New Stakeholders Push For Privacy Regulation

While the COVID-19 pandemic has dominated policymakers’ attention, the ongoing privacy debate is ever-present.  New issues—like geolocation tracking to trace the spread of the virus—have generated renewed interest in privacy on Capitol Hill.  And at the state level,  California Attorney General Xavier Becerra has said that he will begin enforcing the California Consumer Privacy Act (CCPA) on July 1, as originally planned, despite the pandemic.  It is against this backdrop that a number of new voices have begun calling for increased privacy regulation in 2020.

Most recently, Texas Attorney General Ken Paxton said last Wednesday that “there needs to be more [privacy] regulation, whether it gives consumers control through portability or control through just protecting their privacy and their data being used.”[1]  He also explicitly endorsed the data portability schemes of both the CCPA and Europe’s General Data Protection Regulation (GDPR).[2]  He explained that his preference stems from “big tech companies having so much information and so much control over people’s lives through this information.”

Last month, the Cyberspace Solarium Commission (CSC)—a Congressional working group established by statute to develop a national cybersecurity strategy—put forward a report with an “urgent call to action” on privacy and cybersecurity.  Among other things, the report called for a nationwide cybersecurity labeling program for information technology products, federal legislation establishing manufacturer liability for cybersecurity incidents, and comprehensive federal privacy legislation.  On the latter, the CSC called for “a national data security and privacy protection law establishing and standardizing requirements for the retention, collection, and sharing of user data” enforced by the Federal Trade Commission (FTC).

Senator Jerry Moran—a Republican from Kansas—introduced a new privacy bill at the beginning of March.  The bill broadly tracks the general approach of Senators Roger Wicker (R-MS) and Maria Cantwell (D-WA), who introduced privacy bills late last year:  establishment of an enumerated set of consumer privacy rights (e.g., right to know, right to access), general data protection obligations, and enforcement by the FTC.  Senator Moran’s bill, like other Republican proposals before it, proposes broad preemption of state privacy laws and explicitly disclaims a private right of action.  These two issues have been—and appear to remain—a major partisan fault line in the federal privacy debate.

There have been numerous other significant calls for privacy legislation.  A Department of Justice official recently called on Congress to pass legislation that would require companies to notify federal law enforcement if they experience a data breach.  Last week, a large technology company released a set of privacy principles and called for “a strong federal privacy law,” echoing an open letter from late last year in which CEOs of 51 major U.S. companies called for “a comprehensive consumer data privacy law.”  Senator Wicker reiterated his call for federal privacy legislation in the opening statement of a Commerce Committee “paper hearing” earlier this month on the use of aggregate consumer data to combat the coronavirus.  And the Electronic Frontier Foundation recommended that the Presidential Commission on Law Enforcement and the Administration of Justice “develop model policies for agencies that will meaningfully restrict law enforcement access to and use of [facial recognition] technology.”

These new calls for privacy regulation—from a diverse array of public and private sector stakeholders—may ultimately spur the federal government or state privacy efforts to move even faster.  As a result, organizations should continue to carefully monitor their privacy practices and compliance obligations.  You can find ten of our stopgap tips to do so here

[1] The quote begins at 49:12.

[2] This discussion begins at 48:07.