With no framework yet for a federal privacy law, states that took the initiative to regulate online firms’ use of personal data may end up providing models for Congress.
Following the passage of the landmark California Consumer Privacy Act last year, bills were introduced in at least 25 states addressing different aspects of data privacy, according to the National Conference of State Legislatures. Illinois and Washington took the most comprehensive approach, while others considered piecemeal measures.
“After California did their thing, privacy has been a hot topic of discussion,” said Hayley Tsukayama, a legislative analyst for the Electronic Frontier Foundation. “We didn’t see a lot of passage of those bills, but they did produce good discussion.”
The push for more stringent privacy rules followed increased scrutiny of the way technology platforms sweep up data from users, analyze, and sell it — as well as how they safeguard it or fail to. A tipping point came with the revelation that Cambridge Analytica, a political research firm that worked for Donald Trump’s 2016 presidential campaign, improperly harvested data from 87 million Facebook users.
California’s law, which will go into effect next year, allows residents to review the information collected about them by Internet companies and stop the sale of it: a protection akin to what’s offered by Europe’s more sweeping General Data Protection Regulation.
While policymakers in other states looked to California’s bill as an example, its delayed implementation may have caused some wariness since the effects weren’t yet apparent. Instead, states like North Dakota approved studies to examine consumer personal data disclosures.
Lawmakers who brought California’s proposal to their home states “ran into questions about how has this law played out in California, and there weren’t answers on that,” Tsukayama said. “It’s good that people are talking about this in their legislatures, but apart from specific pieces of privacy legislation, we haven’t seen another big sweeping privacy bill.”
The delayed implementation of California’s bill also created an opening for amendments that might soften it. Google and trade associations representing Silicon Valley titans (such as the Internet Association, TechNet, and Consumer Technology Association) have all lobbied for modifications,. The state legislature considered a slew of changes, some of which won approval in at least one chamber, in its most recent session.
“We certainly did see the tech industry come in with a number of bills, with provisions that made the privacy industry very uneasy, to carve out things, to change definitions in the bill, things that extended far beyond the simple fixes that may have been overlooked because it passed so quickly,” Tsukayama said.
Internet companies argue the alterations to the law would improve its clarity and fairness.
Jim Halpert, a partner at law firm DLA Piper and co-chair of its global data protection practice, commended the ideas in California’s bill, but said it was confusingly drafted.
“It’s not totally a great model to use in other states,” he said. The timing for a federal framework may now be right.
“We’re at an inflection point where on the one hand, privacy issues are perceived as being really important, but also the business community now realizes that state-by-state regulations are not sustainable and it is time to make a deal on federal legislation,” he said.
The push for a federal privacy law, as well as the efforts by the states, follows Europe’s lead. The region’s data-privacy law requires companies to tell users in “clear and plain language” how they will handle their information and explain what they intend to do with their information.
Lawmakers on both sides of the aisle have expressed interest in passing a federal privacy bill, with California’s law and the GDPR possibly serving as models, and roughly half-a-dozen proposals dealing with the collection or use of personal data were introduced this year.
Silicon Valley’s biggest players hope Congressional action will smooth the widening patchwork of state rules and, perhaps, defang some of them.
A survey of CEOs conducted by Business Roundtable found 80% are in favor of a federal privacy framework.
“You often have, at the political and lobbying level, highly polarized discussions with people in their corners,” Halpert said. “But one can hope we’ve reached the point where problem-solvers who deal with compliance are going to come together with privacy advocates, think about what makes sense and develop some good improvements in U.S. national privacy law and avoid this fragmentation.”
Privacy groups such as the Electronic Frontier Foundation, though, are concerned a sweeping federal privacy bill might undo stronger state protections.
“We wouldn’t want to see those gains be overridden by any federal law,” Tsukayama said. States taking the lead, she said, “can be a little more nimble, a little more responsive” to the fast-changing world of technology.
