Observers of the debate around the potential for a new federal data privacy law know that dozens of relevant bills have been introduced and debated in U.S. Congress over the past couple of legislative sessions. While they make for good reading and discussion material, do any of them have a realistic shot at survival? If so, which of them are the most likely to eventually make their way into law?
As the IAPP continues to track these proposals, a very basic but important realization should come into focus: Given the current divided government in the U.S., any successful privacy legislation will require bipartisan support. Currently, only a handful of bills have sponsors from both parties.
Thus, this article distinguishes between pieces of federal data privacy legislation that have secured support only from one side of the political aisle and those that enjoy bipartisan support. It addresses a couple of provisions â€” private right of action and preemption â€” where the biggest partisan gap seems to exist. It also discusses the Consumer Online Privacy Rights Act, sponsored by Senate Committee on Commerce, Science, and Transportation Ranking Member Maria Cantwell, D-Wash., and the Consumer Data Privacy Act, sponsored by Chairman Roger Wicker, R-Miss., focusing on their areas of overlap and divergence. It concludes with a summary and analysis of all federal data privacy bills with bipartisan sponsorship that have been introduced this session of Congress â€” nine in total that I could identify as of the time of this writing â€” to see where agreement exists between Democrats and Republicans regarding privacy protection at the federal level.
Privacyâ€™s partisan provisions
Democrat-sponsored bills make up the bulk of federal privacy legislation introduced in this Congress.
Among the most recent bills, the Online Privacy Act was introduced in the House of Representatives by Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif. This bill would create a new Digital Privacy Agency with 1,600 employees; provide users with the rights to access, correction, deletion and data portability; and also allow private rights of action. While some advocates believe that a private right of action should be part of federal privacy legislation, it has thus far failed to secure bipartisan support. Wicker has reportedly referred to a private right of action as â€œtotally a non-starter.â€� Even â€œmoderate Democratsâ€� would be upset by the inclusion of a private right of action. Thus, it seems that the private right of action is unlikely to be included in a bipartisan bill, and any future bills that include it will have low chances of survival.
Another divide between Democrats and Republicans is whether and, if so, to what extent, federal data privacy legislation should preempt state law. The inclusion of preemption in a federal data privacy law has received disparate support from Democrats and Republicans. One of the rationales for preemption is that, in exchange for accepting a heavier compliance burden at the federal level, industry should be protected from additional, divergent privacy obligations at the state level. On the other hand, states have served as innovators in privacy law, paving the way for broader federal privacy protections. In addition, state attorneys general have served as â€œnimble privacy enforcement pioneers.â€� That being the case, the argument against preemption is that â€œstates should have the ability to offer greater protection of rights to their citizens.â€�
Democrats and Republicans seem to be at opposite ends of the preemption spectrum, with the latter supporting it and the former opposing it. In the context of these discussions, Republicans in both chambers â€œhave expressed strong interestâ€� in preemption. One congressional aide even suggested that members of Congress have come to the understanding that â€œpreemption language â€¦ would be necessary to pass a bill in this Congress.â€�
Some Democrats, meanwhile, particularly from the California caucus in the House, have been vocal about their opposition to preemption. Rep. Jackie Speier, D-Calif., told reporters that she would â€œlook askance at any measure that tried to preemptâ€� the California Consumer Privacy Act. Rep. Jan Schakowsky, D-Ill., has similarly stated that she is â€œgenerally against preemptionâ€� but indicated she would support a federal floor-style preemption that would not weaken state protections. Speaker Nancy Pelosi, D-Calif., has also reportedly said that the House would not pass preemptive federal data privacy legislation that weakens protections enshrined in the CCPA. In her words, preemption that weakens state law is something â€œthatâ€™s just not going to happen.â€� Democrats in the Senate, such as Sen. Ed Markey, D-Mass., however, have said they might accede to preemption in exchange for beefed-up enforcement powers for the FTC.
As Alston & Bird Senior Counsel Peter Swire has explained, preemption is a â€œtechnically complex, as well as politically controversial,â€� issue. To simplify things a bit, preemption has received its strongest support from Republicans, while Democrats have reacted to it in mixed ways, ranging from slight opposition to toleration to conditional support for certain types of preemption.
Privacy and politics
It is almost a tautology to say that lawmaking is a political process. Legislative possibilities are at least partially determined by which party controls the two chambers of Congress and the White House. That is, regardless of the merits of these individual bills and the hard work that went into crafting them, the current political reality of a divided Congress would seem to dictate that bills sponsored by members from only one party have a lower chance of passage than bills sponsored by a coalition of members from both parties.
