Federal Privacy Law Efforts Move Forward in Congress
As fall has arrived, so has a flurry of privacy activity on Capitol Hill. Though this Congress is highly unlikely to pass any privacy legislation before the end of the Term, the latest developments reflect efforts by key Senators to find areas of agreement and establish the framework for federal privacy legislation to be considered in the next Congress. Notably, the Chairman of the Senate Commerce Committee and other key Republican Senators released a final version of a draft privacy bill that would significantly transform privacy law nationwide, while also taking aim at use of online algorithms. While Senate Democrats have offered proposals that would go further, the Senate Commerce Committee held a hearing on Wednesday that was aimed at attempting to find common ground for legislation, including by hearing testimony from a bipartisan group of former Federal Trade Commissioners—including three former Chairs—who were broadly supportive of the proposed legislation. Important differences remain, but given the repeated calls for a federal privacy law from a diverse group of stakeholders and the pressure for a federal solution in light of individual state privacy efforts, companies should pay close attention to federal proposals that increasingly appear to mark a baseline for a federal privacy law. Here are the latest developments.
Key Republican Senators Introduce the SAFE DATA Act
On September 17, Senators Roger Wicker, (R-MS), chairman of the Senate Committee on Commerce, Science, and Transportation, joined by Senators John Thune, (R-SD), Deb Fischer, (R-NE), and Marsha Blackburn, (R-TN) introduced a comprehensive privacy bill—S. 4626—called the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.
The SAFE DATA Act largely tracks a staff discussion draft version of the bill Chairman Wicker introduced around this time last year. Our full summary of that initial draft is here. At a high level, the legislation would create substantive privacy rights for certain data covered by the bill. In particular, it would create rights to transparency, access, deletion, correction, and portability. It would also require opt-in consent to process or transfer “sensitive covered data,” which includes a broad variety of identifiers, such as biometric information and geolocation data.
Importantly the bill would preempt state privacy laws and, while allowing enforcement by the FTC and State Attorneys General, it would not include a private right of action. Both of those positions are in stark contrast to a competing bill put forward by Senator Maria Cantwell (D-WA) last year.
There are a few notable changes from Senator Wicker’s staff discussion draft to the SAFE DATA Act, including the following additions that come from other pieces of privacy legislation:
Regulating “opaque algorithms”: Section 205 of the SAFE DATA Act would prohibit the use of “opaque algorithms” by covered internet platforms unless they (i) notify users of the opaque algorithm, and (ii) make available an “input-transparent algorithm” to which users can easily switch. An “opaque algorithm” is “an algorithmic ranking system that determines the order or manner that information is furnished to a user on a covered internet platform based, in whole or part, on user-specific data that was not expressly provided by the user to the platform for such purpose.” This section draws heavily from the bipartisan Filter Bubble Transparency Act introduced last October, which was designed to make it easier for consumers to understand if and how platforms were filtering the content presented to them.
Regulating the “manipulation” of user interfaces: Section 206 of the SAFE DATA Act prohibits “large online operators” from, inter alia, “design[ing], modify[ing], or manipulat[ing] a user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data[.]” This section draws from the bipartisan Deceptive Experiences To Online Users Reduction (DETOUR) Act, introduced last April, which was designed to “prohibit large online platforms from using deceptive user interfaces, known as ‘dark patterns’ to trick consumers into handing over their personal data.”
These developments are notable in part because they expand the privacy bill to cover a broader set of topics around algorithms powered by artificial intelligence (AI) and user interfaces – not just traditional data privacy concerns.
Senate Hearing on Comprehensive Privacy Legislation
On September 23, the Senate Commerce Committee held a hearing on Revisiting the Need for Federal Data Privacy Legislation. The goal of the hearing was to “examine the current state of consumer data privacy and legislative efforts to provide baseline data protections for all Americans” and to “examine lessons learned from the implementation of state privacy laws in the U.S. and the E.U. General Data Protection Regulation, as well as how the COVID-19 pandemic has affected data privacy.” A bipartisan slate of former FTC commissioners and the Attorney General of California appeared as witnesses.
