Introduction
In September 2020, four Republican senators introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (the “SAFE DATA Act”).1 It was far from the first attempt in Congress to address the absence of comprehensive federal data privacy regulation. In fact, the SAFE DATA Act is just one of many data privacy bills introduced in Congress since the 2018 midterm elections.2 That no comprehensive data privacy bill has yet been enacted may be a testament to congressional disagreement over what the statutory scheme should look like, but the steady stream of proposals also suggests that it is only a matter of time until one is passed. Considering the likelihood that a comprehensive federal data privacy law becomes a reality in the foreseeable future, this blog post explores why there is a push for such legislation in the first place, what standards a federal data privacy law might impose, and what effect those standards might have on individuals and businesses nationwide.
The Need for a Federal Comprehensive Data Privacy Statute
Over at least the past decade, businesses’ use of and demand for big data has grown and continues to grow at a rapid pace, not least because of the cost savings it tends to deliver.3 This trend gives businesses a powerful incentive to collect, analyze, share, and sell individuals’ personal information, which they can acquire directly or through third parties. However, the utility of big data for businesses does not come without costs to consumers. One risk that has accompanied the rise of big data is the prevalence of large data breaches, of which there have been numerous well-publicized examples. Breaches of personal data held by companies like Equifax and Marriott have exposed the records of hundreds of millions of individuals to unauthorized parties.4 Widespread use of big data can also have indirect discriminatory and harmful effects on consumers.5 For example, the unregulated use of big data for behavioral profiling has led to instances in which credit card companies lowered customers’ credit limits based not on those customers’ own credit histories but on an analysis of other customers with poor repayment histories who shopped at similar establishments.6
Consumers appear wary of the risks that accompany data collection on this scale. One study found that a majority of American adults are not only aware that companies regularly collect their personal information, but also feel that they have little or no control over what is collected and that the risks of collection outweigh the benefits.7
While there may not be a perfect response to these problems, the recent trend in several jurisdictions worldwide has been to give individuals a greater degree of control over the information about them that sits in the hands of business entities. Generally, these measures work toward that goal by requiring certain disclosures and protocols from businesses that collect personal data and by granting individuals specific rights with respect to their data. Two of the leading recent efforts are the General Data Protection Regulation (the “GDPR”) from the European Union and the California Consumer Privacy Act (the “CCPA”) from California, which became enforceable in 2018 and 2020 respectively. Both aim to protect their residents by giving them specific rights related to their personal data and by setting requirements for why and how businesses can use that data.8 However, the vast majority of U.S. states currently have little to no comprehensive data privacy regulation, giving businesses broad discretion in how they acquire data, what they do with it, and how much information they provide to the individuals whose data they handle.
Possible Federal Standards When Comprehensive Data Privacy Law is Passed
An examination of the legislative proposals for a comprehensive federal data privacy statute provides insight into what the public can expect when one is eventually enacted. The bills introduced in Congress in the last two years vary in a number of ways but also share enough features to allow educated predictions about the standards the eventual federal law will contain. One difference between the proposals is that Republican-introduced bills, like the SAFE DATA Act, would preempt states from passing or enforcing their own data privacy laws.9 Conversely, legislation introduced by Democratic members of Congress, such as the Consumer Online Privacy Rights Act (“COPRA”) sponsored by Senator Maria Cantwell, takes a more aggressive approach to application and enforcement, including a private right of action for individuals with respect to their data and the right of states to enact and enforce their own data privacy laws in addition to the federal statute.10
Despite these differences in approach, there is encouraging bipartisan agreement on several significant provisions that a comprehensive data privacy bill would be likely to include. For instance, both the SAFE DATA Act and COPRA would give all Americans the rights, among others, to request access to, correction of, and deletion of their personal data.11 Additionally, both bills would impose similar obligations on businesses, including mandates for covered businesses to appoint a data privacy officer to monitor and oversee data collection and handling, and to maintain internal controls that enforce the other provisions of the legislation.12 Lastly, both the SAFE DATA Act and COPRA limit the purposes for which entities can use individuals’ personal data without receiving express consent.13
Thus, while it is unclear what degree of state preemption and individual enforcement will ultimately be adopted, if any, it is possible to make an informed prediction of what a federal data privacy law would include. Specifically, whatever law is ultimately passed is highly likely to grant Americans specific rights with respect to how their data is maintained and used, require businesses to implement infrastructure and policies that provide transparency and safe handling of personal information, and limit the purposes for which businesses can use individuals’ personal data without their express consent.
