On Data Privacy, Look to the States
As data breaches dominate news cycle after news cycle – at a seemingly exponential rate – have federal policymakers started to pay attention to the issue?
The answer is yes. But before your faith in the American democratic experiment is restored, don’t bet on passage of a federal data privacy standard any time soon, even if we do see some movement on legislation in Congress this fall and in early 2020. A federal data privacy standard is a pipe dream in the current political environment despite significant interest in enacting one on both sides of the political aisle.
Washington has been moving slowly on this issue for some time. In late July 2018, the Trump administration announced the U.S. Department of Commerce would work with some of the nation’s largest media and technology companies – Comcast, Facebook and Google’s parent company, Alphabet – to develop consumer data privacy policies. Two months later, the Commerce Department released a request for comment on new data privacy regulations, but there has been very little perceived progress on these rules in the last 11 months.
The administration’s efforts came on the heels of significant activity in Europe and in statehouses across the home front. Europe’s General Data Protection Regulation (GDPR), agreed to in early 2016, took effect in May 2018. California’s Consumer Privacy Act of 2018 was signed into law last June (and will go into effect next year) and, the same month, Vermont enacted a law requiring data brokers to ask consumers if they want to opt out of collection.
This momentum has not carried over into 2019, at least at the federal level. (As we will see, the record in state legislatures is mixed.)
Earlier this year, U.S. Senate Banking Committee Chair Mike Crapo (R-Idaho) said he would “further explore legislative solutions” that would give consumers more control over their financial data. But while his panel has asked stakeholders for feedback, has held hearings on the matter and might even pass a bill this fall, that measure is likely to encounter difficulty passing the full Senate. On the other side of the Capitol, House Speaker Nancy Pelosi (D-Calif.) and her allies have been honing in their own version of a data privacy bill in recent months. In the majority-rules House, Speaker Pelosi might be able to get legislation through the Democratic House – but it would be met with opposition in the GOP-led Senate.
State action has been somewhat more robust, but many have delayed their efforts to pass legislation – perhaps because they want to wait to see what federal lawmakers will do.
According to the National Conference of State Legislators, data privacy legislation or bill drafts have been introduced or filed in at least half of the states and in Puerto Rico. But only a few measures have survived all the way to a governor’s desk.
Maine and Nevada have enacted significant data privacy legislation this year. On June 6, Gov. Janet Mills (D-Maine) signed legislation that requires internet service providers to obtain permission from consumers before selling or sharing their data with a third party. The law went into effect July 1.
After Nevada’s legislature passed a bill earlier this summer, businesses operating in the state will have to offer consumers a right to opt-out of the sale of their personal information no later than October 1 of this year. As Digital Dealer explains, lawmakers in Colorado and Massachusetts also passed strict laws that take elements from California’s regulation. And proponents of data privacy legislation are still active in New York. The Empire State’s legislation is “even broader than” California’s since it would expand private right of action to additional violations, including the failure to act on a customer’s request to delete information – what GDPR in Europe refers to as “the right to be forgotten.”
Lawmakers in several other states, however, have let legislation languish.
That list includes Arizona, where three bills failed due to inaction. One piece of legislation would have required any commercial website that collects personal information from more than 500 users to establish a secure personal information portal allowing consumers to access their own information and correct any errors.
Lawmakers in Mississippi introduced the Consumer Privacy Act this year, but that legislation, which mirrored California’s, died in committee. Washington’s statehouse also rejected a bill modeled after California’s. Rhode Island is still studying legislation that mirrors the Golden State’s and New Mexico has postponed a bill “indefinitely.”
Montana did not even get past the drafting process on legislation that would have restricted companies from selling data without consumers’ express consent. The Utah legislature failed to consider a bill that would have kept internet service providers from using, disclosing, selling or permitting access to a customer’s personal information except under certain circumstances. Lawmakers in Connecticut also failed to consider several data privacy bills, including one that would have kept social media websites from accessing consumers’ personal contacts.
The Connecticut state legislature did pass legislation to establish a task force to examine what businesses operating in the state should have to tell consumers about the data they collect.
This trend – studying the issue – is evident in several states. (While such “study bills” can sometimes be viewed as bureaucratic inertia against more meaningful legislation, legislative study mandates are quite often precursors to more impactful statutory changes.)
Hawaii’s state legislature voted to convene a task force to examine existing data privacy laws and regulations. Louisiana created a panel to “study the effects of the sale of consumer personal information by an internet access service provider, social media company, or search engine.” North Dakota lawmakers approved a bill that would allow for a legislative management study of consumer personal data disclosures and the Texas legislature created a Privacy Protection Advisory Council, which will study the state’s online
privacy laws in the hopes the legislature will act in 2021.
With data breaches now a part of the daily news cycle, lawmakers at both the state and federal levels will continue to feel pressure to act. Just this week, news surfaced across the pond that biometric data from more than one million users was exposed in a breach of Suprema’s Biostar 2 security platform. Epic Games, creator of the massively popular Fortnite, faces a class action lawsuit emanating from a November 2018 data breach and, as Forbes contributor Steve Andriole noted this week, the global annual cost of data breaches is expected to reach $2.1 trillion next year.
Given the persistent bad news, why haven’t federal and state policymakers worked more quickly? The answer is as old as the United States itself: the tension between state and federal power.
In the current context, it is Republicans, typically strident defenders of states’ rights, who want a national system. Earlier this year, U.S. House Energy and Commerce Committee Ranking Member Greg Walden (R-Ore.) said, “Your privacy and security should not change depending on where you live in the United States … One state should not set the standards for the rest of the country.” That statement is a significant departure from the GOP’s usual defense of state autonomy.
Fearing federal legislation that might be weaker than statutes some states enact, Democrats want to preserve states’ rights to create their own system. Drew Hammill, a spokesperson for Speaker Pelosi argued, “States have been at the vanguard of protecting Americans … All Americans have benefited from state privacy and data breach laws, so their role as policy innovator and law enforcer must be respected.”
Earlier this year, House Energy and Commerce Committee Chair Frank Pallone (D-N.J.) observed, “Consumer privacy isn’t new to this committee … We’ve been talking about it for years, yet nothing has been done to address the problem.”
Given the ideological arguments at the heart of this issue, federal action on this matter could still be years away. If you’re looking for progress in the next twelve to twenty-four months, best to look to the state capitals.