Congress Accelerates Year End Privacy Efforts, With Remarkable Agreement and Differences on Preemption and Private Rights of Action
2019 started with buzz about potential federal privacy legislation, which a variety of stakeholders support, from the U.S. Chamber of Commerce to the Federal Trade Commission. Despite multiple hearings and several proposals that did not gain traction, Congressional activity had seemingly stalled. But that may be changing.
In the past few weeks, efforts to pass a comprehensive privacy law have intensified: (1) Senate Democrats proposed a set of privacy principles; (2) key Senators on the Senate Commerce Committee have put forward their proposals, and (3) the Senate held a major privacy hearing. These much-anticipated developments may be too little, too late—at least for businesses gearing up for the California Consumer Privacy Act (CCPA), which goes into effect in less than one month.
Below is an overview of this final 2019 blitz on privacy legislation with some key takeaways. For a detailed analysis of the new privacy proposals and other developments, reach out to the Wiley Privacy team.
Key Senators Propose Comprehensive Privacy Legislation
We start with the biggest development: Senator Roger Wicker and Senator Maria Cantwell—the Chairman and Ranking Member of the Senate Commerce Committee, respectively—each have unveiled draft legislation. We have been waiting for a proposal from these Senators, and while the thinking long has been that they (with others) would make a joint proposal, their separate proposals still mark a major stride in the Senate’s move toward comprehensive privacy legislation. And, because the Senate Commerce Committee is the likely source of any comprehensive privacy bill, the differences in these drafts are likely to be the main battleground for legislation
There is a lot of overlap between the Wicker bill and the Cantwell bill, which share some surprising and notable similarities to European Union-style privacy legislation by creating new consumer rights and remedies.
Both define covered data similarly, with clear carve-outs for employee data and de-identified data, among other things. Both bills would distinguish between sensitive covered data and other covered data, and would require opt-in consent for processing and transferring sensitive data. Notably, both bills define the term “sensitive covered data” more broadly than the FTC’s current privacy framework, but Senator Cantwell’s bill goes even further than Senator Wicker’s.
Both bills adopt a consumer rights-based structure and would create new federal consumer rights to transparency, access, deletion, correction, and portability. They both impose other obligations on covered entities, including “reasonable” and “appropriate” data security requirements; data minimization requirements; and requirements to engage in privacy impact assessments (however, Senator Cantwell’s assessment proposal applies more generally to covered entities, while Senator Wicker’s assessment requirement only applies to covered entities that are large data holders).
Both bills vest the FTC with enforcement and rulemaking authority, and create an enforcement role for state attorneys general. In broad strokes, the bills largely agree on the basic structure of a privacy law, and many core elements.
However, there are gaping differences. The two biggest elephants in the room are preemption and private rights of action.
Preemption. The Wicker bill broadly preempts all state laws “related to the data privacy or security and associated activities” of businesses covered by the law, with a notable exception for breach notification laws. On the other hand, the Cantwell bill explicitly says that “[n]othing in this Act shall be construed to preempt, displace or supplant” state laws regarding consumer protection, privacy rights of employees and students, and “[l]aws specifying remedies or a cause of action to individuals.” The debate over preemption has been a major sticking point for both parties. While those that oppose preemption worry that a federal law with preemptive effect may weaken consumer rights, those who support it argue that, without preemption, businesses will be left scrambling to keep up with a federal law and a patchwork of state laws, making compliance difficult. Members of Wiley Rein’s Privacy team have analyzed the arguments for preemption of state regulation of digital privacy here. As these two bills indicate, preemption will likely remain one of the most contentious issues.
