Since the enactment of GDPR (the General Data Protection Regulation) in the European Union, more U.S. states have been passing consumer privacy laws, prompting both privacy advocates and business groups to put pressure on Congress to pass a federal regulation in this arena. Companies like Google, Microsoft, and Apple that have traditionally been opposed to federal privacy law are now throwing their support behind the establishment of uniform privacy rules. Some of the companies are offering their own proposed frameworks, in order to avoid having different compliance standards when conducting business transactions in multiple jurisdictions (i.e., GDPR in the EU versus California Consumer Privacy Act in California).
Last week, key U.S. Senate and House of Representative committees held separate hearings to explore prospects for national privacy legislation. While congressional lawmakers are largely in agreement about the need for federal privacy legislation, they have failed to agree on the details, including to what extent a federal framework should preempt state privacy laws such as the California Consumer Privacy Act that is slated to take effect in January 2020. Business groups present at the House subcommittee hearing continued to push senators towards a single national privacy framework, with witnesses and committee chairman Roger Wicker, pointing out the proposed California law will block local municipal officials within the state from enacting stronger protections and that the EU’s groundbreaking GDPR replaced a patchwork of member state privacy laws with a uniform EU-wide standard. Former Federal Trade Commission (FTC) head Jon Leibowitz argued that "a cacophony, or a crazy quilt patchwork, of 50 states laws" will only "make consumers numb," and echoed Wicker's sentiment that a single national framework doesn't necessarily mean a weaker framework than those already on the books.
Woodrow Hartzog, a professor of law and computer science at Northeastern University School of Law offered the lone dissenting voice on the panel, stating that he didn’t think preemption was necessary and that it could end up being harmful in the long run.
The participants in the hearing had an easier time agreeing on enforcement than preemption. The group agreed that there is a need to give federal regulators more power to crack down on alleged data misuse and privacy violations, and that the regulator should be the FTC, which currently lacks authority to create rules or impose fines for first-time violations of prohibitions against unfair and deceptive trade practices. The group generally agreed that creating a clear, bright line for enforcement, even for a first initial violation, would be effective to change internal culture within companies.
There are still plenty of issues that need to be resolved after last week’s hearings. There is no agreement on how much power states will hold. Also, while there is some agreement that the FTC should be able to go after companies who break the agreed-upon rules, there is still an issue of whether a proposed federal privacy framework will allow for individual remedies. Finally, there is much debate surrounding the issue of any proposal’s definition of personally identifiable information and the data subjects involved, as this will play a significant role in determining how broad sweeping federal regulation will become.