During a recent panel, I was called “ridiculously optimistic” for saying I could see a path to passage of comprehensive privacy legislation in the current Congress. But with bills emerging from both the chairman and the ranking member of the Senate Commerce Committee and a December 4 full committee hearing to discuss legislation, the scenario I could see developing is not so farfetched. Although separate Republican and Democratic bills are not the joint bipartisan proposal widely anticipated for several months, the bills and the hearing this week kick off the concrete discussion about privacy legislation that stakeholders have been waiting to join.
The bills frame the issues for this discussion going into the next session of Congress, and efforts toward a bipartisan agreement continue. The first bill to emerge was the Consumer Online Privacy Rights Act filed by Senator Maria Cantwell (D-WA) on November 26, a week after she and other Democratic privacy leaders released principles for privacy legislation. Senators Brian Schatz (D-HI), Amy Klobuchar (D-MN), and Edward Markey (D-MA), all of whom have put forward privacy bills of their own, joined in her bill. Then, just before Thanksgiving, Commerce Committee Chair Roger Wicker circulated a “staff discussion draft” of a Consumer Data Privacy Act of 2019 covering much of the same ground, but with a different drafting approach and some distinct points of difference.
I have said for a while that if the various stakeholders involved were crafting privacy legislation, they could work out a successful bill. This was in part because stakeholders have been ahead of legislators in their grasp of the issues and the choices required for a bill. Now, these proposals demonstrate that legislators are catching up and are engaged in a process of classic legislating that is rare in these times.
Although there are key differences, the two bills also have important similarities. Both adopt the same general framework: a set of individual rights combined with boundaries on how businesses collect, use, and share information, all of which would be enforced through the Federal Trade Commission. The individual rights include access, correction, deletion, and portability for personal information, along with rights to give “affirmative express consent” before the collection and processing of “sensitive” categories of information and to opt out of the sale or transfer of personal data. Business obligations include data minimization, use limitations, data security, and the responsibility to bind other companies that receive personal information to the same obligations. These rights and obligations incorporate concepts from the California Consumer Privacy Act (CCPA) and European Union GDPR, which provide benchmarks for federal enactment. In addition, both bills expand FTC enforcement authority, with state attorney general enforcement authority as force multipliers, and give the agency power to interpret specific provisions by adopting rules and expanded legal authority.
The areas of convergence and difference are consistent with a matrix I use to conceptualize the state of the privacy debate. In turn, this matrix provides a useful lens to look at the Cantwell bill and Wicker staff draft. It categorizes issues in four buckets based on the degree of consensus and the substantive and political complexity of resolving open issues. Grouping the Senate Commerce Committee proposals this way helps highlight key differences and common areas between them.
The easiest bucket, termed “implementation issues,” is comprised of provisions on which there is a high level of agreement among stakeholders, and where remaining issues to be resolved are mostly technical details. These include data access, correction, deletion, and portability, as well as notice and transparency—all issues on which the Cantwell and Wicker proposals substantially agree, with minor differences that should not be difficult to resolve.
The next bucket, “solvable issues,” shows significant agreement at higher levels of generality, but more at stake in how remaining differences are resolved. These include the scope of data and entities covered, federal and state enforcement authority, measures for organizational accountability, and data security. Both Senate Commerce proposals show significant progress toward solving the solvable issues. Both define “covered data” as data “linked or reasonably linkable” to an individual or device and provide for de-identification of data. Both take similar approaches to FTC enforcement and rulemaking and have substantively similar provisions on data security. Both require appointment of privacy and security officers to carry out defined programs. Both seek to carve out small business exceptions, although in quite different ways (and the Cantwell bill covers only entities subject to the jurisdiction of the FTC). The bills deviate when it comes to spelling out privacy harm: the Cantwell bill defines a “harmful data practice” as one with the potential to cause physical, monetary, reputational, or otherwise substantial injuries, while Wicker’s discussion draft does not explicitly address a definition. Cantwell’s bill also makes clear that any violation of the statute or regulations the FTC adopts constitutes a concrete “injury in fact.”
