The Big Push for a Federal Privacy Law: What Does it Mean for State Regulators? (Contributed)

It will be important for the states to monitor federal legislation to ensure that their interests are taken into account.

October 19, 2018

In June of this year, the California Legislature passed a sweeping new privacy law that created new data privacy rights for consumers and imposed significant new obligations on companies. The law prompted an outcry among tech companies that were concerned that it was hastily drafted and could lead to inconsistent and onerous obligations if other states were to enact such laws. The concern is that state regulation, like California’s, could have a detrimental effect on the digital economy.

This has led to a push by business interests for a federal privacy law. The Internet Association, which represents more than 40 companies, including Facebook, Alphabet, Microsoft and Twitter, has proposed “an economy-wide, national approach to regulation that protects the privacy of all Americans.” Similarly, the United States Chamber of Commerce published a list of principles that could serve as a framework for a federal privacy law:

  • A nationwide privacy framework to create consistency and certainty with regard to privacy protections.
  • An approach to privacy protection that is risk-focused and contextual.
  • A requirement that businesses be transparent about the collection, use, and sharing of consumer data and provide clear privacy notices.
  • A consistent set of principles across all industry sectors.
  • Regulations that are flexible and can adapt to changing technologies rather than prescribing specific solutions. 
  • Enforcement provisions that only apply where there is concrete harm to individuals. [This is in direct response to the California laws providing statutory damages (without proof of harm) for certain security breaches.]
  • An approach that encourages collaboration between government and business. [It would allow companies to correct deficiencies in response to concerns rather than promote an adversarial system that allows private rights of action or punitive actions by government before business can respond.]
  • The adoption of policies that promote the free flow of data across international borders.
  • Incorporating privacy considerations into product and service design.
  • Creating a uniform approach to security breach notifications to reduce the complexity and costs associated with the compliance and enforcement issues resulting from different laws in the 50 states and U.S. territories.

It is difficult to predict how quickly Congress will respond to these requests. For the past decade Congress has considered from time to time a national security breach notification law, but has not yet been able to pass one. However, the digital economy has become such a key part of our overall economy that it will be difficult for Congress to ignore this push for a federal privacy law. In addition, the enactment of a uniform data protection regulation in Europe, the General Data Protection Regulation, has created a precedent for a more uniform approach across jurisdictions.

What does this mean for state regulators? Most likely, Congress will be pushed to create a national framework that will preempt conflicting state and local laws, as that is a significant concern of business interests. If a federal law is passed, it will probably not alter privacy laws that apply to government activities, but would likely limit the ability of states to enact conflicting state consumer privacy laws. It seems unlikely that Congress would allow states to enact more rigorous protection, as that would defeat the purpose of creating a uniform federal privacy framework.

There will probably be some areas left to states. For example, states’ regulations against unfair and deceptive practices will likely continue to apply to companies that mislead consumers about their privacy practices. In addition, Congress may provide that the federal legislation can be enforced by state and local officials. For example, the CAN-SPAM Act of 2003 preempted most anti-spam laws, but provided that a state attorney general could enforce certain provisions of that law.

It will be important for the states to monitor federal legislation to ensure that state interests are taken into account. And, if the federal government is unable to develop a national framework, states should consider working together to develop a consistent approach among themselves. This is an approach taken in many other areas of the law through the Uniform Law Commission. Consumers and businesses alike would be well-served by a uniform approach, whether at the state or federal level.

Scott W. Pink

Scott W. Pink is special counsel in O’Melveny’s Data Security & Privacy practice, based in Silicon Valley. He advises technology, media, entertainment and a variety of consumer product and franchise companies on issues of cybersecurity and privacy; intellectual property counseling; social media law; and advertising, marketing and promotions law.

The views expressed here are those of the author and do not necessarily reflect the views of O’Melveny & Myers, LLP.