Access Partnership’s Logan Finucan addresses nascent U.S. privacy laws and what a comprehensive federal privacy law might look like.
2020 is unlikely to be the year that a U.S. comprehensive privacy law is passed, although developments in the coming months may generate traction and set the direction of travel toward an eventual law that will have impacts at least as consequential as the EU’s GDPR.
The Congressional Grind
Debates in the U.S. Congress regarding comprehensive privacy legislation have been underway for some time. Long championed by consumer advocates and supportive members of Congress, it took high-profile scandals like Cambridge Analytica, as well as a major looming state-level measure – the California Consumer Privacy Act (CCPA) – to force Congress to finally take action.
Privacy is one of the few issues in Congress where there is a bipartisan consensus that something must be done, as well as – surprisingly – a bridgeable gulf between the two parties. While taking aim at the technology industry, Republicans also want to shield business from the burdens of CCPA compliance in addition to the EU’s GDPR, as well as put a stop to possible state-level requirements that would prove unmanageable for business. Many Democrats are also happy to join in with the tech-bashing and are using political momentum to stir demands for individual protections.
Congressional discussions took place largely behind closed doors throughout 2019, as committee staff negotiated and built support within the House and Senate for several measures. Toward the end of 2019, some of this effort began to materialize, with drafts representing the Democratic (Consumer Online Privacy Rights Act) and Republican (U.S. Consumer Data Privacy Act) positions at the Senate Commerce Committee, as well as a bipartisan draft from the House Energy and Commerce Committee.
The CCPA Effect
The primary motivator for Congress to act on privacy was the passage of the progressive California Consumer Privacy Act (CCPA). Its strict provisions – not fully aligned with the GDPR – are rapidly becoming a de facto national standard as companies work to comply with provisions that allow them to operate on a national scale and other states are set to adopt a similar model. Despite the costs, many businesses have committed significant resources to comply with the CCPA rather than jeopardize their access to the largest digital market in the United States.
Congress has now missed its deadline to introduce a federal law to preempt the application of the CCPA, which came into effect on January 1, 2020. Although large businesses initially pressed Congress to intervene, the urgency of undoing the CCPA has diminished as many companies have worked to comply. However, this doesn’t necessarily remove the need for a federal law. Other states have followed or will soon follow in California’s footsteps and are likely to do so in ways that make it more complicated for business. Given the trajectory of debates in Congress, the CCPA is increasingly looking more like a floor for federal protections that may pass the current Congress, not a ceiling the left is reaching for.
Reading Between the Bills
Different visions for what a comprehensive federal privacy law should look like have been put forward. Some fairly stripped down, principle-based bills have already been presented, such as Senator Brian Schatz’s Data Care Act and Representative Suzan DelBene’s Information Transparency and Personal Data Control Act.
However, the most recent drafts are much more detailed, elaborating more on obligations, roles and responsibilities. This presents interesting trade-offs for businesses: stripped down measures that provide non-prescriptive but sometimes vague standards, or more articulated approaches that in some ways may be more stringent but provide greater clarity and certainty for business on what their obligations will be. Regardless of what business might prefer, the choice between the two approaches may now be out of industry’s hands, as both Republicans and Democrats seem to be leaning toward bills that are more detailed and comprehensive.
Perhaps to the disappointment of Europe, this doesn’t necessarily mean that resulting legislation will be a flavor of the GDPR. U.S. lawmakers are finding new and creative ways of structuring rigorous privacy obligations. Democratic Senator Brian Schatz’s bill would create novel duties of “care,” “loyalty” and “confidentiality” for online businesses gathering and processing personal data, for example. Several other bills contain protections or heightened scrutiny related to algorithmic decision-making. The Democratic Eshoo-Lofgren Online Privacy Act in the House would even enshrine a “right to human review of automated decisions” and a “right to individual autonomy,” requiring affirmative express consent for algorithmic personalization based on behavior. Republicans are also experimenting with novel approaches in this area; Senator John Thune’s “Filter Bubble Transparency Act” would require companies to provide mechanisms to access “non-personalized” versions of services.
How Likely is a Compromise?
Despite some challenges, Republican and Democratic sides in the Senate have converged to a significant degree. In the Senate Commerce Committee, there have been signs of accommodation by Republicans, led by Chairman Roger Wicker, on the topic of private rights of action, as well as some movement by Democrats led by Senator Maria Cantwell on partial preemption of state-level measures.
Chairman Wicker himself has indicated that Senate Republicans may be prepared to acquiesce to many Democratic standards to preempt state measures. It’s possible to envision a compromise privacy bill in which the two sides agree on CCPA-like standards, with a limited private right of action.
Ultimately, however, the substance of the bill will not be the determining factor of its realization in 2020, but rather the timing of the political calendar. It is always difficult to tick items off the political agenda during an election year, and the legislative process will soon grind to a halt. Given the impeachment trial of President Trump in the Senate and the even broader coronavirus crisis, it will be far more challenging this year to introduce any legislation, including privacy. All the while, businesses will be adjusting to the newly enforced CCPA.
What to Expect Next
The first few months of 2020 will provide a significant indication of the trajectory for a new federal privacy law in the U.S. After a breakdown in bipartisan Senate talks, Commerce Committee Democrats and Republicans decided to stake out their respective positions and decamp for the holidays. While this could create space for quiet talks of compromise, it could just as easily allow the process to wither on the vine. Perhaps Senator Schatz said it best: “Sometimes this is a precursor to a deal, and sometimes it’s a precursor to it all falling apart, and I guess we’ll have to find out which one this is.”
Watch for any new overtures between Chairman Wicker and Senator Cantwell. If such efforts really have run their course, a new bipartisan proposal from Senators Jerry Moran and Richard Blumenthal could inject new momentum into the Senate process if unveiled at the right time. Regardless, if significant steps are not taken in Q1 — even if they avoid being trampled by the health crisis — the initiative is likely to be overwhelmed by the election. After November 3, 2020, what will happen in terms of privacy legislation remains unclear, with potential for a new President or Congressional leadership in 2021 — or perhaps, the current ones again.
The pieces in this series have been extracted from a larger report by Access Partnership on the trajectory of tech policy in 2020. The next installment will discuss how data sharing regulations might “heat up” in 2020.