Is 2021 the year we’ll finally get a federal consumer privacy law? Barring another worldwide disaster, all signs point to yes — or at the very least, some significant progress toward one. Several senators and representatives who introduced privacy bills in previous sessions told Recode that they will be reintroducing their bills in the months to come. First up is Rep. Suzan DelBene (D-WA), who is introducing her Information Transparency and Personal Data Control Act on Wednesday.
“We need for folks to understand how critically important privacy is,” DelBene told Recode. “Not only domestically for consumer rights, but how we’re going to have more and more challenges internationally if we don’t address privacy.”
On a consumer-facing level, DelBene’s bill would require businesses and websites to get users’ permission before sharing their sensitive personal data, including things like Social Security numbers, location, sexual orientation, immigration status, and health information. It would also give users the ability to opt out of the collection, use, or sharing of non-sensitive personal data. Companies collecting data would have to tell users if and why their information is being shared, as well as the categories of third parties with whom it’s being shared. Finally, businesses and websites would have to provide clear and understandable privacy policies, written in “plain language,” as DelBene calls it.
“We’re focused on opt-in so that privacy is the default,” she said.
Behind the scenes, businesses would have to submit to a privacy audit every two years, and state attorneys general and the Federal Trade Commission (FTC) would have enforcement powers — with the latter given significant resources and authority to enforce the law and create additional regulations as it sees fit.
“Enforcement is key,” DelBene added. “We can have a privacy policy, but if we don’t have somebody who’s going to be in charge of enforcing it and setting and continuing to make sure that we have strong rules? … That’s obviously critical.”
DelBene’s bill will likely kick off a new round of attempts to pass a consumer privacy law in this new congressional session. Over the years, the Senate and House commerce committees have held hearings on consumer privacy, and several members of Congress in both houses and from both parties have proposed bills. Both sides recognize the need for a law. And yet, we have no law.
Meanwhile, the need for such a law has never been greater. Americans spent more time online than ever during the pandemic, giving their valuable data to a variety of platforms and services that operate with few rules beyond those they make for themselves. These platforms — Facebook and Google chief among them — grow wealthier and more powerful every day, thanks to the virtual mountains of data they collect from billions of people around the world.
Meanwhile, other countries and states have started to enact their own data privacy laws. The European Union has the General Data Protection Regulation (GDPR). India and China are proposing their own privacy laws, Californians have their Consumer Protection Act (CCPA) and the Privacy Rights Act (CPRA), and Virginia just passed the Consumer Data Protection Act (CDPA). Several other states are considering their own, including DelBene’s home state, Washington. So the lack of a federal privacy law makes the United States look like an outlier.
“Having the US absent from that discussion, where it’s the largest economy in the world — and certainly the leader in technology — is just amiss,” Omer Tene, vice president and chief knowledge officer of the International Association of Privacy Professionals, a nonpartisan membership organization, told Recode.
A consumer privacy bill from a former tech executive
DelBene has been the representative for Washington’s First Congressional District since 2012. Before that, she was an executive at several tech companies, from small startups to the very large Microsoft. So she knows business, she knows tech, and she uses that background to inform some of her legislation and initiatives.
As a member of Congress, DelBene has pushed for the Public Health Emergency Privacy Act, which would strengthen health privacy protections related to the pandemic, and the Email Privacy Act, which would force law enforcement to get a warrant for emails from third-party providers (currently, they only have to get a warrant for emails that are fewer than 180 days old). She’s also sponsored bills about smart cities, ebooks, telehealth, the Internet of Things, and virtual currency.
DelBene’s previous attempts to introduce the Information Transparency and Personal Data Control Act in the last two Congresses didn’t go anywhere. Her latest version has a few changes but isn’t radically different from its forebears. The big difference this time around is that we now have a Democratic-majority House and Senate that makes passing consumer privacy legislation — or any legislation, really — seem much more possible. The real question is what that law will include.
“Largely, this is a bipartisan issue, which is room for optimism that [a privacy bill] can pass,” Tene said. “This is a topic that they can find convergence on.”
DelBene’s bill, which has elements that appeal to both parties, might be a place to find that convergence. DelBene is the chair of the New Democrat Coalition, a caucus of nearly 100 moderate Democrats, and her bill reflects those centrist leanings. It’s more business-friendly than other Democrats’ bills, and in the two areas that Republicans and Democrats are the furthest apart — preemption, which is states’ rights to pass their own, stronger privacy laws; and private right of action, which is consumers’ rights to sue companies if they think their privacy rights have been violated — DelBene’s bill is more on the right-leaning side of things than the left. That said, previous iterations of her bill have had the support of many Democrats (last time, she ended up with 34 co-sponsors) and the endorsement of the New Democrat Coalition.
DelBene said she’s hopeful she’ll even get at least one Republican co-sponsor on the bill this time around.
“We still have work to do to make that happen,” she said. “So we’re going to keep working with everyone.”
Where the bill may lose some Democrats (and probably more than a few privacy and consumer advocates)
But the Information Transparency and Personal Data Control Act is missing some things that many privacy and consumer advocates consider to be essential. While it does give consumers the power to opt into the sharing and selling of some types of their data — considered to be a more privacy-forward approach than forcing consumers to do the work to opt out of everything — the bill does not explicitly give consumers the right to access, change, or delete the information a company has collected about them. Those are rights that CCPA and GDPR grant, so it’s conspicuously absent from DelBene’s bill.
There is also the question of preemption and private right of action. DelBene’s bill would preempt state laws and bar private right of action, which tends to align more with Republicans’ interests than Democrats’.
