The Move Toward Federal Data Privacy and Breach Protection Laws
The US still lacks federal legislation comparable to the EU’s General Data Protection Regulation (GDPR), but that may change soon
Key takeaways:
- Since the GDPR went into effect in 2018, state legislatures in the U.S. have voted to enact laws related to data privacy and breach notifications.
- Since January 2021, several bills have been introduced in both the Senate and the House dealing with the broader subject of data privacy.
- The push in Congress follows Virginia’s passage of a comprehensive data privacy law in March 2021, joining California as the second state to do so.
- Without comprehensive federal legislation, both consumers and business owners are subject to inconsistent and confusing legal requirements regarding data privacy.
The US government lags the EU and several other of the world’s largest economies in devising a legal framework for protecting its citizens’ personal data. Since the EU’s GDPR went into effect in 2018, state legislatures across the US have passed laws related to data privacy and breach notifications, but there remains no comprehensive, unifying national law.
That may soon change. In 2021, several bills have been introduced in both the Senate and the House dealing with the broader subject of data privacy. And two of them seem to be gaining traction within the 117th U.S. Congress.
The call for stricter regulations gets reinforced with each highly publicized data breach or ransomware attack. Legislators are buoyed by widespread support from consumers and a growing coalition of business organizations and privacy experts.
Congressional bill introductions in 2021
In late April 2021, Senator Jerry Moran (R-Kansas) reintroduced the Consumer Data Privacy and Security Act, a bill he first presented to the full Senate in March 2020. Sen. Moran believes that this legislation will strengthen protections on personal data and “create clear standards and regulations for American businesses that collect, process and use consumers’ personally identifiable data.”
“Without action from Congress, consumers will continue to be vulnerable to future threats against their personal data, and innovators and job creators will be plagued with regulatory uncertainty resulting from a growing patchwork of state laws,” stated Moran.
In the House of Representatives, former Microsoft executive and current Washington Representative Suzan DelBene introduced the Information Transparency and Personal Data Control Act to “create a national data privacy standard to protect our most personal information and bring our laws into the 21st Century.”
Other legislative proposals are narrower in scope and, in some cases, revisiting elements of bills that were previously abandoned. One is a bi-partisan effort led by Rep. Michael McCaul (R-Texas) and Rep. Jim Langevin (D-RI) to establish a Cybersecurity and Information Security Agency as a kind of “911 for breach notification.”
Another bi-partisan effort led by Sen. Amy Klobuchar (D-MN) focuses on protecting consumer data collected specifically through interactions with large tech platforms like Facebook and Google. Klobuchar introduced similar legislation in 2019 following the Cambridge Analytica scandal. That bill died in the then-Republican Senate; many believe the repackaged Social Media Privacy Protection and Consumer Rights Act will fare better in a Democrat-led Senate.
An update on nationwide activity
The push in Congress gathered momentum following Virginia’s passage of a comprehensive data privacy law (the Virginia Consumer Data Protection Act) in March 2021, joining California as the second state to enact such sweeping legislation.
California’s Consumer Privacy Act (CCPA) was passed in 2020 and has served as a template for other states in crafting their own legislation. Its framework has many similarities with the EU’s GDPR and contains mandates that would be expected in federal legislation. The CCPA has since been updated, and its replacement law, the California Privacy Rights Act (CPRA), will go into effect in January 2023. The revisions strengthen certain elements of the CCPA and make its standards even more like the GDPR.
Since 2018, many states across the nation, including Texas, have drafted legislation related to consumer rights and business obligations regarding data privacy. Many bills are less inclusive than California and Virginia’s laws. In more than 10 states, consumer privacy acts ultimately failed or never made it out of their legislatures’ committees.
The case for a federal law
Without comprehensive federal legislation, both consumers and business owners are subject to inconsistent and confusing requirements regarding data privacy. Customers may receive variable protections, and companies are liable for conforming to the strictest laws wherever they conduct business. A federal effort would codify regulations into a unified body of law that will create a baseline of rights and rules.
Whichever law is enacted is expected to follow the general frameworks set by the GDPR and the CCPA, with an emphasis on consumer opt-in requirements and protections and a focus on the need for companies to be transparent and use “plain English” when communicating privacy policies. The proposed federal legislation establishes the Federal Trade Commission (FTC) as the enforcement authority of data privacy violations.
The struggle to enact laws at the federal level reportedly has much to do with the power of big tech and other industries that would be adversely affected by stricter regulations. Some legislators are unwilling to create laws that could potentially curb innovation and strip the internet of some of its freedoms.
Predictions and implications
The number of competing bills in Congress underscores the popularity and urgency of data privacy, as well as the need for a coordinated approach. But the significant failure rate of similar bills introduced in state legislatures suggests that getting anything passed on the federal level may be difficult.
Similarly, there is no consensus of opinions about the likelihood of data privacy legislation passing, and what provisions a successful bill will contain. Some experts believe that federal legislation must not preempt existing state laws that are more restrictive in order to pass. Others believe that the popularity of this kind of legislation could make this one of Congress’s less-volatile debates.
Regardless of the status of federal legislation, compliance is essential for any business subject to international or state data privacy laws. The risk of data breaches continues to grow. And proactively addressing any organizational vulnerabilities while establishing processes should a breach occur are a must for any business that collects consumer data.
The experienced attorneys at Johnston Clem Gifford offer quality legal counsel for a wide range of public corporations and privately held businesses, financial institutions, trade associations, nonprofit organizations, new ventures, and family concerns. We help our clients comply with ever-changing data privacy and security laws. Contact us online or by calling (214) 974-8000.