Thus, with these facts in mind, it is worth focusing on those privacy bills that have bipartisan support or count both Democrats and Republicans among their cosponsors. So, where does bipartisan agreement exist regarding federal data privacy legislation?
Bipartisan data privacy bills
COPRA and CDPA
Introduced or circulated publicly in late November, the Consumer Online Privacy Rights ActÂ and Consumer Data Privacy Act provide some of the best indication to date of the consensus on federal privacy legislation that has emerged between Democrats and Republicans on the Senate Committee on Commerce, Science, and Transportation. Both are comprehensive proposals for a consumer privacy law that would span a broad swath of the economy and enshrine fundamental privacy protections at the federal level. In addition to their similarities in scope, both bills would require covered entities to obtain â€œaffirmative express consentâ€� from individuals before processing or transferring their sensitive covered data. In addition, they would both require covered entities to provide transparent privacy policies, maintain â€œreasonable data security practices,â€� designate privacy officers and data security officers, conduct annual privacy impact/risk assessments, and not deny goods or services to individuals who seek to exercise a privacy right.
Yet, while many of their provisions are nearly identical, there are several notable differences between the two texts. In several ways, such as regarding the definitions of â€œcovered dataâ€� and â€œsensitive covered data,â€� COPRA and CDPA are neither in perfect harmony nor completely out of tune. Within these gray areas, the two bills employ similar or even identical language up to a point but then diverge in ways that would be critical to how they would likely be enforced.
A couple of the clearest-cut differences between COPRA and CDPA are the preemption of state law and a private right of action. While CDPA would preempt any state law related to data privacy or security (with the exception of data breach laws), COPRA would leave in place state laws that afford a greater level of protection than it does. The private right of action is another issue where the two bills sit on opposite sides of the fence. For anyone interested in a more detailed analysis of COPRA and CDPA, please see my latest white paper, which examines these issues in greater depth.
Filter Bubble Transparency Act
On Oct. 31, the Filter Bubble Transparency Act was introduced in the Senate by Sen. John Thune, R-S.D., and is co-sponsored by Sens. Richard Blumenthal, D-Conn., Mark Warner, D-Va., Jerry Moran, R-Kan., and Marsha Blackburn, R-Tenn. This bill requires websites that use personal data to filter search results or order news feeds to notify users that they do so. It also requires them to offer users an unadulterated version of their search results or news feeds that are not based on any personal data. This bill has been referred to the Senate Committee on Commerce, Science, and Transportation. Of all the bipartisan bills, this one has also gained the most co-sponsors â€” four â€” to date.
Social Media Privacy Protection and Consumer Rights Act
Introduced in January, the Social Media Privacy Protection and Consumer Rights Act of 2019 is sponsored by Sen. Amy Klobuchar, D-Minn., and co-sponsored by Sens. John Kennedy, R-La., Richard Burr, R-N.C., and Joe Manchin III, D-W.Va. This bill requires online platform operators to provide notice to users that their data is being collected and used by the operator, as well as any third parties. It would also give users a right of access to a copy of their data and require operators to notify users in the event of a data breach. This bill has been referred to the Senate Committee on Commerce, Science, and Transportation. With three co-sponsors, this bill ranks second in terms of number of co-sponsors.
Do Not Track Act
The Do Not Track Act, introduced in May by Sen. Joshua Hawley, R-Mo., and co-sponsored by Sens. Dianne Feinstein, D-Calif., and Warner, requires the FTC to establish and enforce a Do Not Track system. Under the bill, covered entities are prevented from collecting data from users that send DNT signals (â€œother than such data as is necessaryâ€� for the operation of its website, service or application), using that data for a secondary purpose, such as targeted advertising, or sharing the data with third parties unless the user â€œexpressly consents.â€� Covered entities are also prohibited from denying access to services or providing different levels of access or service to users who employ the DNT signal. This bill has been referred to the Senate Committee on Commerce, Science, and Transportation.
The Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data Act was introduced in June by Sen. Warner and co-sponsored by Sen. Hawley. This bill requires social media services with more than 100 million monthly active users to disclose not only the types of data they collect, but also the value of that data. Moreover, the bill would give users the right to request the deletion of all or individual fields of data that commercial data operators have collected about them. In late October, this bill was the subject of hearings in the Senate Committee on Banking, Housing, and Urban Affairs.
Introduced in late October, the Augmenting Compatibility and Competition by Enabling Service Switching Act is another bill sponsored by Sen. Warner and co-sponsored by Sens. Blumenthal and Hawley. This bill requires large communication platform providers to, at the request of the user, â€œinitiate the secure transfer of user data,â€� essentially granting users the right to data portability. The bill has been referred to the Senate Committee on Commerce, Science, and Transportation.