On the first point, DelBene is unequivocal: A federal privacy law must be preemptive.
“How does it work if you have a patchwork [of state laws] for your average user, and how does it work for a small business?” DelBene said. “And shouldn’t we have a strong federal law so that people’s rights are protected everywhere in the country, and that we’re bringing that strong point of view to the international table?”
This approach would be nice for big businesses, too, which is why they’ve called for a preemptive federal law; only having to deal with one (ideally weak) law is much easier for them than having to anticipate and adjust to a barrage of constantly evolving rules from 50 states.
There is an exception to preemption in DelBene’s bill: biometric laws. So Illinois’s Biometric Information Privacy Act, which says businesses must get user permission before collecting their biometric data — such as using facial recognition — wouldn’t be touched.
But preemptive bills have an increasingly tall hurdle to overcome as more states adopt privacy laws and their residents get rights that a weaker preemptive federal law would then take away. For instance, the American Prospect’s scathing assessment of DelBene’s bill’s previous iteration called it a “privacy bill, minus the privacy” which would take Californians’ CCPA rights away and give them “next to nothing” in return.
There’s also no private right of action in DelBene’s bill, which means that consumers won’t be able to sue businesses if they feel their rights have been violated. State attorneys general and the FTC will be the only parties that can go after those businesses. Private right of action proponents point out that attorneys general and the FTC don’t always have the time or resources to enforce privacy laws, so an extra measure of accountability is necessary. Businesses really don’t like private right of action because it opens them up to lots of expensive lawsuits.
But private right of action can be a difficult sell. Even the CCPA was watered down to only grant it for cases where sensitive personal data was exposed because a business didn’t take adequate security precautions to protect it. Virginia’s CDPA doesn’t have it, and the question of whether to include it has delayed Washington state’s attempt to pass its own.
Cameron Kerry, a fellow at the Brookings Institution’s Center for Technology Innovation and co-author of the “Bridging the gaps: A path forward to federal privacy legislation” report, thinks we’ll ultimately see a federal privacy law that compromises on both private right of action and preemption.
“I think it is sinking in with the industry that it’s probably going to take some kind of private right of action to get legislation passed,” Kerry told Recode. “I think it is sinking in with people who oppose preemption of state laws that it’s also going to take some significant preemption to get a bill passed.”
DelBene’s solution to the lack of private right of action is a significantly beefed-up FTC, with $350 million in funding and an additional 500 full-time employees who will focus on data privacy and security. That’s a major boost, considering that the FTC currently has about 1,100 full-time employees who are spread across its multiple areas of enforcement (with just 40 to 45 of them in its Division of Privacy and Identity Protection). And the bill gives the FTC the authority to make future regulations that could strengthen or adjust the law, rather than waiting years — even decades — for Congress to act and pass new legislation.
“It’s important that we have the enforcement and rule-making authority to address any issues that arise or something we didn’t catch,” DelBene said.
At least one privacy advocacy group isn’t quite sold on that reasoning, however.
“We’d rather Congress enact privacy safeguards by statute, as opposed to Congress empower an agency to enact privacy safeguards by regulation,” Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation, told Recode.
The Information Transparency and Personal Data Control Act will soon have more progressive competition
DelBene’s bill is the first consumer privacy bill to come out this year, but it won’t be the last. Several have been introduced over the years, all with their own particular quirks. The office of Sen. Kirsten Gillibrand (D-NY) told Recode that she’s planning to reintroduce her Data Protection Act, which would establish an agency charged with creating and enforcing privacy regulations. Ohio Democratic Sen. Sherrod Brown’s office told Recode that he intends to introduce a 2021 version of his Data Accountability and Transparency Act, which he released in draft form last year. Brown’s bill does away with consumer consent entirely by making the legal default that no personal data is collected, used, or shared at all.
And Sen. Ron Wyden (D-OR) will also be coming out with a new version of his 2019 Mind Your Own Business Act, the previous version of which included the creation of a national “do not track” system, gave the FTC to power to levy stiff fines for first-time offenses, called for prison time for company executives who lied to the FTC, and gave users access to the data companies have collected on them.
“Yes, I’ll be reintroducing the Mind Your Own Business Act,” Wyden told Recode. “I plan to work closely with my colleagues to move comprehensive privacy legislation.”
There have also been bills from Reps. Zoe Lofgren and Anna Eshoo (both D-CA) and Sen. Jerry Moran (R-KS) that could come back this year, and the Senate commerce committee’s Democrats, led by Washington’s Sen. Maria Cantwell, and Republicans, led by Mississippi’s Sen. Roger Wicker, may reintroduce their bills. A bipartisan bill from the commerce committee could have the best chance of succeeding out of all of them, but that’s been a nonstarter so far.
So after too many years of too little action on consumer privacy legislation, lawmakers might find themselves with an embarrassment of riches. DelBene’s bill might stick out for its bipartisan appeal. Or, with a Democratic majority now in both houses, a more progressive bill might have a better shot. What is clear now is that we need a law, and the sooner the better. DelBene’s is one of what will be many, and it’s a relatively short and simple bill with room to build on, which gives the FTC the power to do just that.
“I wrote this bill as being very foundational,” DelBene said. “We do need to expand beyond this. … If we don’t have fundamental privacy policy, then how are we going to address all the issues that are built on top of that? So we really are starting out making sure that we’re building the infrastructure we need to make sure we’re protecting consumer rights in the digital world.”
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.