Can’t Congress Pass a Law for Data Privacy?

Written by: Richard Sheinis, Esq.

The U.S. is lagging further and further behind the rest of the world when it comes to the privacy of personal data.  The EU’s General Data Protection Regulation (GDPR), which became effective in 2018, has become the “gold standard” for data privacy.  Many countries have used the GDPR as the model for their own national data privacy laws.

In the U.S., however, it has been a different story.  We have a few national privacy laws that are industry focused, such as HIPAA for healthcare, and the Gramm-Leach-Bliley Act for the financial industry.  Relatively comprehensive privacy legislation has been introduced in Congress during the last several years, with at least five (5) such legislative proposals having been introduced in 2021 alone.  However, after being introduced, none of the legislation goes anywhere.  While some legislative proposals are very reasonable, other proposals unfortunately seek to cast corporations as villains.

Perhaps because of Congress’ own inertia on the subject, the Democrats included $1 billion in their $3.5 trillion Build Back Better Act to create a new bureau to address “unfair or deceptive acts or practices relating to privacy, data security, identity theft, data abuses, and related matters”. Then, on September 26, 2021, nine (9) Democratic Senators sent a letter to FTC Chair Lina Khan asking the agency to “begin a rulemaking process” addressing privacy and the collection of consumer data.  The lawmakers wrote that “consumer privacy has become a consumer crisis.”  It is likely that the creation of regulations by the FTC would exceed its authority and would draw legal challenges.

Several states are filling the gap with their own legislation.  California, Virginia and Colorado have all passed their own data privacy laws, with a focus on providing consumers with greater control over their data by limiting the sale of personal information, or the sharing of information across platforms for targeted advertising.  Other states have similar privacy legislation that is under consideration.  At last count, 35 states have proposed some type of data privacy legislation.  One problem with individual state legislation is the burden it places on companies to comply with multiple laws that have some similarities, but also important differences.

So where does this leave the U.S. when it comes to data privacy?  It might leave us out in the cold.  The European Union’s General Data Protection Regulation, and subsequent court rulings, have already made it difficult to transfer personal information from the EU to the U.S. because of the U.S.’ lack of a comprehensive, national data privacy law.  This is an unnecessary roadblock for U.S. companies doing business internationally.

If Congress can find its way to passing a national data privacy law, which everyone seems to recognize we need, here are my recommendations for what needs to be addressed:

    1. Make sure it is comprehensive. No more piecemeal laws for different industries.  One law can cover it all.
    2. Supersede state privacy laws. Making companies comply with the different laws in multiple states is ridiculous.  It is an unnecessary drain on company resources.  There should be one standard across the land.
    3. There is a concern that companies are allowed to sell, share and exchange personal information without individuals having any control over their own information. Several state laws are building in “Do Not Sell”, “Do Not Share”, or “No Ad Targeting” rights for individuals.  Rather than requiring individuals to opt-out of companies using their data, let’s require an opt-in.  An opt-in would prohibit companies from using personal information for their own purposes, other than to provide services requested, unless the consumer affirmatively gives them permission to do so.
    4. When a consumer opts in to allow their personal information to be sold or shared, require the company selling or sharing the personal information to pay the consumer. Companies have to pay a person to use their name, image or likeness (“NIL”).  They should have to pay to use an individual’s personal information for the company’s financial gain.
    5. Provide a safe harbor and immunity for companies that maintain an established standard of computer security. When a company experiences a data breach, they are frequently required to provide written notification to affected individuals.  In what other area of law is a business required to notify individuals with a letter that essentially acts as an advertisement to file a class action suit against the company?  If companies are required to provide such notice, the notice should not be allowed to be used as evidence against the company.  The company should also be provided with immunity from lawsuits if they had adequate security.  This would incentivize companies to improve security to prevent a data breach, which is the desired goal in the first place.  Which leads me to my last recommendation…
    6. Stop treating companies that experience a data breach like criminals. A company that is hacked is not a criminal.  They are the victim of a crime, similar to a person whose home is burglarized.  Proposed legislation is often too punitive and seeks only to punish the victimized company as if they invited the data breach to happen.  Unfortunately, many politicians today seek only to villainize corporations, and they propose legislation that does so.