Will federal privacy law soon be replacing state-level privacy acts?
As countries everywhere start implementing laws and regulations regarding the privacy of consumer data, there have been many questions about whether the United States would enact one as well.
Many states already have their own privacy legislation, including the CCPA in California, the CPA in Colorado, and the CDPA in Virginia. These data protection laws enhance the privacy of the residents of those states, but what about the U.S. as a whole?
There is a potential federal privacy act underway – let’s dive into the details of what that consists of.
The History of (Federal) Privacy Laws in the U.S.
Even though the U.S. does not have a federal data protection law in place, several states have already enacted regulations. Some states were spurred to action by the GDPR, which provides broad protections for citizens and their private data.
For example, the California Consumer Privacy Act was passed in 2018. The state enhanced these data protections further with the California Privacy Rights Act, or Proposition 24, in 2020. While these laws are not as comprehensive as the GDPR that governs the EU, they are the strictest in the country.
Once California started the trend, other states followed suit. Places like Colorado, Virginia, and North Carolina have taken it upon themselves to protect the privacy of their residents. It only makes sense that a federal privacy act will eventually emerge to eliminate a mixture of disparate state laws!
Implementing a federal data protection law would allow businesses to grasp compliance requirements while also helping consumers get a clear understanding of their rights.
These are the first laws relating specifically to data collection and tools like cookies, but there are many regulations already in place that protect the privacy of U.S. citizens. The most notable is the Health Insurance Portability and Accountability Act of 1996 – HIPAA – which protects your medical and health-related data.
To date, there is still no federal privacy act that outlines how organizations can store, collect, process, or use personally identifiable information.
The Information Transparency & Personal Data Control Act | Federal Privacy Law
The Information Transparency & Personal Data Control Act is currently under review before Congress. It was introduced by Rep. Suzan DelBene (D-WA) to create a framework for a national privacy law that would replace the current patchwork of state-driven regulations.
So, what does the bill actually dictate?
The proposed law would require companies to develop consumer privacy policies that are written in plain language. Similarly, it would give users an easy way to opt in to or opt out of data collection or trackers like cookies. The idea here is to ensure that the average person understands what they are agreeing to, what data will be collected, and how the organization intends to use that information.
Companies that collect data must also consider security, as they will be required to keep the sensitive information that they process secured. Per the bill, this responsibility cannot be passed on to a third party.
The proposed bill would also give the Federal Trade Commission the authority to draft rules and adjust the law to stay relevant to privacy needs.
Challenges Ahead – Federal Privacy Law
Although it seems promising that the discussion for a federal data protection law is underway, there are still many challenges ahead for this bill to be passed.
For starters, there are many polarizing aspects of the law – government officials will have dissimilar views, and resolving these differences of opinion will require lengthy discussions. Here are some of the questions that will need to be addressed:
- Will consumers have a private right of action if a regulated organization misuses their data?
- What happens when there is a data breach that results in unauthorized access to personal information?
- How will this new act affect existing data protection laws in the U.S.?
- What will be the minimum standard for compliance, and how will that be enforced?
As the bill currently stands, individuals would not have a right to bring a private action if their data is misused. Likewise, it pre-empts state privacy laws, which means the specifics in this bill would apply before those detailed in state-specific laws.
States like California and North Carolina already have extensive privacy laws in place, but these broader laws will likely be applied at a secondary level.
The current act does not pre-empt state laws regarding biometrics, wiretapping, or data breaches, though. In these situations, the law that governs that specific state would take priority.
When it comes to enforcement, the bill dictates that the Federal Trade Commission (FTC) would oversee it. The FTC would have some rulemaking authority, but whether it would have the right tools and resources to do so is a concern.
The bill has a budget of $350,000 and dictates that the FTC would need to hire 500 new employees. Of this new staff, at least 50 of them would need to have expertise in technology to ensure the appropriate enforcement of the act.
However, it is even possible that Congress could decide to create a brand-new agency to oversee and enforce the federal privacy law. Again, doing this could be very controversial, so this is another challenge that the U.S. must overcome to enact the bill.
Congress would have already addressed this bill, but the global COVID-19 pandemic delayed them. As such, it will likely become a priority over the next few months.
What’s important here is that even if the bill does not get passed, it will start a crucial discussion that could lead to new legislation in the future. Eventually, this could lead to a uniform privacy law in the United States that somewhat mirrors what we are seeing in the EU with the GDPR and in other countries.