Testimony at the hearing centered around the growing need for a comprehensive privacy law and efforts to find common ground for a what the witnesses generally characterized as a “strong” privacy bill. Citing the California Consumer Privacy Act (CCPA), difficulties with implementing the EU-U.S. Privacy Shield framework, and the increased digital presence of Americans in response to the COVID-19 pandemic, Senator Wicker’s majority statement offered that “the need for a uniform, national privacy law is greater than ever.” The witness testimony echoed this sentiment, with former FTC Commissioner Julie Brill and former Chairman William E. Kovacic highlighting the “urgent need to pass a comprehensive privacy law” and contending that “privacy regulation today is paramount.”
But battle lines remain. Senator Cantwell’s statement took issue with “other legislation” in the Senate—without naming particular bills—highlighting the two major fault lines that remain in the federal privacy debate. First, Senator Cantwell took issue with bills that “preempt stronger state laws,” arguing that there should be room for states to legislate. Other stakeholders have critiqued this position on the ground that a national standard would create a more consistent and predictable compliance regime for businesses, in contrast to a “patchwork” of state laws. Former FTC Chairman Jon Leibowitz noted in his written testimony that “a proliferation of state and local consumer privacy laws in place of a national framework would create significant compliance and operational challenges for businesses of all sizes.”
Second, Senator Cantwell argued that consumers should have a private right of action to enhance enforcement efforts. As we have written, studies have shown that private rights of action in privacy legislation have proven counterproductive in the past by “undermin[ing] appropriate agency enforcement, clutter[ing] the courts, and chill[ing] innovation and nationwide service deployment.” Former Acting Chair of the FTC, Maureen K. Ohlhausen echoed this sentiment, explaining that private rights of action “often result in class actions that primarily benefit attorneys, while providing little, if any, relief to those who were harmed.”
Those two areas of disagreement have stalled progress on a federal privacy bill to date and were a subject of debate at the hearing. Attorney General Becerra, for example, objected to any federal solution that preempted California law – though, as Leibowitz pointed out in an exchange with Sen. Wicker, some portions of the federal proposals are “stronger” than California’s current approach under the CCPA. As for the private right of action, Chairman Wicker noted that a number of existing privacy laws, such as COPPA and HIPAA, do not contain private rights of action.
In short, there remains a strong consensus on the need for a rights-based federal privacy law, but also sharp divisions over preemption and enforcement – issues that will need to resolved for a privacy bill to pass.
Members of Congress Continue to Introduce Various Other Proposals
In addition to the key comprehensive privacy proposals in the Senate Commerce Committee, Congressmembers continue to float new privacy proposals—both comprehensive and more targeted. A few such bills include:
The Fourth Amendment Is Not For Sale Act: Senator Ron Wyden (D-OR) is expected to introduce this bill any day. Senator Wyden has said that the bill will “outline a plan to ban the government from buying information that would otherwise require a court order or a warrant.” According to Senator Wyden, this limit is necessary to avoid building in a “backdoor” to the Fourth Amendment, wherein the government can simply buy from data brokers information which it is constitutionally prohibited from obtaining.
The National Biometric Information Privacy Act of 2020: Introduced last month by Senators Jeff Merkley (D-OR) and Bernie Sanders (I-VT), this bill would, inter alia, require organizations to procure a written release before obtaining a person’s biometric information and would outright prohibit certain uses of such information. Similar to the Illinois Biometric Information Privacy Act, the bill would authorize private rights of action with liquidated damages for any violations of the legislation.
Public Health Emergency Privacy Act: A coalition of 38 House Democrats and 11 Senate Democrats (and independent Senator Angus King (ME)) introduced companion bills in May. The bills would—for the duration of the COVID-19 pandemic—provide enumerated privacy rights to individuals and corresponding restrictions on organizations that collect emergency health data. Note that these bills came on the heels of a competing Senate Republican proposal—the COVID-19 Consumer Data Protection Act of 2020—which we previously covered here.
Stakeholders should continue to closely monitor the legislative landscape at both the federal and state level. A federal privacy law would likely impose new obligations on business and (depending on what passes) potentially set off a series of rulemaking proceedings at the FTC to implement the law – also a subject of Wednesday’s hearing. At the same time, the absence of a privacy law continues to result in privacy compliance risk, as states have begun to create a patchwork of privacy obligations across the United States, and plaintiffs’ attorneys have attempted to use creative means to bring privacy lawsuits under state laws. Companies’ compliance efforts will need to take account of the ongoing uncertainty and risk when it comes to privacy and data regulation.