Trial Magazine
On the Hill
A Plethora of Privacy Bills
March 2020Federal privacy legislation is picking up steam as big tech pressures Congress to take regulatory action and preempt state efforts to regulate data protection.
On Jan. 1, the California Consumer Privacy Act (CCPA)—a comprehensive state data protection law—went into effect, creating even more pressure on Congress to act. Under the CCPA, California residents have the right to know what a business is doing with their personal data and the right to request that personal information be deleted. The CCPA contains a class action statutory remedy for California residents who are victims of data theft and breaches—an additional remedy to the common law ones frequently used in data breach cases.
In 2019, a few comprehensive bills were introduced to address privacy broadly, and more than one dozen targeted privacy bills were introduced to address specific types of data breaches or individual privacy concerns.
One example of a comprehensive privacy bill is the “Consumer Online Privacy Rights Act” (COPRA) (S. 2968), introduced by Sen. Maria Cantwell (D-Wash.), the ranking member of the Senate commerce committee. COPRA creates explicit privacy rights and corporate duties while preserving existing state statutory and common law remedies, setting a floor for liability while allowing for future state law innovation. The bill contains a private right of action that presumes privacy violations are concrete injuries, permitting consumers to directly seek civil damages. COPRA also prohibits forced arbitration and class action waivers, priorities that AAJ seeks to include in all pro-consumer legislation.
In response to COPRA, the chairman of the commerce committee, Sen. Roger Wicker (R-Miss.), unveiled a draft privacy bill called the “Consumer Data Privacy Act,” which also provides comprehensive privacy protections but drastically limits enforcement by preempting state statutory and common law remedies. The chairman and Sen. Cantwell have said they hope to work together on privacy legislation, but the enforcement provisions in their bills are completely different.
Other smaller bills have been introduced to address discrete privacy concerns, including
- bipartisan legislation that would create a federal “Do Not Track” system to limit data collection (S. 1578)
- bipartisan legislation that requires facial recognition privacy standards (S. 847)
- legislation prohibiting genetic testing services from selling collected data to third parties (H.R. 2155)
- legislation requiring data brokers (companies that collect or buy data, aggregate it with data from other sources, and sell the information to third parties) to publicly submit information about their business practices (S. 2342).
The FTC as regulator. Many large tech companies want the Federal Trade Commission to serve as the new regulatory authority for and primary enforcer of privacy violations, preempting state statutory and common law remedies, as well as newly created state privacy laws like California’s. But the agency is not equipped to handle such enforcement, even with a significant increase in funding and resources.
What’s next. It is AAJ’s priority to preserve state remedies when new federal regulation is implemented, and we also are advocating for creating a private right of action under federal law to enforce federal data privacy violations. AAJ Public Affairs expects that more bills will be rolled out in the upcoming months, and Congress will continue to discuss this issue. While it seems unlikely that comprehensive privacy legislation will be enacted this year, pressure will continue to mount on Congress to protect consumers.
AAJ has a free list server, the Data Protection Working Group, for members interested in privacy and data breach advocacy updates. To join, contact Brian McMillan (brian.mcmillan@justice.org).
Susan Steinman is AAJ’s senior director of policy and senior counsel and can be reached at susan.steinman@justice.org. To contact AAJ Public Affairs, email advocacy@justice.org.