On March 2, 2020, Reed Smith and the International Association of Privacy Professionals (IAPP) presented a panel discussion on 2020 privacy laws and trends featuring Attorney General Christopher Carr of Georgia; Linda Holleran Kopp of the Bureau of Consumer Protection, Division of Privacy and Identity Protection of the Federal Trade Commission (FTC); and Oriana Senatore, Senior Vice President of Policy & Research at the U.S. Chamber Institute for Legal Reform (ILR).

A clear theme from the discussion was that federal legislation is the best path for privacy reform in the United States. The current “patchwork quilt” of federal and state data privacy laws and enforcement by the FTC (and other agencies) as well as by states – now complicated exponentially by enforcement actions by cities and counties and the presence of private rights of action increasingly proposed for state privacy legislation – is not the way to best balance privacy consumer protection and business compliance. Indeed, the evolving privacy landscape is now approaching a “crazy quilt patchwork.”Key elements of the discussion included:

The role of the FTC as a privacy enforcer. The panelists agreed on the importance of the FTC as the country’s key privacy enforcer. Senatore, in particular, emphasized that the business community supports the FTC’s role in privacy enforcement, also noting that the Commission’s important work on privacy warrants enhanced enforcement powers in federal legislation as well as adequate appropriations for their work. Of note, the US Chamber’s model US privacy legislation specifically preempts state law. Attorney General Carr similarly acknowledged the key role of federal agencies in privacy enforcement and security, which are essential to the duties of the states to protect their consumers. Currently, state attorneys general (AGs) and the FTC jointly enforce important federal privacy laws and also work together under their respective unfair and deceptive acts and practices laws. Kopp agreed and emphasized the FTC’s strong support for federal legislation that would enhance its ability to engage in rulemaking, impose penalties, and pursue common carriers and nonprofits. She also emphasized that, pending federal legislation, the Commission has been taking action to curb privacy violations and abuses via enhancing the terms of its orders, which will include more specific data security safeguards, strengthen third-party assessor accountability, and elevate data security to the c-suite and board level. (See New and improved FTC data security orders: Better guidance for companies, better protection for consumers.)

Trial bar activity: private rights of action and contingency fee contracts with states. There also was significant discussion regarding the role of the plaintiffs’ bar as an enforcer of privacy laws. Discussing ILR’s recent white paper, “Ill-Suited: Private Rights of Action and Privacy Claims,” Senatore explained how giving enforcement power to experienced agencies and impartial government enforcers is a better way to address privacy concerns than via private rights of action, which predominantly benefit the financially motivated trial bar. Senatore also sounded the alarm about a separate but related concept to private rights of action – attempts by the plaintiffs’ bar to get contracts with states to act as if they were state AGs to pursue litigation with recoveries on a contingency fee basis. Both Senatore and General Carr, who acknowledged being pitched by the trial bar to bring privacy cases on behalf of Georgia in this way, agreed that the public’s interest was not served by allowing plaintiff’s lawyers to set national privacy policy. Of note, some federal privacy laws, such as the Telephone Consumer Protection Act (TCPA) and the Fair Credit Reporting Act (FCRA) are enforceable by federal agencies as well as by plaintiffs under a private right of action. ILR’s position is that these laws have been subject to a significant amount of abuse.

City and county litigation: Another hot discussion point addressed the trend of cities and counties initiating privacy investigations or litigation, often at the prompting of plaintiffs’ lawyers hired on a contingency fee basis. Although the trial bar may claim these litigations have significant upside, these suits have significant negative consequences. The panelists discussed those problems, with General Carr and Senatore particularly noting that these actions undermine the authority of state AGs while also roadblocking global settlements of complex litigation, depriving businesses (and others) of the predictability and finality present in more typical investigations or litigations brought by the states, the FTC, or both. Attorney General Carr also raised the serious question of whether municipalities are acting legally when they usurp the power of state AGs.

In closing, Attorney General Carr noted that the public is paying more attention to data privacy – which is likely to intensify as our lives are increasingly online. Regulators and businesses alike would benefit from further clarity in the field, ideally in the form of a federal privacy law with clear privacy rules and stronger FTC enforcement powers. Until that time, however, businesses should work to comply with the current “patchwork” of privacy laws and be prepared for potential enforcement actions, as privacy is clearly a growing focus for state and federal regulators.