Then, there are the “complex issues,” which include limits on data processing, algorithmic transparency, and algorithmic discrimination. These have significant impact both on the scope of protection of individuals and obligations of businesses, and implicate politically-charged social issues as well as existing business models. On data processing, Senate drafters again have a lot in common, with similar provisions limiting collection, use, and retention of data to what is “reasonably necessary, proportionate, and limited” based on defined purposes — except that the Wicker draft expands these purposes to include product improvement and (interestingly) “what is reasonably anticipated within the context of the covered entity’s ongoing relationship with an individual.” Both proposals also require companies to ensure that providers and other third parties that receive personal information from them comply with these limitations, and enable individuals to opt out of sharing non-sensitive data with third parties.
Similarly, both bills require express consent for processing of personal data defined as “sensitive,” with the Cantwell bill proposing a significantly broader definition of sensitive covered data. It includes “information revealing online activities over time and across third-party website or online services,” as well as “metadata,” email addresses, and telephone numbers, which encompasses a significant part of current ecosystems of information used for advertising and marketing and could limit contextual as well as behavioral advertising.
The differences are greater with regard to algorithmic decisionmaking, and especially algorithmic discrimination. The Cantwell bill contains a detailed provision on annual corporate assessments of data, design and outcomes, while the Wicker draft only provides for privacy impact assessments by companies that qualify as “large data holders.” The Cantwell bill explicitly prohibits processing of personal information in ways that discriminate in housing, employment, credit, education, or availability of public accommodations, and it expands the scope of protected classes beyond current anti-discrimination statutes. In contrast, the Wicker bill empowers the FTC to refer cases of potential discrimination in violation of federal law to appropriate federal and state agencies and cooperate with these agencies. Both bills would require the FTC to conduct studies of algorithmic discrimination and report the results.
The final bucket contains the “endgame issues” of preemption and private rights of action, which I have argued are too politically charged to resolve without a clear picture of the substance of privacy protection in a bill. Not surprisingly, this is where there are the widest gaps between proposals.
The Wicker bill contains a sweeping provision to preempt any state law “related to the data privacy or security and associated covered entities.” The Cantwell bill is somewhat nearer the middle; it includes preemption of “directly conflicting state laws,” but leaves wide exposure to state laws with a proviso that this does not override laws with “a greater level of protection.” It also ensures state consumer protection, tort, contract, civil rights, and other laws are not affected.
The gap is at least as wide when it comes to private rights of action. The Wicker bill has none, the Cantwell bill allows individual suits for damages and injunctive relief.
It may be that these divergent positions are markers for negotiating remaining differences in other areas or that these are issues that can be resolved only with a committee markup or a floor vote. To reach agreement on a bill, though, it will take some compromise on preemption and private of rights of action. The desire of many businesses for a consistent national standard is understandable, and a single law can benefit consumers if the standard provides strong protection and simplifies the exercise of rights. But a national standard does not require effacing a body of state privacy laws that go back to Samuel Warren and Louis Brandeis’s 1890 Harvard Law Review article, The Right to Privacy. There is a path to a preemption provision that balances these interests.
A path to resolve the private right of action question is harder to find because it is such anathema to congressional Republicans and many businesses. Nonetheless, it has acquired legs as an additional enforcement tool (as it is presented in the Cantwell bill), and some businesses are considering what remedies they might be able to live with if meaningful preemption is on the table.
In sum, the Wicker draft would allow wider latitude for existing data practices of many businesses, while the Cantwell bill is generally more detailed in requirements and broader in application. Nevertheless, there are also some areas where the Wicker draft is more protective of consumers, such as in the scope of exceptions for small businesses, and both proposals would raise individual privacy protection beyond existing federal law and even the CCPA. I anticipate putting out more detailed analysis and commentary soon.
The five witnesses for the December 4 hearing all support comprehensive federal privacy legislation, which provides a good indication of where Chairman Wicker wants to go. The release of a proposal by Privacy for America, a coalition led by advertising and marketing groups but joined by other businesses, provides a further endorsement of the Senate Commerce legislation with a proposal of their own that contains many elements in common with both the Wicker and Cantwell drafts.
Between now and the end of the current legislative session, Congress faces what Politico Playbook calls a worse “legislative nightmare” than ever and the Senate is likely to spend the early part of the next session in an impeachment trial. But outside the hot glare of these confrontations, Senate Commerce Committee members, staffers, and stakeholders can continue the work of shaping privacy legislation that can command broad support. You don’t have to be a ridiculous optimist to expect that behind-the-scenes work will continue, and to hope that it can yield a bipartisan proposal capable of passage in 2020.