The Federal Trade Commission warned Congress on the eve of the millennium that “technology has enhanced the capacity of online companies to collect, store, transfer, and analyze vast amounts of data from and about the consumers who visit their Web sites.” The 2000 report — released during the same year the Department of Defense decided to allow private use of GPS technology, more than a year ahead of the release of Apple’s first iPod, four years before the launch of Facebook, six years ahead of the Nintendo Wii, seven years prior to the first iPhone, and nine years in advance of Twitter’s appearance — urged Congress to enact legislation so “consumer concerns about online privacy” would be mitigated.
Since 2000, consumers have grown even more wary of the risks they face as a result of the government’s laissez-faire attitude toward personal information. Even as nearly 90% of Americans, as of 2016, have a computer or smartphone with online access, one January 2017 poll showed that “a majority of Americans have directly experienced some form of data theft or fraud” and “many lack confidence in various institutions to keep their personal data safe from misuse.” Another poll conducted in 2019 indicated that most Americans have little or no idea of how their personal data is used by companies that collect it and see more risk from commercial efforts to collect and use data than benefits.
Despite this trend showing consumer fears about data acquisition and use, and notwithstanding the passage of 20 years since the FTC’s landmark report, Congress has done essentially nothing to deal with the problem. Instead, California has taken the lead in adopting state laws that advance four key goals of online privacy advocates: rights to know about personal information that a business obtains about a person and how the company uses and shares that data; to delete most personal data that is collected; to prevent sale of personal information to third parties; and to be free from discrimination in access to, price or quality of products and services for choosing to exercise the other rights. The rising interest among states also mirrors a push by the European Community to regulate consumer data privacy.
While it is unclear whether the 117th Congress will finally adopt a federal privacy law, there are indications that interest in the issue is rising both among legislators, the technology industry and privacy advocates. Despite the growing clamor, divisions between large technology companies, some of their smaller competitors and privacy advocates over whether Congress should preempt state law and allow consumers to enforce their rights via civil lawsuits remain and threaten to derail efforts to secure national legislation.
The California Privacy Law
Any legislation considered on Capitol Hill will undoubtedly draw lessons, for better or worse, from California’s experience with regulation of consumer online privacy practices. In 2018 the Golden State enacted the California Consumer Privacy Act, the nation’s first such statutory scheme. Under the CCPA, for-profit businesses operating in California that generate at least $25 million in annual revenue, handle the personal information from at least 50,000 devices, households or individuals, or obtain at least half of their revenue from the sale of customer information are subject to a range of requirements. The broad definition of information under the law includes most data that “identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Legislators in Sacramento specified particular examples that are covered, including “identifiers” used by individuals in their personal and business affairs and commercial, biometric, Internet browsing, Internet search history, and geolocation data, educational background, employment and profession-related information and “inferences” that can “create a profile about a consumer.”
If covered by the law, entities that engage in data acquisition or transactions must comply with a lengthy list of obligations. Among them are duties to disclose the personal information collected and the ways it is used, allow consumers the right to obtain deletion of personal information; and provide an opt-out date for the sale of personal information.
The CCPA generally does not allow consumers to sue in an effort to enforce its provisions, limiting that right to cases of data breaches. Instead, the state’s attorney general is authorized to do so. “Though it could be even stronger, the California law is stronger than anything that exists at the federal level,” said Joseph Turow, a privacy scholar and professor of communication at the Annenberg School for Communication at the University of Pennsylvania, in an article published in Knowledge@Wharton. California voters amended the CCPA when they adopted Proposition 24 during the November 2020 election. That ballot initiative, known as the California Privacy Rights Act, expanded consumer control of their data and established a statewide privacy regulatory agency.
Since California enacted the CCPA, other states have begun to follow suit. In March, Virginia’s governor Ralph Northam signed into law a bill that is similar to California’s data privacy mandate and, according to a website maintained by the International Association of Privacy Professionals, at least 27 other states are in various stages of legislative consideration of kindred measures.
Those states include Colorado, where SB21-190 was introduced March 21. Like many of the other legislative proposals under discussion around the country, the Centennial State bill would basically track the CCPA and its 2020 voter-approved supplement, the CPRA. The Colorado bill would not provide consumers with a private cause of action to enforce its provisions. Instead, the state’s attorney general or district attorneys would be entrusted with that power.
Congressional Debate
The groundswell of state privacy bills has, during the past several years, helped to drive increased focus on the issue in Congress. During the past two to three years, several hearings focused on potential paths forward have been conducted and, according to the Brookings Institution, there are reasons to conclude that differences between the two parties about how to proceed are narrowing. Cameron Kerry, a visiting fellow at the organization and a former general counsel of the Department of Commerce, wrote in 2019 that the ongoing debate shows agreement on a “set of individual rights combined with boundaries on how businesses collect, use, and share information, all of which would be enforced through the Federal Trade Commission.”
