The trade association I belong to, the Software & Information Industry Association (SIIA), like many other trade associations, supports a US federal privacy law. This is the right thing to do to protect consumers from harm and solidify trust in the digital economy. It is also good for business because the world needs US leadership in providing a model for effective privacy and continued innovation. And within the United States, we need a federal privacy law to ensure a strong, consistent, and effective nationwide standard that consumers and businesses alike can count on.
Given this context, what then should a federal privacy law contain?
Perhaps most importantly, a US federal privacy law should be just that in inspiration, origin, and design: American with respect to political sensibilities and jurisprudential tradition. It should reflect and appropriately expand on our existing framework of robust and scalable privacy enforcement aimed at preventing and remedying data practices that harm consumers. It should be influenced by the successes of, and informed by the failures of, preceding privacy laws, like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Protection Act (CCPA).
On a granular level, a US federal privacy law should:
- Provide consumers with substantive rights to notice, control, access, correction, deletion, and portability
- Focus on protecting consumers from harmful and unreasonable data practices through a reasonable expectation standard
- Protect consumers from informational injuries, such as deception, financial injury, health and safety risks, unwanted intrusion and reputational harm
- Set forth a national requirement for reasonable data security standards calibrated based on the sensitivity of the data collected
- Set a uniform national standard through preemption to ensure equal protection for American consumers and promote American innovation through the free flow of data throughout the United States
After learning from preceding privacy regimes, what should a US federal privacy law avoid?
First and foremost, it should not, like the GDPR and CCPA, conflict with our First Amendment principles and important public policy objectives by conferring a right to be forgotten or by otherwise restricting the free flow of information in the public domain. Any federal law should exclude publicly available information and information about individuals acting in their business capacity as opposed to personal capacities. These narrow and appropriate exclusions preserve existing and fundamental freedoms as well as protecting business models that provide important and legitimate services and purposes.
Second, it should not focus on expanding consent requirements to the detriment of meaningful consumer choice and the socially beneficial uses of consumer data. A blanket opt-in regime, for instance, unnecessarily undermines meaningful consumer choice, as the GDPR has shown by producing a flood of consent requests that arguably lessen, rather than increase, the seriousness with which people take online privacy.
Third, it should not undermine the integrity of business risk assessments by extending the definition of personal information to capture information about people acting in their business capacity. The CCPA has done this, and thus may unintentionally allow fraudsters and other bad actors to opt out of information collection or to delete information about their disreputable business activity.
Lastly, a federal privacy law should not include provisions relating to data breach notification. While we support the concept of a federal data breach law, experience suggests that it will require much more time to get to yes among legislators and stakeholders if data breach is included in a federal data privacy law. Policymakers should leave data breach notification regulation for a later day, and move now to enact a strong federal privacy standard to ensure meaningful consumer protections, creating regulatory certainty for businesses sooner rather than later.
Underpinning any federal privacy law, of course, is enforcement.
A federal privacy law should contemplate strong and consistent enforcement, first and foremost by granting primary enforcement authority to the Federal Trade Commission (FTC), and also by granting enforcement powers to the States. To avoid inconsistent interpretations, the grant of authority to the States should include a concomitant obligation to notify the FTC and allow it to intervene to ensure consistent application of the federal privacy standards. To avoid the grave risk of further inconsistencies and the dilution of interoperability among data laws within the United States, and to prevent fragmented enforcement at the state and local level, the federal law should not include a private right of action.
To ensure the new privacy law is technology and industry neutral, it should extend the FTC’s jurisdiction for privacy matters to common carriers and possibly to non-profits, depending on whether the privacy law takes into account reasonable application standards for small businesses. With respect to remedies, the law should provide the Commission with civil penalty authority for egregious first-instance violations that cause informational injury.
The time is ripe for a US privacy standard. Any such law must include robust protections and benefits for American consumers. And it must promote continued innovation and economic growth through preemption and scalable standards that seek to prevent and remedy consumer injury.