The International Association of Privacy Professionals Global Privacy Summit (“GPS”) occurred at the beginning of this month in Washington, D.C., giving more than 4,000 privacy professionals the chance to meet, reconnect, discuss developing issues, and learn from leaders in data privacy and security. Much of the conversation centered around the General Data Protection Regulation ("GDPR"), now approaching one year since its effective date.
However, domestic issues relating to state and federal data privacy rule-making and enforcement took center stage in many sessions and conversations throughout the week. Below, we review a few of the common questions and themes.
1. When will the U.S. pass a federal data privacy law?
GPS sessions focusing on a potential federal data privacy law generally agreed that it will eventually happen. Lawmakers and others who are part of the legislative process frequently described the current political climate and timing as “right,” but stopped short of predicting that Congress will pass something this year.
Early discussions indicate that there are several points of agreement in the debate. For example, there appears to be general agreement around requiring more meaningful notice and consent opportunities for consumers. Additionally, a federal data privacy law is likely to provide the Federal Trade Commission ("FTC") with additional enforcement authority in the consumer protection area, and possibly regulatory rule-making authority. Lawmakers are less in agreement over just how prescriptive the act should be, particularly as it relates to data security and breach response standards. Some lawmakers have called for personal accountability of C-suite and similarly situated employees.
Lawmakers disagree most strongly over whether the new rule should provide a private right of action to consumers or preempt state efforts to legislate data privacy, such as the California Consumer Privacy Act. Notably, FTC Chairman Simons believes that preemption is increasingly likely as states continue to contribute to the already complicated patchwork of state and federal data privacy rules and regulations. Some lawmakers have indicated a willingness to give state attorneys general enforcement authority in exchange for preemption. Many conversations seemed to favor FTC and state attorney general enforcement at the expense of a private right of action, but this debate is far from resolved.
2. How might the FTC’s role in data privacy enforcement evolve?
There was no shortage of FTC-focused perspective at the GPS, with multiple current and former FTC commissioners weighing in to provide the following diverse opinions.
- Some argued that the FTC is significantly understaffed at around 40 people, compared to the UK’s more than 200, and Ireland’s roughly 140. But FTC Chairman Simons cautioned that this might be an apples and oranges comparison because the FTC’s European counterparts are now one year into enforcing the world’s most involved data protection scheme in GDPR.
- Some argued that the FTC should be given “first-fining” authority. In general, the FTC cannot impose a fine or other penalty as a first action; instead it must either settle with the company or file a lawsuit. Many believe that new federal privacy legislation should give the FTC the ability to impose penalties of its own volition.
- Some argued that the FTC should have expanded rulemaking authority. Currently, the FTC’s ability to issue rules is extremely limited, but a new federal data privacy rule could allow the FTC to issue regulations within the scope of the new rule. Although some argued that rulemaking authority would help the rule remain agile, others argued that the new law should be focused and only provide limited authority, if any, to create additional rules.
- Multiple sessions touched on the possibility that the FTC might increasingly view data privacy issues from an antitrust perspective. Although this is an emerging issue, companies should closely monitor ongoing news regarding antitrust and data privacy because the FTC appears receptive to it.
3. How do the California Consumer Privacy Act and other states' rule-making play into this discussion?
Companies and lawmakers are beginning to feel the weight of the California Consumer Privacy Act (“CCPA”), passed in 2018. Lawmakers are finding that CCPA has framed many of the debates surrounding a potential federal rule. If the federal rule does not preempt CCPA, it is likely that the federal rule will be stronger than CCPA, or else companies doing business in California will likely look to the CCPA as the strongest domestic data privacy rule.
Although it might seem like there is momentum toward a single unifying data privacy law in the U.S., many policy experts are predicting that the legal landscape will actually become more complicated in the coming months. Although bills similar to CCPA in seven states have failed to pass, scaled-back versions with similar provisions are pending in Illinois, New Jersey, and Nevada; Rhode Island, New York, and Massachusetts could be next to consider their own acts. If federal privacy legislation fails to pass while states continue to actively legislate in this area, the already complicated patchwork of U.S. privacy rules could become even more difficult to follow.