The Republican and Democratic parties, business, and tech lobbyists say the latest Congressional session has the best opportunity that's come along in years to enact data privacy legislation with teeth. However, that still may not give it the best odds.
California's Leadership Role
The widespread belief is that California's new data privacy laws, passed last year, combined with congruent legislation passed by the European Union, will spur the U.S. Congress to pass privacy protection laws at the federal level. Another impetus comes from the scandals rocking Silicon Valley giants regarding the misuse of private information obtained through social media.
Under California's new rules, effective in 2020, users can request to be informed whenever personal information is sold or shared with another entity, including the identification of the entity that obtained data about the user. Under the new law, consumers can ask companies to delete their data. It also paves the way for individuals to sue companies over breaches of personal data.
While some companies pushed for the bill, others whose business model relies on collecting and selling user data would like to see a federal law scale it back. Businesses might find it easier to deal with a single set of laws than the conglomeration of state bills and EU regulations. These laws require getting "informed and unambiguous" consent to collect personal information and force data collection companies to tell consumers when breaches occur.
California's Data Privacy Protection Law
In 2018, California passed a bill that increases consumers' control over how entities use their personal information. The new rules take effect in 2020. Here are the provisions included in the law:
- Web users can ask businesses to tell them what information is being collected and when it's going to be sold or shared, as well as to whom.
- Consumers can demand that a company delete their information.
- Parental permission is required for an online service, website, or mobile app to sell children's user data.
- Individuals can sue companies that don't adequately protect their personal data, that is, in the event of a data breach.
- The rules apply widely to all for-profit companies that store user data--including Facebook, Google, and electronic retailers.
The European Union's GDPR
A number of global companies already comply with the European Union's digital privacy law that was passed in May 2018 and is known as the General Data Protection Regulation. Its assumptions include:
- Personal data consists of names, IP addresses or ID numbers.
- People should be able to exercise a “right to be forgotten.” Consumers can request that their personal information be removed when a company has no need for it. The burden of proof falls on the company.
- Companies must get “informed and unambiguous” consent before processing personal data.
- Data collectors are required to report breaches.
Violations may cost companies up to $24 million or 4 percent of the corporation's total revenue. Privacy advocates want to make the most of the current environment and strengthen federal legislation--using California's strict rules as a minimum requirement.
What's Standing in the Way of a Federal Digital Privacy Bill
Although there's a desire to come to an agreement, several points may stand in the way of a federal bill. One issue is that many states already have their own laws, which could derail attempts to come up with a federal policy everyone can live with. Unfortunately, Congress isn't likely to pass a law accompanied by a lot of contention.
Many lawmakers continue to work on the project, hoping there's a real opportunity for change. Such a measure is likely to land on the President's desk for a final decision.
Who's Fighting for a Federal Digital Privacy Law?
The Republican Senator from Kansas, Jerry Moran, and the Democratic Senators from Hawaii and Connecticut, Brian Schatz and Richard Blumenthal, respectively, have drafted legislation. It seems to be making progress at the Capitol. But only time will tell if it gathers enough support to pass both houses.
The House is less certain than the Senate, but the Democrats are likely to pass some kind of privacy law. Anna Eshoo, a representative from Palo Alto, CA, is on the Energy and Commerce Committee. Eshoo is drafting legislation with Zoe Lofgren, a Democratic representative from San Jose. Key members of Congress are expected to help with the legislation.
There Are Also Skeptics
Skeptics have raised questions and remain pessimistic. Congress has ongoing difficulty passing any bill. In fact, breaches have been more common for several years. Although Congress has tried to pass a bill to protect consumers, it wasn't able to agree on a federal stance on data breach protection laws. As a result, most states have independently passed their own data breach and privacy legislation.
The attorneys general of a number of states met in Washington for a privacy conference. They predicted that California would lead the movement for data privacy as well as data breach laws, with a federal law based on the California model. Vermont Attorney General T.J. Donovan has expressed doubts about Congress reaching a consensus. Until that happens, it will be up to the states to pass their own laws. The states will have to be willing to relinquish their individual rules once the federal legislation does pass, which could be another point of contention.
Compliance Issues Posed By State Laws
How companies handle users’ data impacts their systems infrastructure. It affects how websites are built and how the company models its business. The various state laws present a real challenge to online companies, which may find it nearly impossible to follow different laws for each state.
Democrats and privacy advocates are fighting to ensure that, whatever happens at the federal level, the states aren't prevented from enacting stricter laws. Connecticut's Attorney General Blumenthal, who's been involved in the fight for privacy legislation for two decades, believes a sea change in the industry is needed for federal regulations to pass. When an industry faces various laws in the different states, it typically applies pressure for Congress to enact federal legislation that simplifies the compliance process.
What's Happening in Washington?
Several approaches are making the rounds in D.C. Privacy advocates say that the responsibility lies with the companies. This would prevent companies from discriminating against users based on their data. They also support letting users sue companies over infringements. Advocates argue that consumers own their data and have the right to delete it and rescind permission to use it.
Both the Information Technology Industry Council and U.S. Chamber of Commerce support legislation for additional transparency. This would include how data is collected and require consumer consent on how data is used.
Many are wondering how the state laws will be impacted. Republicans and representatives of various industries want any laws passed by Congress to override state laws. Democrats and privacy advocates will only agree if a federal law approaches California's system in terms of the amount of protection provided for consumers. How the two sides will hash things out remains a mystery.
A History of Following California
"As California goes, so goes the nation," is a common political saying. Eshoo said that whatever Congress does shouldn't weaken the California model for consumer protection. She wants the federal government to use her state's work for instruction. Since California's are the strictest and most comprehensive laws, this may avoid a patchwork of laws that defy understanding.
Those who worked to pass California's laws didn't want to wait for Washington to make up its mind. Common Sense Media is a consumer advocate that wants to help families navigate the complexity of technology and media, and its leaders believe that the California model is a landmark bill that should be replicated at the federal level.
So far, everyone seems to doubt whether Congress can come to a consensus about such a complex issue. Lawmakers and industry representatives wonder if Washington can put aside partisan politics for these critical issues. Although everyone seems to agree that something should be done at the federal level, there's a deep divide on how strict the rules pertaining to the companies that collect data should be.
The California Model Would Deliver a Stricter Federal Privacy Bill
Any law that weakens the California one would likely draw criticism and dissent from those supporting the move to follow the Golden State's regulations. Failing this, advocates are bound to focus on individual states. They may concentrate on convincing state legislatures to follow a strict code with strong penalties for companies that don't do enough to protect consumers.
Alastair Mactaggart, a San Francisco housing developer, led the movement for a ballot measure that spurred the California bill. Mactaggart went to Washington in March 2018 to talk with several senators known for their stances as privacy hawks. He also met with officials from the Trump administration. Mactaggart has documented missteps by the tech companies. He cited Facebook's creation of an app used to collect personal data and the fact that the social media giant was paying people, including teens, to use it. This provided the perfect backdrop for his concerns and underlined the dependence of modern Internet marketing and advertising on personal data.
As long as Congress tends to move slowly or not at all on most issues, support of a federal bill is uncertain. Supporters are clinging to the hope that debating unsuccessful legislation would at least start the conversation and advance the cause.
It will be interesting to see what, if anything, comes out of all the discussions, a flurry of state laws and numerous appeals to Congress to give weight to digital privacy and security legislation.