Lawmakers and industry groups want to pass a federal data privacy law this year, but progress on the measure has slowed. It’s now unclear whether legislation resembling California’s tough requirements on the tech industry can clear hurdles in Congress and be signed into law before the end of the year.
Small bipartisan groups of lawmakers in both chambers are working on draft legislation that was supposed to have been unveiled in May but has been delayed and is now expected to be released sometime before the August congressional recess.
The key challenges confronting lawmakers are crafting a law that would not only set a federal standard on how tech companies must safeguard consumers’ data but also provide enough remedies for consumers, and winning the backing of a plurality of lawmakers in both chambers for such a bill.
In interviews last week, key lawmakers declined to say if they were close to completion or even specify a timeline for the legislation. But privately some congressional aides, industry sources and lobbyists said there isn’t a consensus yet on what a federal bill should look like. They worry Congress will run out of time before California’s Consumer Privacy Act kicks in Jan. 1.
“All I can tell you is we’ve got to do one, but I don’t have anything to say” beyond that, Rep. Frank Pallone Jr., chairman of the House Energy and Commerce committee, told CQ Roll Call. “We are trying to do a comprehensive bill, but that’s all I can say.”
Pressed on whether he’s hopeful a bill will pass Congress before the end of the year, the New Jersey Democrat, whose committee oversees data privacy issues, chuckled and said, “I don’t have anything on timing.”
Pallone and Rep. Jan Schakowsky, an Illinois Democrat who chairs the subcommittee on Consumer Protection and Commerce, are working on the House version of the bill and held one hearing in May on the topic.
House Minority Leader Kevin McCarthy is backing federal data privacy legislation, The Wall Street Journal reported last week. McCarthy told the paper that state-by-state laws would disrupt growth and innovation in the industry, but he didn’t offer any details on his proposal.
In the Senate, a group of lawmakers is working on the bill, including Mississippi Republican Roger Wicker, chairman of the Senate Commerce Committee; Maria Cantwell of Washington, the committee’s top Democrat; and other committee members such as Connecticut Democrat Richard Blumenthal, Kansas Republican Jerry Moran, South Dakota Republican John Thune and Hawaii Democrat Brian Schatz.
Wicker said he “was pleased with the progress we are making” but declined to say when the bill would be ready. “There has been no timetable.”
Cantwell’s aide declined to comment on the progress, saying the senator was abiding by Wicker’s request that the bill not be negotiated through the media.
The bipartisan group effort is a “way to focus our minds to get to a bill,” Schatz said. But when asked if he was hopeful a bill would pass Congress before Jan. 1, he said, “I don’t know what happens.”
Schatz is pushing for the idea of holding tech companies responsible in a fiduciary capacity for users’ data, a notion that he has said “freaks people out.” Fiduciary responsibility would call for a higher level of trust between tech companies that gather data and users who supply it, typical of a doctor-patient relationship.
Sen. Edward J. Markey, who also serves on the Senate Commerce Committee, said the group of lawmakers was “working hard” to craft a bill and “I’m hopeful, but there’s no guarantee” that an acceptable bill would emerge from the effort. The Massachusetts Democrat said he couldn’t answer whether the bill would become law before the end of the year.
Markey is championing a bill that would offer privacy protections for children under 16 years old.
Avoiding a patchwork of state laws
Technology companies are pressing Congress to pass a federal bill that would preempt state laws because they fear other states will copy California and the industry would be left with a patchwork of legislation to follow. Dozens of states have data privacy bills in various stages of consideration in their legislatures.
The California privacy bill defines personal information broadly to include biometric data such as facial recognition; allows consumers to opt out of the sale of their information while giving them the right to know, access and delete what the companies know about them; imposes penalties for violations; and grants consumers a right to sue if their data is lost due to negligence.
“We would love for a bill to get done this year,” Craig Albright, vice president of legislative strategy at The Software Alliance, said in an email. “That’s up to Congress, of course, but we are optimistic that both the Senate and House committee chairmen will be able to forge consensus this year on strong, comprehensive privacy protections.”
The Software Alliance represents top tech companies like Apple, Microsoft, Salesforce and IBM.
“Passing federal privacy legislation remains a top priority for the internet industry,” Michael Bloom, senior vice president for government affairs at the Internet Association, said in an email. “Crafting any comprehensive, economy-wide legislation takes time and input from a broad array of stakeholders.”
The group represents Amazon, Airbnb, Facebook, Twitter, Uber and others.
But key lawmakers, consumer advocacy groups and privacy activists have said they would not back a federal bill that preempts or attempts to weaken the California law.
California Democratic Sen. Dianne Feinstein has said she would not favor a federal bill that weakens the California statute.
At a hearing last month, Neema Singh Guliani, senior legislative counsel for the American Civil Liberties Union, told the Senate Commerce Committee the group is opposed to federal law superseding state legislation.
“If Congress uses federal privacy legislation as an opportunity to broadly preempt state laws, it will cause more harm than good,” Guliani said. “As an organization with affiliates in every state, the ACLU has been at the forefront of many efforts to pass strong state privacy laws. We know firsthand that in many cases, it has been states, not Congress, that have led efforts to protect consumers.”
Should consumers be able to sue?
The toughest challenge for Congress would be matching the California law’s provision that allows consumers the private right of action to sue tech companies for data breaches that stem from negligence, said Alastair Mactaggart, board chair at the nonprofit Californians for Consumer Privacy and one of the main proponents of the California privacy legislation.
“There’s zero chance of getting that through Congress,” Mactaggart said of the private right of action provision. “That’s one of the key tenets of the California law, and it’s a huge issue and we fought hard for that.”
Tech companies can avoid such legal exposure by encrypting consumer data they store, Mactaggart said. “If you encrypt the data, there’s no liability, but if you keep it in plain text, you’ve got a problem on your hands” if the data is stolen or hacked into.
Mactaggart said while tech companies were pressing Congress to pass a federal law, many of them also were attempting to weaken the California law before it goes into effect.
As many as 40 different bills were introduced in the state legislature, seeking exceptions for various industries, Mactaggart said. He cited the example of a proposal that would have allowed automakers to collect and sell consumer data by claiming that such an exception was required to conduct safety recalls.
If Congress aims to pass a nationwide law that would supersede state laws, it would have to match the Golden State’s data privacy protections, Mactaggart said.
Nearly “20 percent of the House Democratic caucus is from California,” Mactaggart said. “It’s very hard for me to see how that group supports legislation that is weaker than California’s.”