Logan Finucan
Senior Manager, Data Policy & Trust
[email protected]
2020 is unlikely to be the year that a US comprehensive privacy law is passed, although developments in the coming months may generate traction and set the direction of travel towards an eventual law which will have impacts at least as consequential as the EU’s GDPR.
The Congressional Grind
Debates in the US Congress regarding comprehensive privacy legislation have been underway for some time. Long championed by consumer advocates and supportive members of Congress, it took high-profile scandals like Cambridge Analytica, and a major looming state-level measure – the California Consumer Privacy Act (CCPA) – to force Congress to finally take action.
Privacy is one of the few issues in Congress where there is a bipartisan consensus that something must be done, as well as – surprisingly – a bridgeable gulf between the two parties. While taking aim at the technology industry, Republicans also want to shield business from the burdens of CCPA compliance in addition to the EU’s GDPR, as well as put a stop to possible state-level requirements that would prove unmanageable for business. Many Democrats are also happy to join in the with the tech-bashing and are using political momentum to stir demands for individual protections. Congressional discussions took place largely behind closed doors throughout 2019 as committee staff negotiated and built support within the House and Senate for several measures. Towards the end of 2019, some of this effort began to materialise, with drafts representing the Democratic (Consumer Online Privacy Rights Act) and Republican (US Consumer Data Privacy Act) positions at the Senate Commerce Committee, as well as a bipartisan draft from the House Energy and Commerce Committee.
The CCPA Effect
The primary motivator for Congress to act on privacy was the passage of the progressive California Consumer Privacy Act (CCPA). Its strict provisions – not fully aligned with the GDPR – are rapidly becoming a de facto national standard as companies work to comply with provisions that allow them to operate on a national scale and other states are set to adopt a similar model. Despite the costs, many businesses have committed significant resources to compliance with the CCPA rather than jeopardise their access to the largest digital market in the United States.
Congress has now missed its deadline to introduce a federal law to pre-empt the application of the CCPA, which came into effect on 1 January 2020. Despite large businesses initially pressing Congress to intervene, as many companies have worked to comply, the urgency of undoing the CCPA diminished. However, this doesn’t necessarily remove the need for a federal law. Other states have, or will soon, follow in California’s footsteps, and are likely to do so in ways that make it more complicated for business. Given the trajectory of debates in Congress, the CCPA is increasingly looking more like a floor for federal protections that may pass the current Congress, not a ceiling the left is reaching for.
Reading Between the Bills
Different visions for what a comprehensive federal privacy law should look like have been put forward. Some fairly stripped down, principle-based bills have already been presented, such as Senator Schatz’s Data Care Act and Rep DelBene’s Information Transparency and Personal Data Control Act.
However, the most recent drafts are much more detailed and elaborate more on obligations, roles and responsibilities. This presents interesting trade-offs for businesses: stripped down measures that provide non-prescriptive but sometimes vague standards, or more articulated approaches that in some ways may be more stringent but provide greater clarity and certainty for business on what their obligations will be. Regardless of what business might prefer, the choice between the two approaches may now be out of industry’s hands as both Republicans and Democrats seem to be leaning towards bills that are more detailed and comprehensive.
Perhaps to the disappointment of Europe, this doesn’t necessarily mean that resulting legislation will be a flavour of the GDPR. US lawmakers are finding new and creative ways of structuring rigorous privacy obligations. Democratic Senator Brian Schatz’s bill would create novel duties of “care”, “loyalty” and “confidentiality” for online businesses gathering and processing personal data, for example. Several other bills contain protections or heightened scrutiny related to algorithmic decision-making. The Democratic Eshoo-Lofgren Online Privacy Act in the House would even enshrine a “right to human review of automated decisions” and a “right to individual autonomy,” requiring affirmative express consent for algorithmic personalisation based on behaviour. Republicans are also experimenting with novel approaches in this area; Senator Thune’s “Filter Bubble Transparency Act” would require companies to provide mechanisms to access “non-personalized” versions of services.
How Likely Is a Compromise?
Despite some challenges, Republican and Democratic sides in the Senate have converged to a significant degree. In the Senate Commerce Committee, there have been signs of accommodation by Republicans, led by Chairman Wicker, on the topic of private rights of action, as well as some movement by Democrats led by Senator Cantwell on partial pre-emption of state-level measures.
Chairman Wicker himself has indicated that Senate Republicans may be prepared to acquiesce to many Democratic standards to pre-empt state measures. It’s possible to envision a compromise privacy bill in which the two sides agree on CCPA-like standards, with a limited private right of action.
Ultimately however, the substance of the bill will not be the determining factor of its realisation in 2020, but rather the timing of the political calendar. It is always difficult to tick items off the political agenda during an election year and the legislative process will soon grind to a halt. Given the impeachment trial of President Trump in the Senate, due to take place in the first quarter of 2020, this year will be even more challenging to introduce any legislation, including privacy. All the while, businesses will be adjusting to the newly enforced CCPA.
What to Expect Next?
The first few months of 2020 will provide a significant indication of the trajectory for a new federal privacy law in the US. After a breakdown in bipartisan Senate talks, Commerce Committee Democrats and Republicans decided to stake out their respective positions and decamp for the holidays. While this could create space for quiet talks of compromise, it could just as easily allow the process to wither on the vine. Perhaps Senator Schatz it best: “Sometimes this is a precursor to a deal, and sometimes it’s a precursor to it all falling apart, and I guess we’ll have to find out which one this is.”
Watch for any new overtures between Chairman Wicker and Senator Cantwell. If such efforts really have run their course, a new bipartisan proposal from Senators Moran and Blumenthal could inject new momentum into the Senate process if unveiled at the right time. Regardless, if significant steps are not taken in Q1 – even if they avoid being trampled by the impeachment process – the initiative is likely to be overwhelmed by the election. After 3 November 2020, what will happen in terms of privacy legislation remains unclear, with potential for a new President or Congressional leadership in 2021 – or perhaps, the current ones again.