Private Rights of Action. The Wicker bill is silent on private enforcement, vesting enforcement with only the FTC and state attorneys general. By contrast, the Cantwell bill creates an incredibly broad private right of action. It allows a private lawsuit for any violation of the statute. A suit may be brought regardless of harm, as the bill goes out its way to say that all violations of the law constitute “concrete and particularized injury in fact[.]” It further allows for liquidated damages—between $100 and $1,000 “per violation per day”—punitive damages, and recovery of attorney’s fees. And it preemptively invalidates arbitration agreements. Past experience with similar provisions in the Telephone Consumer Protection Act (TCPA) and Illinois’ Biometric Information Privacy Act (BIPA) indicate that the authorization of no-injury lawsuits would likely be a disaster. However, compromise on a watered-down private suit provision may still be possible, as Senator Wicker has recently indicated he is open to a narrower private right of action. We have written and worked extensively on private rights to sue and the Constitutional standing arguments that have typically thwarted efforts by plaintiffs’ lawyers to sue over privacy and security issues. Click here for our brief in the Supreme Court arguing against lawsuits over “injury-free” claims, and here for a blog post analyzing the expansion of privacy litigation under Illinois’s BIPA.
In sum, there is plenty of agreement in the bills but differences over preemption and private rights of action loom large and may prove fatal to compromise.
Democrats Propose Privacy Principles
Prior to the release of the bills discussed above, key Senate Democrats—including Senator Cantwell—published a Privacy and Data Protection Framework (Privacy Principles), which outlines a set of principles for comprehensive federal privacy legislation. The underlying goal of the Privacy Principles—creating “a comprehensive federal privacy and data security law”—garners broad support. However, it is questionable whether these Principles will prove to be a meaningful step toward achieving an end product that will gain bipartisan support. Indeed, the Principles do not appear to acknowledge and/or attempt to come to a middle ground on some of the biggest sticking points between Senate Democrats and Republicans on privacy legislation. Specifically, the Principles—like Senator Cantwell’s proposal—explicitly call for a private right of action exempt from arbitration provisions and are conspicuously silent on preemption.
Wednesday’s Senate Commerce Hearing
These issues, and the two proposals from Senators Cantwell and Wicker, were featured discussions at a December 4th Senate Committee on Commerce, Science, & Transportation hearing on “Examining Legislative Proposals to Protect Consumer Data Privacy.”
The Commerce hearing revealed consensus that there should be a comprehensive federal privacy law. State law is creating confusion and imposing real burdens. As Walmart’s Senior Vice President for Digital Citizenship Nuala O’Connor testified, “[w]e are scrambling to be ready for the Jan. 1 compliance date at Walmart in California.” There also seemed to be a consensus about greater FTC enforcement authority, aided by state attorneys general. Some witnesses called for a dramatic expansion of FTC resources, and the there is a somewhat surprising appetite for expanding FTC power, so close in time after heated disputes over the FTC’s handling of data security and privacy enforcement under its Section 5 authority.
Unsurprisingly, the hearing made major fault lines clear. Witnesses disagreed on preemption and the incorporation of private rights of action into the federal framework. Maureen Ohlhausen, former FTC Chairwoman, argued that a private right of action would reap little consumer benefit compared to FTC enforcement, but others argued that a private right of action would offer consumers a way to enforce their privacy rights. Political leaders’ views on these issues seem somewhat locked in, but time will tell whether these issues will be deal breakers or if policymakers can reach an agreement on sweeping new privacy laws that supersede conflicting state laws or leave the plaintiffs’ bar unsatisfied.
Recent weeks have demonstrated remarkable consensus on draft privacy legislation, as Senator Wicker in particular embraced a robust and detailed set of new consumer rights and business obligations. The fact that there is agreement to material elements of sweeping new mandates and on FTC powers is a major indication that privacy discussions have moved policymakers substantially closer to a federal solution. Several years ago, this would have been unthinkable, as many large private companies objected to federal legislation.
While businesses keep a close eye on these and forthcoming developments, federal legislation is unlikely in the near term to “solve” companies’ compliance burdens under state laws, in no small part due to lack of consensus on preemption and private rights of action. The private sector should plan on gearing up for compliance with the CCPA and potentially other state laws in the meantime.