Though recent bills are similar, lawmakers have yet to resolve two polarizing issues: preemption and private right of action.
The Senate may be reaching a tipping point on the need to pass comprehensive federal data privacy legislation, but ironing out the details relating to implementation and enforcement mechanisms remains a challenge.
A Wednesday Senate Commerce, Science and Transportation Committee hearing served as a forum for lawmakers to air their differences on how to effectively legislate national privacy standards. Though a cadre of former Federal Trade Commission officials, along with California Attorney General Xavier Becerra, all emphasized the need for a comprehensive bill, they were preaching to the choir. Both Sens. Roger Wicker, R-Miss., and Maria Cantwell, D-Wash., respectively the chair and ranking member of the committee, have introduced comprehensive privacy legislation.
Wicker convened the hearing just under a week after he and other Commerce committee Republicans unveiled the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act, or SAFE DATA Act, on September 17. Cantwell and Commerce Democrats introduced their version of privacy legislation, the Consumer Online Privacy Rights Act, or COPRA, in November 2019. The two bills join a slew of other privacy efforts made recently by both parties and chambers of Congress.
The more compelling position presented by experts is that Republicans and Democrats are remarkably aligned in their desire to pass national privacy legislation, and they should avoid squabbling over the differences that do exist to get privacy legislation on the books as soon as possible.
Stacey Gray, a lawyer who tracks federal privacy issues at the Future of Privacy Forum, told Nextgov ahead of the hearing that the Republican and Democratic proposals are far more similar than they are different. Gray called it “exciting” that the two bills “are not that far apart.”
Sen. Brian Schatz, D-Hawaii, said during the hearing there’s healthy competition among the committee members to develop and advocate for their own privacy bills. Schatz is a COPRA co-sponsor.
“This has been fruitful in the sense that I think we’ve got a lot of very good ideas,” Schatz said, “but we’re sort of on a razor’s edge between that competition being fruitful and competition preventing us from enacting legislation.”
The two main differences holding up progress relate to whether a federal law should preempt state laws and how enforcement will work. Republicans want a bill that supersedes state laws and is enforced by the FTC. Democrats aligned with Cantwell, by contrast, want to allow states the room to innovate beyond the federal standard, and they want a bill to include a private right of action.
“I would expect those two issues to remain quite polarized,” Gray said. “They were polarized similarly when we saw comprehensive legislation working its way through Washington state earlier this year and it led to the bill not passing.”
Yet even though the differences seem stark in the abstract, through the course of the hearing the space between the two options became murkier.
Becerra’s testimony at the hearing was based on his experience implementing the California Consumer Privacy Act, or the CCPA, a data privacy law which took effect January 1. The attorney general functioned as a mouthpiece for the anti-preemption position. Becerra also supports a private right of action.
Cantwell and some other Democrats on the committee fear that preemption, meaning the federal law would supersede state and local privacy laws, will prevent states like California from innovating beyond the nationwide minimum. They seek to drag states that haven’t yet adopted data privacy laws up to a national standard without restricting those states that want to innovate beyond a national law.
“I would urge that you consider that we could set a standard, but just don't make it the ceiling,” Becerra said. “Let it be the floor.”
But former FTC Chair and Commissioner Jon Leibowitz and other witnesses said both Cantwell's and Wicker’s bills go further than California’s CCPA already. Leibowitz added he wouldn’t support preemption if he thought a federal law would be weaker than state offerings.
“At the end of the day, you want the person who is driving from Biloxi to Seattle to have the same robust privacy protections wherever she or he goes,” Leibowitz said.
The former commissioner’s comment gets to the heart of the problem with allowing for state-by-state differences: The internet doesn’t know boundaries. Sen. Jon Tester, D-Mont., who said his opinions aligned with Becerra’s comments regarding preemption, asked witnesses how enforcement would work when data disputes may cross state boundaries.
“You really put your finger on one of the challenges here, which is that we aren’t talking about simply having a federal law in California, what we would have is a federal law, California and a multitude of other states,” Maureen Ohlhausen, former FTC commissioner and acting chair, said.
William Kovacic, another former FTC chair and commissioner, said he supports giving the FTC rulemaking authority so that it can adapt a federal data privacy standard as new issues come to the fore. Because the internet does not recognize state boundaries, any state evolutions of the law would become de facto nationwide standards anyway: a business that has to comply with, say, California’s CCPA does not comply with that state law within the borders of California alone.
“I don't think individual states would feel an urgency, necessarily, to march ahead if they had confidence that this national scheme was going to be adaptable and flexible,” Kovacic said.
Kovacic added he is confident that legislation coming out of the committee will not only be adaptable, but that the legislators would take it upon themselves from time to time to return to the issue at hand and ensure it’s up to date.
Private Rights of Action
Cantwell’s opening statement took a strong stance on the need for citizens to be able to seek redress on their own if their privacy rights are violated. Cantwell said even if Congress empowers the FTC and state attorneys general to enforce a nationwide data privacy standard, there will never be enough resources to police the plethora of companies collecting consumer data.
“We will never be able to fully police the thousands and thousands of companies collecting consumer data if you are the only cop on the beat,” Cantwell said.
Becerra, in response to questions from Cantwell, added the private right of action makes legal protections tangible. Citizens have to have remedies available to them for their rights to be meaningful, according to Becerra.
Though both Republicans and Democrats agreed the FTC should be granted more resources in order to enforce privacy regulations, Cantwell and Becerra argued that citizens still need that extra outlet to advocate for themselves because state attorneys general and the FTC will never have the bandwidth to deal with every problem that arises.
“I guarantee you consumers would prefer to have the California attorney general move their case instead of them,” Becerra said, “but at the end of the day if we don’t have the capacity, then some of those consumers will take up the opportunity if they are given the right to go to court.”
Gray said private right of action may be even more important if preemption wins the day.
“Most privacy advocates and civil rights advocates and a lot of the Democratic leadership would strongly prefer a privacy bill, especially if it's going to supersede state laws, to include a private right of action so that individuals can challenge alleged violations directly themselves in court,” Gray said.
In her written testimony, Ohlhausen said in past instances, private rights of action have usually just lined the pockets of attorneys without realizing true redress for victims. She added leaving enforcement up to state attorneys general and the FTC would create a level of consistency that in the end benefits consumers more than individual attempts to right the boat.
“It seems that in the discussion of data privacy at the federal level, this has become an article of faith,” Wicker said, “and I really regret that because I think it amounts to a stumbling block that may prevent national legislation from being enacted.”
In his written testimony submitted to the committee, Leibowitz said it would be a “tragedy” if disagreement over the private right of action enforcement issue were to prevent the Senate from passing privacy legislation at all.