Will There be a US Federal Privacy Standard?

There’s a good commentary by Daniel Barber, published today, about the various data privacy bills that are being considered by Congress. Here’s a synopsis:

  • Consumer Online Privacy Rights Act (COPRA). A Senate bill introduced in November 2019, this consumer-friendly act focuses on data privacy, would impose large fines on violators, and would create a new federal bureaucracy, the Bureau for Privacy.
  • Privacy Bill of Rights Act. A Senate bill from April 2019 that is quite similar to the California Consumer Privacy Act (CCPA).
  • Consumer Data Protection Act. A Senate bill from November 2018, COPRA closely matches the European Union’s General Data Protection Regulation (GDPR) and would target companies with at least $50 million in annual revenue and that manage more than one million records. Like the most aggressive penalty under GDPR, it would impose a fine of four percent on violators.
  • Online Privacy Act. This act would enable consumers to access their data and have it deleted, much like the GDPR, and would impose regulations on algorithmic processes that many are using to target prospective customers.

The two big questions surrounding a GDPR- or CCPA-like bill at the federal level are:

  • Is it a good idea to preempt state data privacy legislation?
  • Should stricter state regulations on data privacy supersede weaker federal provisions?

Mr. Barber’s take on the first question is clear: “While I generally favor the states’ role in being the so-called laboratories of democracy, only a uniform federal piece of legislation will solve the problem and create order.” I agree with him to an extent, but federal legislation tends to get watered down in committee. That, combined with an administration that is not favorable to enacting new regulations, could result in a weakened version of these bills that would do relatively little in addressing problems with data privacy.

With regard to the second question, I believe that states should be permitted to enact stricter legislation if their citizens and their elected representatives choose to do so. Yes, it makes things more onerous for business, but it enables states to have the freedom to implement rules that are a better fit for their citizens (not that that always happens, of course).

Perhaps the best course of action is for companies to adopt the CCPA as a de facto standard for all of their US domestic operations. Microsoft and ISP Starry have already done so, pledging to honor the provisions of the CCPA in all 50 states. In the absence of federal regulation to protect data privacy, it will be interesting to see if consumer demand for privacy is sufficient to motivate other companies to follow the example of Microsoft and Starry.