Over the past few months, the question of “if” Congress should strengthen privacy protections has increasingly become a matter of “when” and what form the legislation should take. Republican and Democratic congressional leaders have pledged to take action on privacy this year. A number of legislative proposals have already been introduced, others are under development, and this is one of the few legislative areas where bipartisan agreement is possible. While the debate is still in its early stages, its potential implications are significant — namely, the creation of a new federal privacy regime that would be the American answer to the European Union’s General Data Protection Regulation (“GDPR”) and potentially head off state-by-state regulatory efforts like the California Consumer Privacy Act of 2018 (“CCPA”).
This is a development that should be on the radar screen of every organization that handles personal information. The integrated team of privacy and public policy professionals at K&L Gates has developed the following five questions to begin your analysis of the legislative debate and start planning the next steps as it moves forward. More likely than not, privacy is a central concern for your organization, and it will be essential to monitor the action in Congress and engage with policymakers as needed to protect and advance your interests. We can help.
1. Does this impact me?
The big-tech giants have received most of the media attention so far, but the reality is that a federal privacy law would create new obligations for every organization that collects, uses, processes, stores, or shares personal information. This is an effort of a similar scale and scope as the GDPR and the CCPA. If your organization’s activities potentially are covered by either regime, it is likely that the legislation Congress is considering will be relevant too. The bottom line is that the implications of the federal privacy debate cut across industries and sectors.
2. What could this mean for my organization?
It is too early to say what the final privacy legislation will look like, but it is safe to assume that it will entail new obligations for organizations and potentially create new legal exposure and enforcement risk. Some of the key issues under discussion include the following:
3. Is anything really going to happen?
There is understandable pessimism about the prospects for sweeping legislation under a divided Congress, but the data breaches, unauthorized sharing, and other privacy violations that have dominated headlines for the past few years have led to a high level of public interest and engagement on the issue. In addition, the CCPA’s looming 2020 effective date — and the potential for similar initiatives in other states — has united much of the business community around the need for federal legislation. These trends have made privacy legislation a top priority for House and Senate leaders on both sides of the aisle, as well as the Trump administration. As noted above, policymakers are pressing ahead with plans to hold hearings, draft legislation, and move a bill as early as this summer.
Of course, the devil is always in the details, and there is a possibility that these legislative efforts could fall short. Although there is broad interest in privacy legislation among stakeholders and policymakers, there are important differences of opinion about its specifics that could be difficult to reconcile. However, even if the proposals under debate do not make their way into law this year, they will still set a marker for future initiatives — underscoring the importance of the present legislative debate.
4. How does this affect my existing compliance program?
With GDPR implementation in the rearview mirror, many organizations are looking toward the CCPA as the next major regulatory milestone. The privacy debate in Congress adds uncertainty to this timeline and could complicate compliance strategies going forward. Federal legislation could preempt the California law entirely, introduce new or additional requirements on top of it and other federal laws, open the door to future rulemaking activities, and prompt responsive action by other jurisdictions — including U.S. states as well as foreign governments.
In view of this, consider the need to monitor developments closely so they do not come as a surprise and can be factored into compliance plans sooner rather than later. In addition, early engagement in the process offers a way to advance priorities and address specific problems before legislation is baked into law.
5. What should I be doing to prepare?
Preparing for changes in the U.S. privacy landscape starts with understanding your organization’s exposure to personal information and following the various policy proposals under consideration to develop a clear sense of their potential implications for your business and regulatory compliance strategies. Undertaking this evaluation sooner rather than later preserves the option to engage in the legislative debate to shape the final outcome in a way that advances and protects your interests.