Despite a promising start in the 116th Congress, comprehensive information-privacy legislation appears stalled on Capitol Hill. Response to the COVID-19 pandemic has necessarily consumed most of the current bandwidth in Congress. Yet the pandemic has raised issues surrounding access to mobility and proximity data, health information, and other forms of personal information that may—and in some cases may not—be useful for public health. These are a reminder of the gaps in the U.S. system of privacy protection.
Last November, Sen. Maria Cantwell (D-Wash.) introduced the Consumer Online Privacy Rights Act (COPRA) and Sen. Roger Wicker (R-Miss.) released the draft United States Consumer Data Privacy Act (USCDPA). As we (Kerry) wrote at the time, these two Senate Commerce Committee proposals “frame[d] the issues for this discussion going into the next session of Congress” and introduced clarity to the broader privacy debate. Although COPRA and USCDPA are promisingly similar in many aspects, stakeholders have staked out polar all-or-nothing positions on the two provisions where Wicker and Cantwell are the furthest apart—preemption and the private right of action. As long as these protagonists remain in their own corners, the broader privacy debate will be frozen and federal legislation stalled.
Our report, available for download here, seeks to unfreeze the privacy debate by exploring and offering a middle ground. It proposes solutions on preemption and private lawsuits that depart from the maximalist approaches shaping the current debate. Our recommendations aim to prompt a clearer shift in regulatory paradigm by setting boundaries on how covered entities collect, process, and share personal information; establishing organizational accountability mechanisms; and graduating obligations according to the scale of the covered entity, covered data, and privacy risks involved.
The recommendations and analysis in this report frame the kinds of compromises it will take to pass federal privacy legislation that would give individuals stronger, more consistent expectations for how organizations use personal information, while also giving industry clear national guidance on what it needs to do to protect privacy and security. Last year’s gridlock on the Washington Privacy Act (WPA) shows that state legislation is no slam dunk for either side of the debate and that bipartisan federal privacy legislation will take compromise. If the same thing happens in Washington, D.C., any window of opportunity to pass federal privacy legislation is likely to reach a similar end.
Thus, for the federal privacy debate to move forward, stakeholders will need to find middle ground on a range of issues. Perhaps the suggestions here can help.
- Preemption: Consistent national privacy standards would benefit both individuals and industry. Today’s digital society is not confined within state borders, and a person’s privacy should not depend on which state they are in. We therefore recommend preempting “inconsistent” state laws that regulate the collection, processing, sharing, and security of covered data, while leaving space for the body of state law developed over more than 100 years. We also recommend enacting a partial eight-year sunset provision for preemption, which would give Congress the opportunity to revisit the efficacy of federal privacy legislation and evaluate any necessity for supplementary state laws.
- Private right of action: Individuals should be able to seek redress for widely recognized injuries—but we generally recommend limiting recovery to “actual damages,” requiring a heightened “knowing or reckless” liability standard for most statutory provisions, and requiring a “willful and repeated” standard to bring a private lawsuit for more procedural provisions. Procedural filters should include notice and an opportunity to cure, heightened pleading, and class-action limits adapted from securities litigation.
- Limits on processing: Boundaries on collection, use, and sharing of personal information are essential elements of privacy protection. Data minimization provisions in existing bills can be combined into “duty of loyalty” and “duty of care” provisions that more broadly require covered entities to respect privacy, communicate policies fairly and transparently, and exercise reasonable care to avoid specified and well-recognized harms, including violation of anti-discrimination laws.
- Consent, notification, and transparency: Organizations should have to get affirmative express consent to collect or transfer sensitive data, but we recommend minimizing consent requests by narrowing the definition of “sensitive data” and focusing on what individuals can reasonably expect in “context.” Covered entities should provide transparency in three layers instead of one-size-fits-all: a) timely, context-specific notifications for individuals, b) basic privacy statements targeted to individuals, and c) comprehensive privacy disclosures aimed at regulators and other close observers.
- Graduated obligations and accountability: Small businesses should not be exempt from comprehensive federal privacy legislation, as some have caused serious privacy and security failures. But small and medium entities (including smaller nonprofits) should be exempt from some specific obligations that come with significant compliance costs. Basic underlying obligations—like the duties of loyalty and care, data security, and privacy risk assessments—should apply to all organizations but be tailored to the scale of the covered entity and the volume and nature of data involved. Additional obligations should apply to “large data holders.”
- Civil rights: Existing federal anti-discrimination laws, designed for human decision-making, need reinforcement to address automated decisions. Comprehensive privacy legislation should address algorithmic discrimination because covered data can be used in ways that disadvantage individuals. However, privacy legislation should not alter existing federal or state anti-discrimination laws, and the agencies currently tasked with anti-discrimination enforcement (e.g., the EEOC) should maintain their primary roles. The FTC should refer discrimination cases to the relevant federal agency, and privacy legislation should also prohibit the use of covered data in ways that violate existing anti-discrimination laws.
- Individual rights: We recommend combining the individual rights to request access, correction, deletion, and portability of personal information into an overarching “Right to Control” section and adding a separate “Right to Recourse” that would have to be exercised prior to bringing litigation.