After 20 years of debate, it’s time for Congress to finally pass a baseline privacy law

Way back in May 2000, the Federal Trade Commission (FTC) called on Congress to pass a federal law protecting the basic privacy rights of all Americans. It would be the first of many such recommendations made by the agency, and it echoed similar, even more fervent, pleas for action from the leading privacy groups at the time. Congress failed to act in 2000, and still, over twenty years later, despite exhaustive debate and many dozens of bills and hearings, has failed to pass a comprehensive federal law protecting our data privacy and security.

As a longtime FTC attorney and official, I played a central role in these developments. In 2000, as manager of the FTC’s then-fledgling privacy program, I led the agency’s efforts to draft the report and testimony to Congress recommending the legislation. As I advanced in my career, I testified at hearings, read and commented on bills, and continued to champion legislation, only to be disappointed again and again as Congressional sessions came and went without passage of a federal privacy law.

There were good reasons to pass federal privacy legislation in 2000, and there are even more compelling reasons to do so today. Although Congress has many important issues to confront in the coming year, finally passing a federal privacy law should be one of them.

The FTC made its recommendation just a few years after the internet became an everyday medium, four years before Facebook was created, and seven years before the iPhone would be introduced. Bill Clinton was in his last year as president, and we had just survived the non-catastrophe that was Y2K. Nevertheless, multiple FTC surveys had already shown that, despite collecting vast amounts of personal information from consumers, very few companies disclosed anything about how they collected and used this data, and even fewer pledged to provide even the most basic protections for it. The need for legislation was clear, even before we had mobile devices, social networks, apps, and detailed tracking of our every movement and location.

Based on this record, the FTC proposed that each online company be required to implement for consumers four widely accepted privacy principles:

1. Clear and conspicuous notice of its data practices, including what data it collects, how it uses the data, and whether other entities are collecting data through its website;
2. Choice as to how consumer data is used beyond the use for the data was provided;
3. The ability for consumers to review, correct, and/or delete their data; and
4. Reasonable security measures to protect the data from unauthorized access.

The recommended law also would have included rulemaking, so that the law could evolve with technology, and civil penalties for violations.

If these principles sound familiar, it’s because Congress has continued to debate them in hearing after hearing, often with the same repeat witnesses, since the FTC first issued its recommendation (The title of a recent Senate Commerce Committee hearing—“Revisiting the Need for Federal Data Privacy Legislation”—underscored this point, though probably inadvertently). During this time, the United States—once a leader on privacy due to its passage in the 1970s of the Privacy Act and certain sector-specific privacy laws—relinquished its leadership to Europe and California, both of which have passed robust privacy laws (GDPR and CCPA) protecting their citizens and setting examples for other jurisdictions. While Europe and California deserve enormous credit, an issue as important and borderless as baseline privacy deserves U.S. leadership at a national level.

Of course, the FTC’s proposed framework would only have been a starting point for U.S. privacy, and would have needed to change over time. For example, we have learned from experience, and as commerce has developed, that overreliance on “notice-and-choice” to protect privacy places an enormous and impossible burden on consumers to read the privacy policies of hundreds, even thousands, of companies that collect their data, and then make privacy choices for each of them. Placing this burden on consumers is particularly absurd when you consider that many of these companies (data brokers, ad networks, etc.) operate behind the scenes, completely invisible to consumers. This is why recent legislative proposals have included more substantive provisions that would protect consumers regardless of notice-and-choice—for example, a ban on clearly harmful uses of data, such as racial and gender discrimination; a “duty of loyalty” companies would owe to consumers; and strict limits on the purposes for which data could be collected, used, or shared with third parties.

Nevertheless, the world would be very different if Congress had passed such a law in 2000. Despite its shortcomings for the current marketplace, it would have established a basic level of accountability for personal data that is totally lacking today. Consumers and businesses would know the rules, and the FTC could enforce them with appropriate penalties for deterrence. Such a law would also have provided the basis for subsequent amendments (whether by Congress or through FTC rulemaking) to address developments and lessons learned, including the many new business models and technologies that have emerged over the years, the need to advance beyond “notice and choice” as the primary means to protect privacy, and the relationship between consumer data and market power.

Instead, the intervening years have brought us massive data breaches, virtually unlimited data collection online and in our public spaces, huge platforms that know everything about us and dominate the marketplace, and algorithmic predictions that create risk of bias and loss of opportunity. Consumers feel unprotected, and businesses are confused about their obligations. The FTC, despite years of effort to protect privacy using the general-purpose Federal Trade Commission Act passed in 1914, lacks sufficient authority and resources to hold companies fully accountable. And this year, we faced a deadly pandemic without clear privacy rules to guide us, adding to consumer distrust of efforts to track and control the disease through contact tracing.

The damage wrought by the pandemic—to our health, our lives, and our livelihoods—should be our first priority until we get it under control. But then Congress should turn again to privacy with renewed commitment to find common ground and pass a federal privacy law. Notably, last year’s leading bills (from Senators Wicker and Cantwell) both show a strong commitment to privacy and share many elements in common. As a result, Congress is now in a strong position to finally tackle and resolve the most difficult issues always left for “later”– including whether to preempt state privacy laws and permit private rights of action. Compromise and creativity will be essential, with the understanding that the final law must affirm baseline privacy as a core U.S. value, and provide the strong consumer protections and corporate accountability that are missing in the marketplace today.  After over twenty years, it’s time.