Introduced in the Senate in April, the Balancing the Rights of Web Surfers Equally and Responsibly Act is sponsored by Sen. Blackburn, with Sens. Tammy Duckworth, D-Ill., and Martha McSally, R-Ariz., joining as co-sponsors in July. This bill requires broadband internet access service and edge providers to notify users of their privacy policies. It also requires covered entities to obtain opt-in approval from a user to use or disclose the userâ€™s sensitive information and obtain opt-out consent to use or disclose non-sensitive information. This bill has been referred to the Senate Committee on Commerce, Science, and Transportation.
Protecting Personal Health Data Act
Introduced in June, the Protecting Personal Health Data Act is another data privacy bill sponsored by Sen. Klobuchar and co-sponsored by Sen. Lisa Murkowski, R-Alaska. The purpose of this bill is to address gaps in Health Insurance Portability and Accountability Act regulation by regulating entities such as wearable fitness trackers and social media sites that collect health information. It would require the promulgation of such regulations by the secretary of Department of Health and Human Services. This bill has been referred to the Senate Committee on Health, Education, Labor and Pensions.
Commercial Facial Recognition Privacy Act
The Commercial Facial Recognition Privacy Act, sponsored by Sen. Roy Blunt, R-Mo., and co-sponsored by Sen. Brian Schatz, D-Hawaii, prohibits the use of facial-recognition technologies in the absence of affirmative consent from individuals. This bill has been referred to the Senate Committee on Commerce, Science, and Transportation.
Facial Recognition Technology Warrant Act
The Facial Recognition Technology Warrant Act was introduced Nov. 14 by Sen. Christopher Coons, D-Del., and co-sponsored by Sen. Mike Lee, R-Utah. Notably, the bill would require law enforcement agencies, including the Federal Bureau of Investigation and Immigration and Customs Enforcement, to obtain a warrant to use facial-recognition technology to surveil individuals. This bill has been referred to the Senate Committee on the Judiciary.
Areas of bipartisan agreement
Regarding bipartisan agreement around data privacy, Republican and Democratic lawmakers seem to be hard at work forging agreements beyond the notice-and-choice paradigm, which had been the crux of bipartisan bills introduced before COPRA and CDPA. Indeed, several of the bipartisan privacy bills introduced this term go little further than requiring companies to provide consumers with notice of their data use policies. These include the Filter Bubble Transparency Act, Social Media Privacy Protection and Consumer Rights Act, and BROWSER Act. A few bills, though, do go further by providing a right to access: the Social Media Privacy Protection and Consumer Rights Act, DASHBOARD Act, and ACCESS Act (vis-a-vis the right to data portability). One of these, the DASHBOARD Act, also provides a right to erasure.
Yet, a side-by-side analysis of COPRA and CDPA indicates there are emerging areas of bipartisan agreement beyond notice and choice. Indeed, requirements regarding consent, transparency, data security and corporate accountability have secured bipartisan support and are all likely be included in a federal privacy bill.
Yet, a side-by-side analysis of COPRA and CDPA indicates there are emerging areas of bipartisan agreement beyond notice and choice. Indeed, requirements regarding consent, transparency, data security and corporate accountability have secured bipartisan support and are all likely be included in a federal privacy bill. Yet, any new federal law that aims to offer meaningful privacy protection but does not adequately protect the rights to opt out, access, correction and deletion, among other rights and obligations, would appear to fall short of the standard set in California.
The bills outlined above represent the current state of bipartisan agreement on federal data privacy legislation. While many more bills related to data privacy have been introduced this year, most have attracted sponsors/co-sponsors from only one party and, thus, are unlikely to secure the support needed for passage in a divided Congress. It seems reasonable to assume that protections outlined in these bipartisan-sponsored data privacy bills and those found in both COPRA and CDPA have the greatest chances of inclusion in a federal bill that succeeds in gaining the votes necessary for adoption.
The introduction of new data privacy bills in Congress is not likely to abate soon. Reps. Frank Pallone Jr., D-N.J., and Jan Schakowsky, D-Ill., are reportedly working with Republican lawmakers on the Energy and Commerce Committee to develop a bipartisan piece of data privacy and security legislation. Yet, with the 2020 election campaign already underway, the window of opportunity for bipartisan legislation may be closing.
As congressional hearings and negotiations around privacy continue, it seems more true than ever that bipartisanship is necessary for comprehensive federal reform of U.S. privacy regulation.