As companies are working to re-evaluate their privacy programs following the enactment of California's groundbreaking privacy law, eyes are now on the U.S. Congress as to whether a federal privacy standard can be achieved. Although Congressional efforts to create industry-agnostic privacy and security requirements historically have not been successful, the possibility of a federal privacy framework appears more plausible than in years past. The residual impact of the European Union General Data Protection Regulation (GDPR), which took effect in May 2018, helped to set the stage for a privacy regulatory overhaul in the U.S. In addition, the impending 2020 compliance deadline for the California Consumer Privacy Act (CCPA), coupled with the anticipated "patchwork" approach as other U.S. states consider their own privacy standards, may be driving activity at the federal level.
Bipartisan Privacy Efforts
The House Energy & Commerce (E&C) Committee and Senate Commerce Committee are currently considering privacy legislation. These two committees have jurisdiction over the Federal Trade Commission's (FTC) Consumer Protection Bureau, which will likely be the agency that enforces any new federal privacy law. Senate Commerce Committee Chairman Roger Wicker (R-MS) is "fully committed to enacting privacy legislation this year" and House E&C Chairman Pallone (D-NJ) indicated both privacy and data security would be on his agenda this year. Given the recent change in control from Republicans to Democrats in the House, at this point, the Senate appears to be further along in their federal privacy legislative efforts. Senators Wicker, Moran (R-KS), Blumenthal (D-CT) and Schatz (D-HI) worked for several months last year to craft a bipartisan privacy bill, and that work continues to this day. The E&C Committee plans to hold a privacy hearing on Feb. 26, 2019 (details TBD), and the Senate Commerce Committee has scheduled a hearing on Feb. 27, 2019, entitled: "Policy Principles for a Federal Data Privacy Framework in the United States."
One possible impediment to enacting federal privacy legislation is the question of preempting the CCPA. Many in the industry are calling for federal preemption of state privacy laws, including the CCPA (and perhaps similar legislation being considered in at least HI, MD, MA, MS, NM, NY, ND, RI, WA and NJ). Republicans may generally be sympathetic to industry on this issue while Democrats are likely more skeptical. Ultimately, a bipartisan agreement on preemption will need to be resolved – 60 votes will likely be required in the Senate (where the Republican majority controls 53 votes), and 218 votes will be required in the House (where the Democratic majority controls 235 votes).
Data Security and Breach Notification
Another important question is whether any privacy legislation will include related issues such as cybersecurity, data security and data breach notification. Congress passed the Cyber Security Information Sharing Act in 2015, and data security and the issue of federal preemption of state data breach notification laws has been considered by Congress for several years with no federal legislation being enacted to date. While it may seem logical to combine privacy, cybersecurity and data security into one legislative package, doing so could create committee jurisdictional challenges and reduce the likelihood of enactment. As a result, ultimately, Congress may pursue a more narrow, privacy-only legislative approach.
Finally, the Government Accountability Office released a report on Internet privacy on Feb. 13, 2019, that was requested by E&C Chairman Pallone. The report contains recommendations on additional federal authority to enhance consumer protection.
Separate from Congress, the executive branch took action on privacy during 2018, tasking the National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Administration (NTIA) to develop a voluntary privacy framework. These executive branch efforts are more limited in scope than what Congress is currently considering.
Congressional privacy legislative activity is expected to continue over the coming months, and parallel efforts at the state level may influence the content of, and increase pressure for, a federal standard. The CCPA and recent state privacy bills share GDPR sentiments, with heightened emphasis on individual's privacy rights and control over their personal information. A federal privacy framework may also include at least some aspects of the GDPR model. While the full scope of the new U.S. privacy framework is yet to be seen, a new regulatory regime appears imminent. Consequently, companies should be prepared to evaluate their programs to address the forthcoming requirements.