The specter of dozens of privacy bills moving through state legislatures this year may push Congress to pass its own legislation this year, despite doubts about lawmakers’ willingness to act.
The legal landscape on privacy is changing quickly, with the 21st Century Privacy Coalition, a lobbying group representing telecommunications carriers, counting 94 privacy proposals pending in state legislatures across the United States as of late February, coalition co-Chairman Jon Leibowitz told a Senate committee. States are following the lead of California, which passed its own consumer privacy law in 2018 in response to the data collection and sharing practices of large Internet companies.
“A proliferation of different state privacy requirements would create inconsistent privacy protections for consumers,” Leibowitz told the Senate Commerce, Science, and Transportation Committee during a Feb. 27 hearing. “You don’t want a crazy patchwork of 50 different state laws.”
Multiple state privacy laws would also make it difficult for online businesses to sell products or collect consumer data outside their home states, other witnesses said.
Privacy advocates and some lawmakers have been pushing for years for Congress to pass a comprehensive privacy law that would rein in the data collection and sharing practices of online services. Their efforts have been unsuccessful, but the California Consumer Privacy Act, along with the other states considering new privacy laws, may give Congress a new incentive to act.
Even before the California privacy law goes into effect in 2020, there have been efforts to strengthen it. On Feb. 25, California Attorney General Xavier Becerra and Democratic state Sen. Hannah-Beth Jackson introduced a bill to give consumers the ability to sue businesses for sharing and selling personal data without permission.
Most witnesses and lawmakers from both parties at two recent congressional hearings voiced support for a new federal privacy law that would preempt state laws like the CCPA. The hearings in the Senate Commerce Committee and a House Energy and Commerce subcommittee didn’t focus on specific privacy proposals, but some witnesses called for some basic consumer protections.
Among the provisions proposed: Consumers should be allowed to opt out of data collection; businesses should be required to get opt-in permission to collect sensitive personal data; and businesses should tell consumers what data they’re collecting and how they’re using it.
Some witnesses also called on Congress to give the Federal Trade Commission new authority to fine companies on the first violation of privacy regulations.
Three bills in Congress would create new federal privacy rules. The latest bill, introduced on Feb. 28 by Sen. Catherine Cortez Masto, D-Nev., would prohibit online services from serving targeted ads based on discriminatory practices and targeting by race, sexual orientation, or gender.
While the telecom members of the 21st Century Privacy Coalition have long called for stricter privacy rules for online rivals like Google and Facebook, tech trade groups also spoke in favor of a federal privacy law. The Internet Association, representing Google, Facebook, Amazon, and other online services, and the BSA (formerly the Business Software Alliance), representing software firms including Apple, IBM, and Microsoft, both called for a federal law.
Internet Association members support “meaningful” federal privacy legislation that sets a nationwide standard, trade group president and CEO Michael Beckerman told senators.
“The Internet industry and [Internet Association] member companies are far from perfect,” he said. “And we understand that we fail or succeed based on people’s trust with our products and services. Our members are committed to doing better.”
Preemption of state laws could be a sticking point, however. While most lawmakers and witnesses offered support for it, some worried about the possibility of a weak federal law that would kill stronger state laws.
The U.S. legal system is set up to allow for many state laws, noted Woodrow Hartzog, a law and computer science professor at Northeastern University. Nearly every state has its own data breach notification law, and there haven’t been major problems with compliance, he said at the Senate hearing.
Federal rules “should be a floor, not a ceiling,” for consumer privacy protections, he added.
Sen. Maria Cantwell, D-Wash., also questioned preemption. “Are we here just because we don’t like the California law, and we just want a federal preemption law to shut it down?” she said. “I find this effort somewhat disturbing. With all the litany of privacy violations … the first thing that people want to organize here in D.C. is a preemption effort.”