Kerry wrote that he believes “data access, correction, deletion, and portability, as well as notice and transparency,” are among the features of any legislation on which substantial accord has been achieved. Topics on which agreement is eventually likely include “the scope of data and entities covered, federal and state enforcement authority, measures for organizational accountability, and data security.”
Kerry’s assessment largely tracks with a “framework” for data privacy released in 2019 by Privacy for America, a lobbying coalition of advertising firms. “If those were the only issues, there would be more room for some compromise and something to happen,” said Brian Ray, a professor and the director of the Cybersecurity and Privacy Protection Center at Cleveland-Marshall College of Law. They are not, though, the only issues, or even perhaps the most important issues, to the parties and the stakeholders.
Where the two parties and the technology industry’s dominant giant firms and privacy advocates first diverge on core principles is on the questions of preemption. State-based privacy regulation is unappealing to the technology industry, for the obvious reason that they create the possibility of inconsistent or even conflicting mandates. “The desire of many businesses for a consistent national standard is understandable, and a single law can benefit consumers if the standard provides strong protection and simplifies the exercise of rights,” Kerry said in his 2019 Brookings post. The potentially haphazard nature of devolved data privacy law also might mean that consumer protections dramatically vary. “At the end of the day, you want the person who is driving from Biloxi to Seattle to have the same robust privacy protections wherever she or he goes,” said former FTC chairman Jon Liebowitz during the Sept. 23 Senate Commerce, Science and Transportation Committee hearing.
On the other hand, preemption of state laws would block states from addressing privacy issues in new and potentially more effective ways. “I would urge that you consider that we could set a standard, but just don’t make it the ceiling,” former California attorney general Xavier Becerra, who is now the Biden administration’s secretary of health and human services, said at the hearing. “Let it be the floor.” That view seems to align with those of Congressional Democrats, who have not included in various bills introduced during the 116th Congress or in the current Congress that opened in January provisions that would totally block state data privacy laws.
The other yawning gap between both legislators and interested parties has to do with whether consumers should be able to sue companies for violating privacy rights. Although the CCPA allows only private litigation that arises from a data breach, Ray said some technology industry participants worry about the prospect of “marginal” lawsuits.
Not every technology company agrees with that approach, though. Privacy-focused search engine DuckDuckGo and 22 other firms in the industry have publicly lauded private rights of action to enforce personal privacy rights. Democrats appear to view the issue of private lawsuits as one implicating regulatory effectiveness. “We will never be able to fully police the thousands and thousands of companies collecting consumer data if you are the only cop on the beat,” said Washington Sen. Maria Cantwell, addressing two former FTC commissioners at the Sept. 23 Senate committee hearing.
Republicans do not agree with that view. Whatever the extent of diverse industry opinion on the issue, Ray said that, for them, even a sharply constrained private right of action is a “nonstarter.” They would prefer to cabin any privacy law’s enforcement authority with a federal agency and, perhaps, state attorneys general.
One outcome of continued gridlock on these two sticking points is that the CCPA serves as a de facto national standard in the area of consumer data privacy. “The issue is you’ve got California as a leader out there,” Ray said. Some industry voices, he said, might be willing to accept a federal bill that leaves California’s requirements in place.
Thus far in the 117th Congress, one bill aimed at establishing a nationwide set of consumer data privacy rules has been introduced. Democratic Rep. Suzanne DelBene of Washington announced March 10 that she would introduce the proposed Information Transparency & Personal Data Control Act. Her bill would, according to a press release, require companies to set up a consumer “opt-in” system of data use, disclose the identities of entities and individuals with whom data is shared and the purpose of the sharing, and complete biannual privacy audits. The DelBene measure would preempt state laws and allow the FTC and state attorneys general to enforce the law. As of press time the actual text of DelBene’s bill is not available. House Democrats introduced two bills during the last Congress.
Numerous Senate comprehensive data privacy bills were introduced during the 116th Congress, including Republican measures by Sen. Roger Wicker of Mississippi and Sen. Jerry Moran of Kansas and separate Democratic bills, one sponsored by Cantwell, Amy Klobuchar of Minnesota, Edward Markey of Massachusetts and Brian Schatz of Hawaii and another sponsored by Kirsten Gillibrand of New York. As of press time no Senate bills that similarly attempt to address the consumer data privacy issue have been introduced during this Congress.