The Possible Effects of a Comprehensive Federal Data Privacy Statute
The impact of a comprehensive federal data privacy statute will likely be substantial for both individuals and business organizations. On the consumer side, a major effect of such a law would be the standardization of the basic rights Americans have with respect to their personal information. By enacting these rights into federal law, Americans’ ability to compel businesses to disclose, correct, or delete their personal information would no longer depend on whether they reside in a state with laws affording those protections.
On the business side, a comprehensive law would create a baseline for how American businesses treat the user or consumer information they collect, maintain, or distribute. While many businesses already have systems in place to serve users in California, Europe, or other jurisdictions with applicable data privacy regulations, a federal law would eliminate businesses’ discretion to grant or deny rights of access, correction, and deletion to individuals in states without any active data privacy laws. In practice, honoring those rights requires systems that can locate, disclose, correct, and delete a given person’s records across all of the places a business stores them, so businesses that do not already have mature data privacy policies and infrastructure for handling consumer requests can expect material increases in their compliance costs. One study estimated that a comprehensive federal data privacy law with requirements similar to those of the CCPA or GDPR would cost the American economy an estimated $122 billion per year in increased compliance costs.14
To a degree, however, the impact of a federal data privacy law will hinge on unresolved legislative questions, including whether it preempts states’ ability to enact or enforce their own data privacy regulations and whether individuals will have a private right of action to enforce their statutory rights. If states are preempted from maintaining their own data privacy laws, businesses will only need to comply with federal standards when handling the personal information of Americans, although the standards applicable to consumers residing outside the United States would still need to be accounted for under international regulations like the GDPR. If states are not preempted, they will be able to continue implementing their own data privacy regulations, such as the CCPA, which could impose obligations on businesses handling data from those states’ residents in addition to those required under federal law. Further, if the ultimate law contains a private right of action for individuals, businesses will likely face increased legal risk and even greater compliance costs in order to avoid consumer data privacy litigation. Even with these questions open, recognizing the need for a comprehensive federal data privacy law, understanding the specific standards it could impose, and assessing the impact those standards might have are useful exercises for American individuals and businesses wondering what the future of data privacy might bring.
1. Wicker, Thune, Fischer, Blackburn Introduce Consumer Data Privacy Legislation, U.S. Senate Comm. on Com., Sci., & Transp. (Sept. 17, 2020), https://www.commerce.senate.gov/2020/9/wicker-thune-fischer-blackburn-introduce-consumer-data-privacy-legislation.
2. See U.S. Congress Search Page, https://www.congress.gov/search?q={%22congress%22:[%22116%22],%22source%22:%22all%22,%22search%22:%22privacy%22}&searchResultViewType=expanded (last visited Oct. 28, 2020).
3. See Big Data Statistics, Growth & Facts 2020, SoftwareFindr (2020), https://saasscout.com/big-data-statistics/.
4. See Tara Siegel Bernard et al., Equifax Says Cyberattack May Have Affected 143 Million in the U.S., N.Y. Times (Sept. 7, 2017), https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html; Nicole Perlroth et al., Marriott Hacking Exposes Data of Up to 500 Million Guests, N.Y. Times (Nov. 30, 2018), https://www.nytimes.com/2018/11/30/business/marriott-data-breach.html.
5. See Solon Barocas & Andrew D. Selbst, Big Data’s Disparate Impact, 104 Cal. L. Rev. 671, 674 (2016).
6. Edith Ramirez et al., Big Data: A Tool for Inclusion or Exclusion?, FTC (Jan. 2016), at 9-10.
7. See Brooke Auxier et al., Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, Pew Res. Ctr. (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/.
8. See Regulation 2016/679 of the European Parliament and of the Council of Apr. 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), arts. 15-21, 24-43, 2016 O.J. (L 119) 33 (EU); California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100-1798.135.
9. Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act, S. 4626, 116th Cong. § 405(a) (2020).
10. Consumer Online Privacy Rights Act, S. 2968, 116th Cong. § 301(b)(3), (c)(1) (2019).
11. Id. §§ 102-104; S. 4626 § 103(a)(1)(A)-(C).
12. Id. §§ 301, 302; S. 2968 § 202.
13. S. 4626 § 108; S. 2968 § 110(d)(1).
14. Alan McQuinn & Daniel Castro, The Costs of an Unnecessarily Stringent Federal Data Privacy Law, Info. Tech. & Innovation Found. (Aug. 5, 2019), https://itif.org/publications/2019/08/05/costs-unnecessarily-stringent-federal-data-privacy-law.