce Committee late last year floating competing proposals to set a national consumer privacy standard.
Republicans again brought the issue to the forefront in September, when Commerce Chairman Roger Wicker of Mississippi led his GOP colleagues in unveiling their party's latest proposal, the SAFE DATA Act.
The legislation would require businesses to more prominently disclose their data collection, processing and transfer activities and allow consumers to access, correct, delete and easily move their data to other services. It would also develop new rules to expand what qualifies as sensitive data and hand the Federal Trade Commission new power to obtain monetary penalties for first-time consumer privacy violations.
"The momentum to enact federal privacy legislation is still there. It's basically just getting stuck as usual on preemption and the private right of action," said Laura Jehl, who heads the privacy and cybersecurity practice at McDermott Will & Emery LLP. "The election could clarify which side wins these debates in the short term, and if either side wins the election outright, it'll be interesting to see if that drives a compromise."
Both parties are proposing to establish new transparency and data access requirements that would require companies to overhaul how they handle personal data. Such a framework would answer calls from privacy groups to give consumers more control over what companies do with their personal information and respond to businesses' push to avoid having to comply with the patchwork of state laws that is expected to emerge in the wake of the recently enacted California Consumer Privacy Act and European Union's General Data Protection Regulation.
But the competing frameworks highlight the divide over between the parties over whether states can add extra protection and individuals can sue companies over privacy violations.
"Regardless of who wins the presidential election and control of the Senate, we'll continue to see a lot of debate on the preemption and penalty issues," said Mark Brennan, tech and telecoms sector group lead at Hogan Lovells.
Those on both sides of the debate expressed optimism that Congress would act on privacy legislation as soon as the dust from the election settles.
Craig Albright, vice president of legislative strategy at BSA: the Software Alliance, which represents large software makers, said the flurry of activity on the issue in the past year suggests lawmakers will manage to push legislation through during the next Congress.
"People will see that the success of 2020 has been that Congress has gotten a variety of proposals out into the public that all the different players have been able to comment on," Albright said. "That's a big change from the beginning of the current Congress and will hopefully help whoever's in control [in 2021] to be able to build on that progress and get something done."
BSA has advocated for a national standard that would preempt state laws and enhanced abilities for the FTC and state attorneys general to enforce the law. Constitutional-rights advocates such as the American Civil Liberties Union, on the other hand, are pushing for comprehensive consumer data privacy protections that would allow states to set stronger standards and allow consumers to supplement regulatory enforcement by bringing their own lawsuits against offenders.
"A private right of action would ensure that companies that are violating the law are held accountable in a way that's not just the cost of doing business and that they'll face real accountability for privacy violations," said Kate Ruane, senior legislative counsel at the ACLU.
Cole, the Baker Botts attorney, said she would be "shocked" if legislation were enacted that preempts state laws, given that Democrats are expected to retain control of the House and the powerful contingent of California representatives has already said it wouldn't support any measure that would invalidate the Golden State's strong privacy regulations.
"Companies want uniformity, but there's no way the representatives from California are going to take that lying down," Cole said.
California's privacy bill, which contains a narrow private right of action that allows consumers to sue over data breach-related claims, could also affect the enforcement mechanism debate. Consumers have already filed dozens of lawsuits under this provision of the CCPA, which took effect on Jan. 1, and how these claims play out in court could lend ammunition to the arguments both for and against extending such a mechanism nationwide, according to Cole.
Additionally, federal lawmakers may be prompted to act more quickly if California voters approve a ballot proposal to toughen the state's privacy laws, and if more states whose legislative sessions were derailed in 2020 by the COVID-19 pandemic move to follow the Golden State's lead, attorneys say.
"The passage of the CCPA two years ago led to discussions at the federal level that really narrowed open issues between the parties, so if the [ballot initiative] or a privacy law in somewhere like Washington state passes, that could move the dialogue further to closing the gap between the parties," Brennan said.
Neither President Donald Trump nor Democratic challenger Joe Biden has spoken much about consumer privacy issues on the campaign trial, although it's unlikely that either would discourage such legislation from being enacted.
"We hope that whoever wins would have a positive influence and be supportive of the issue," said the BSA's Albright, adding that "the only real question" is likely to be where consumer privacy "will stack up in relation to other priorities."
A Biden administration may be inclined to make the issue a higher priority, given that Biden's running mate, Sen. Kamala Harris of California, made consumer privacy a focus of her enforcement efforts when she was the state's attorney general from 2011 through 2017. In that role, Harris created a privacy enforcement unit and secured a first-of-its-kind agreement with tech giants including Apple Inc., Google Inc., Facebook Inc., Amazon.com Inc. and Microsoft Corp. that effectively established a nationwide, legally enforceable standard for mobile app privacy policies.
"Privacy was her signature issue in California that led her to the Senate, so she could certainly lend some momentum to the issue and help from the executive side to push forward some compromises," Jehl said.
As the legislative debate continues to unfold, both participants and observers say they will be watching to see whether regulation of certain data elements and practices that aren't contained in the CCPA are either included in comprehensive legislation or spun out into their own bill. The Senate Republicans' proposal contains novel provisions to protect consumers against deceptive user interfaces online known as "dark patterns," while other lawmakers have introduced separate legislation to address issues such as facial recognition and contact tracing.
While there doesn't seem to be as much momentum for enacting more targeted privacy legislation that would have a harder time evolving as technology advances, "if there's a stalemate on broader privacy legislation and the sides feel like they have to do something, that type of tech-specific legislation might be easier to get across," said Hogan Lovells partner Bret S. Cohen.
"When control of the Senate and House has been divided over the past couple years, Congress has had trouble enacting any kind of bipartisan legislation," Cohen said. "But if we have a circumstance where the same party had leadership of both chambers, that might bode well for the prospects of breaking through some of the issues that are blocking passage, and we may see the other side start to be more willing to compromise on key provisions if it looks like consumer privacy legislation has more of a chance of being enacted."
--Editing by Jill Coffey and Brian Baresch.
For a reprint of this article, please contact firstname.lastname@example.org.