Data Privacy Experts Talk Future of Federal, State Legislation

Panelists during Forum Global’s Data Privacy Conference this week questioned what the path to a federal data privacy law would look like, and what it would mean for states with policies of their own.

In the absence of federal law, data privacy rules are being hashed out by states. Several have passed laws and more are expected to follow suit, with no guarantee that these policies will mesh.

Congress, meanwhile, continues to eye a nationwide policy, with several legislators looking to empower the Federal Trade Commission (FTC) to tackle such concerns. But many questions remain over how far that entity can go and how any forthcoming national policy will interact with existing state privacy legislation, said speakers at Forum Global’s 3rd Annual Data Privacy Conference on Wednesday.


California and Colorado launched data privacy laws, and Virginia hopes to implement its own in January 2023, according to Sam Towell, Virginia’s deputy attorney general for civil litigation. Virginia modeled its policy off an unsuccessful Washington bill, tailoring that proposal to suit the local governance structure.

These kinds of tweaks result in an uneven national picture, in which residents’ protections and organizations’ obligations change as they cross borders.

“We are in the process now of working out elements to make it a bit more Virginia-specific,” Towell said. “Of course, anything that's more one-state specific is going to add to that kind of patchwork dynamic. But in the absence of federal legislation, it really is the only opportunities that the states have to be engaged in this process.”

The landscape could quickly become more piecemeal because “nearly thirty states have examined privacy legislation” in the past year, said K. Dane Snowden, CEO and president of the Internet Association, a trade organization representing global Internet companies’ public policy opinions.

The disparity can be problematic for both residents and businesses.

“Americans’ privacy protections should not change based on where they live, or the services they use,” Snowden said.

One motive behind the push for a national policy is that there are limits to what states can accomplish. Towell said that the federal government is better able to combat data practices with discriminatory effects.

“Because we're still working in some of our basic building blocks with respect to civil rights enforcement, we may not be in the best position to address it as robustly in the data privacy space, as perhaps the federal government would be able to with a national standard,” Towell said.

“You don’t want civil rights issues on state-by-state basis,” Snowden agreed.


Companies also often advocate for a single, nationwide law because it would make their compliance work easier. A unified policy spares them from having to learn and monitor laws that vary by state and rework contracts for each one — something that can hit small businesses’ budgets hard, said Tess Macapinlac. She is a privacy associate at OneTrust, a company that helps business clients stay compliant with governance, privacy and security regulatory requirements across different jurisdictions.

There has been a bit of reprieve, however, with Virginia and Colorado allowing data protection assessments an entity conducts under similar state laws to fulfill requirements under their laws, Macapinlac said.


States’ proactive approach to data privacy means any forthcoming federal law will not be written on a blank slate. Federal rule-makers must decide whether a national policy should simply set a baseline level of privacy that states can exceed if they wish or whether the federal law will supplant all state-level ones.

The former approach means organizations must grapple with inconsistencies across states and residents may be confused about protections that are not universal nationwide. The latter method could potentially weaken or roll back protections, should federal regulations be looser than those outlined in existing state policies, said Jessica Rich, former director of the FTC’s Bureau of Consumer Protection and current counsel at law firm Kelley Drye & Warren.

And states have produced some real successes, she said: “States are the laboratory for creative solutions on privacy like breach notification, which really changed the environment in the United States.”


Debate also rages over how to enforce protections. California’s privacy law lets consumers sue companies if their personally identifiable information is stolen, while Virginia’s law only allows the attorney general to bring lawsuits.

A federal approach that allows consumers to sue could leave businesses fending off flurries of unfounded — and expensive — lawsuits alongside the valid ones. But a national law prohibiting private suits could frustrate consumers, who may have to wait until the federal government deems the impact of a violation sufficiently large to merit its intervention, Rich said.

A federal law also needs an enforcer, and many congressmembers have eyed the FTC, given its existing work in consumer protections.

But that’s far from the only possible approach. The Data Protection Act of 2021 from Sen. Kirsten Gillibrand, D-NY, would establish a new independent agency tasked with enforcing — and potentially creating — data privacy, protection and fairness rules.

Any new agency could take years to establish, however, and unlike the FTC, wouldn’t already have relationships with states and counties, Rich said. On the other hand, the current FTC isn’t powerful enough to handle the privacy work ahead, she said.


The Magnuson-Moss Warranty Act gives the FTC certain rulemaking capabilities that some believe could let it advance national data privacy policy without leaving the country waiting for Congressional action.

But Rich said these powers are very limited and require the agency to go through a protracted process. In part that’s because the agency deals specifically with “unfair” and “deceptive” practices impacting consumers and competition.

“Most rules have taken years, some as long as nine years. And that’s because there’s many steps — cumbersome steps — [and] many opportunities for stakeholders to request hearings and otherwise gum up the works,” Rich said. “Significantly, you need to prove in this rulemaking that the failure to comply with each and every mandate in the rule is either unfair or deceptive, and prevalent. And we've already talked about how unfairness and deception is a blunt tool for privacy.”

The FTC’s oversight also does not extend to certain organizations like banks, nonprofits and communications common carriers.

The debate over the FTC’s role and powers continues to develop, and various changes have been aired. The Setting an American Framework to Ensure Data Access, Transparency and Accountability (SAFE DATA) Act from Sens. Roger Wicker, R-Miss., and Marsha Blackburn, R-Tenn., for example, proposed expanding the FTC’s oversight to more types of organizations and authorizing it to create certain new rules.

A House committee in mid-September also proposed furnishing the FTC with funds to establish and run a bureau that would combat unfair and deceptive data privacy practices and similar matters.

But Snowden said lasting change requires a new law rather than new regulations; otherwise, policies could change each time there’s a new administration.

“We need to make sure whatever we do, we have it in statute and that we're not looking at things through rulemakings,” Snowden said. “History has taught with net neutrality. We've been dealing with this issue for 15 to 20 years now.”

Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.