In May of 2018, the European Union enacted the General Data Protection Rules, or GDPR, a legal framework that outlines not only how companies may collect and process personal information of EU residents, but how that data is stored and used. Since its enactment, GDPR has triggered a global push towards compliance with those standards. In the United States, there is presently no such national standard. However, California has enacted a law that strongly resembles GDPR, called the California Consumer Protection Act (CCPA), for which regulations go into effect in January 2020.

The concern, of course, is that instead of one federal standard, the CCPA could represent the beginning of a patchwork of state privacy laws that will make it more difficult for companies and consumers to understand their rights and to ensure compliance. The U.S. Senate’s Commerce Committee has been debating two proposed federal privacy statutes: one led by Senator Roger Wicker, R-Mississippi, the committee’s present chair, and the other led by Senator Maria Cantwell, D-Wash., the committee’s ranking minority member. While there are significant differences in the philosophy and breadth of the proposed legislation, all parties agree that federal privacy legislation is needed now.

While there is cause for optimism regarding the overall momentum, there are three main areas that keep the competing drafts of legislation from coming together to form a final bill, along with a myriad of smaller issues that have been debated as well. Those three areas are the idea of a private right of action, the possible preemption of state laws, and enforcement of the law.

Private Right of Action

A private right of action is the ability of individuals to take legal action against entities that may have violated their rights, in this case with regard to their personal data. It has been a point of contention between the two bills in the Senate. The proposal from the Democrats contains this provision, while the Republican version does not. Democrats seek to include this provision, stating it is necessary to ensure that consumers can pursue recourse for violations. Republicans argue that it will allow ‘frivolous’ lawsuits to do irreparable harm to smaller businesses.

Preemption of State Law

Another bone of contention between the two draft bills is whether or not a federal privacy law would override state laws on the issue. The draft sponsored by the Democrats would allow state laws to continue to be enforced, while the Republican bill preempts state law. Democrats claim that allowing state laws to continue to be in effect could lead to greater protections and innovations as to how the laws are enforced. Critics state that the creation of a patchwork of laws would be overly burdensome for businesses from a compliance standpoint, and confusing for consumers.


Enforcement

Lastly, the third important element up for debate is how such a federal law would be enforced. The concept of an independent agency has been discussed, but most conversation has centered on strengthening the Federal Trade Commission’s power to deal with claims centering on data privacy issues. Both bills grant the FTC greater authority and resources, although the Democratic proposal is more extensive, creating a new bureau within the FTC that deals with digital privacy matters.

Interestingly, both proposed pieces of legislation allow for state attorneys general to enforce the federal law. Therefore, no matter the form of the final legislation, the federal data privacy law, when it is finally enacted, will be enforced, in part, by each state, in addition to the FTC. As the debate moves forward in the U.S. Senate, and possible final proposed legislation moves out of committee, we will keep you up to date on all developments.