With a lame duck session ahead in Congress, Democratic leaders in the House are facing demands to move forward pending bills. Many industry groups are hoping that Congress will take up the American Data Privacy and Protection Act, a privacy bill that would lock in place a single national standard and shut down efforts now underway in the states to expand consumer protection. Speaker Nancy Pelosi (D-Calif.) has been targeted by one of the bill’s supporters, a former top official at the Commerce Department, who claims that her “pride” is the reason the bill has not moved.
A better explanation could be that Speaker Pelosi believes in the legislative process and that a better privacy bill is still possible.
The most well-known problem with the federal privacy bill is that it will overwrite stronger state privacy laws, most notably the California Privacy Rights Act. This is unusual in federal privacy law and clearly controversial. Backers of the bill claim that it is stronger than the California law, oblivious to the well-stated objections of Speaker Pelosi, Gov. Gavin Newsom, the California attorney general, the California speaker of the house, the California Privacy Protection Agency, and also Californians for Consumer Privacy, the group that gathered 9 million votes in support of the state law, by far the most successful privacy campaign in U.S. history.
This is the moment when those in California get to ask the D.C. pundits what have *they* been smoking?
There is a simple solution to the objection from California: Remove the language that preempts stronger state laws. If the federal bill is indeed stronger, as the backers contend, then compliance with the California law should be easy.
But that is only the start. The federal bill has a weak private enforcement scheme that fails to provide any dollar amount for a violation of the law. That will create a real problem for enforcement because privacy violations, though consequential, are often difficult to quantify. And that is why privacy laws typically set out a specific dollar amount to help guide litigants and courts as to outcomes.
A related problem is that the enforcement provision kicks in two years after the bill goes into force. That is also without precedent. But both problems can be solved – provide a stipulated damages amount and remove the unnecessary delay. If there is a violation of the law after the bill is enacted, then enforcement should follow.
Another problem with the current draft is that it excludes Europeans from the scope of coverage. At first, I thought that was simply a drafting mistake as no consumer privacy law enacted by Congress had ever excluded non-U.S. residents from coverage, but I have since learned that this provision was intended.
It is difficult to describe just how bad that provision is. The United States is at this very moment trying to establish a legal framework that will permit the continued flow of personal data of European consumers to United States internet companies, which is critical to the digital economy. Two previous attempts had failed because the European Court of Justice concluded that the United States simply did not provide comparable protection to the safeguards available in Europe. President Biden signed an executive order to establish an EU-US Data Protection Framework, following lengthy negotiations between the U.S. Department of Justice and the EU Justice Ministry.
If the Congress now passes a privacy law that, for the first time, excludes European consumers, it is not difficult to predict what the next judgment from the European court will be. That problem can also be fixed by removing the qualifier that excludes non-U.S. residents from the scope of coverage. U.S. companies should be responsible for protecting the privacy of the consumer data they choose to collect regardless of where they may reside. That is also a rule that will strengthen international trade.
Then there is the problem of the Federal Trade Commission’s ability to safeguard privacy. Under the proposed bill, the FTC has central enforcement responsibility. The FTC has a noble history protecting consumers and promoting good business practices, but it has struggled with privacy enforcement. An organization I led brought the privacy cases that established the FTC’s legal authority over Facebook and Google. It took two years for us to get favorable outcomes, and even then, the FTC was reluctant to enforce its own order. We even sued the FTC in federal court to enforce its own order against Google. A sympathetic judge acknowledged the problem but said she lacked authority to compel an agency to exercise its enforcement powers.
Years passed and violations piled up. The Cambridge Analytica scandal broke. Whistleblowers came forward. The FTC was unwilling to act. It took more than eight years from the settlement we obtained against Facebook in 2011 before the Commission took its first enforcement action against the company.
The FTC’s spotty enforcement record — combined with the long period that FTC rulemakings require, the two-year delay in private enforcement, and the preemption of state authority — could set back privacy protection in the United States for many years.
In almost every other country in the world, there is a dedicated privacy agency with the specific authority and expertise to enforce data protection law. And for many years I urged Congress to establish a similar agency in the United States. The creation of a dedicated privacy agency is one of the key achievements of the California privacy law. And the California Privacy Protection Agency has done an admirable job so far engaging the public, issuing orders, and seeking new authorities where needed. If the federal privacy law is adopted with the preemption provision, the California agency is essentially out of business.
There is another key point to consider as this session of Congress wraps up. The public attitude toward the tech industry has clearly shifted since work on a federal privacy bill began. Tech lobbyists no longer hold the pen on legislation. Twitter is teetering on the edge. Layoffs have diminished Facebook, Google, and others. Compromises with powerful tech companies — such as federal preemption — that might have looked good a year ago now seem unnecessary. This is not a time for a retribution, but it is a time for Congress to enact effective baseline legislation that provides real protection for consumers and leaves the door open for future innovation in the states.
Fortunately, the House still has a leader who has shown many times her ability to advance the interests of the nation and protect the interests of her state. There is not much time left to pass a comprehensive federal privacy law, but do not underestimate Speaker Pelosi.
Marc Rotenberg is the founder and president of the Center for AI and Digital Policy, a global network of AI policy experts and advocates. He is a former chair of the Public Interest Registry, which manages the .ORG domain. He delivered the report “A Public Interest Vision of the Internet” to then Vice President Gore in 1993.