U.S. Federal Privacy Law: When Will Push Actually Come to Shove? 

By Emily Leach


When the EU set out to create what would become the General Data Protection Regulation, one of the main objectives was to harmonize data protection law within the EU member states. Rather than binding legislation, the pre-GDPR data protection regime was a directive — the 1995 Data Protection Directive. Unlike a regulation, a directive provides direction to the EU member states on a result they need to achieve but gives each nation the power to create its own legislation to achieve that end. 

The result of the DPD was 20-something (depending upon the EU membership at the time) different ways of doing data protection, causing a compliance nightmare for businesses in the region. Sound familiar? It should. 

With five state privacy laws passed in the last four years — and more on the way — having 20+ separate U.S. state consumer privacy laws is no longer hyperbole. It’s our likely future if Congress doesn’t step in.  

Currently, there are multiple comprehensive privacy bills in Congress. And, if you listen to spokespeople from Big Tech to civil liberties groups, industry associations to privacy advocacies, Democrats to Republicans, they all agree we need a federal privacy law. What they don’t necessarily agree on is what that law should look like. 

Recently, Cobun Keegan of the IAPP hosted a LinkedIn Live with Tatyana Bolton of R Street Institute and Sarah Collins of Public Knowledge on what a U.S. law might look like. The discussion struck an optimistic outlook on the chances for passing a law this year. Among other aspects, the panelists discussed what have become the two major sticking points and where we may see consensus on them: preemption of state laws and a private right of action.

Preemption 

Preemption is a big deal. As discussed above, one of the major benefits of having a federal law is that businesses would have one law to abide by for the whole country and not, potentially, 50. However, states with existing laws, like California (and many privacy advocates), have concerns that a weaker federal law would preempt their state law, lessening protections for their residents. This has become a contentious issue and a major hurdle for passing a federal law.

The panelists offered some expectations on what preemption might look like in a federal law, noting that it would not likely infringe on areas that states have historically controlled. Areas such as tenant-landlord relationships, student privacy, cybersecurity, ransomware — anything the law doesn’t specifically include — would continue to fall to the states. The law would, however, likely preempt any existing comprehensive state privacy laws, like those in California, Virginia, Colorado, Utah and Connecticut.

Additionally, there are existing federal laws that a comprehensive privacy law wouldn’t want to mess with, like the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. While leaving them alone is likely advantageous to passing a privacy law today, it is a sticking point in terms of attaining EU adequacy and may be something the U.S. would be wise to revisit in the future.

Private Right of Action 

Regarding private right of action, Collins was quick to underscore that PRA is not a yes-or-no question. “There are tons of levers to push” when considering this issue, she said. One option is that an individual may have to address the violation with the company first. Another is limiting the types of violations that are subject to PRA, as California did in CCPA. Additionally, existing state laws have all provided a right to cure — most with a sunset clause, like California and Virginia, but Utah chose not to sunset its cure timeframe. Other options include limiting when a class can be formed, for example where the violation constitutes a behavior pattern.

The point being, there are ways to do PRA that may be palatable to business groups and privacy advocates. It’s wise to remember, however, that Washington (the state) tried a number of versions of PRA and none passed muster.

Likelihood of crossing the finish line 

With so many states considering comprehensive consumer privacy laws, and the potential impact that an overturning of Roe v. Wade would have on privacy, many privacy pros and others are hoping that the stars are in line to get a federal law passed. When questioned about what privacy pros might be surprised to know, Bolton answered, “how close we are to getting this done.” I, for one, am hoping she’s right, especially as she added that next year doesn’t look nearly as promising.

Photo by Mayer Tawfik on Unsplash
