Article on US Data Privacy

STALEMATE:

– a situation where no action can be taken or progress made; deadlock.

– to bring to a standstill.

Some critics might suggest that this definition of the chess term describes perfectly the current state of affairs in the Senate, as lawmakers clash over Pre-emption and Private Right to Action — the two polarizing issues at the centre of the fierce disagreement between the two sides of the house.

If last week’s Senate Commerce, Science and Transportation Committee hearing is anything to go by, achieving any agreement over the details relating to implementation and enforcement remains as elusive as ever.

Just another day at the office?

… or is the Senate finally approaching the tipping point on the need to pass comprehensive federal data privacy legislation?

Data Privacy was back under the spotlight last Wednesday, less than a week after Republican lawmakers proposed a nationwide privacy framework, requiring businesses to disclose their data collection, processing and transfer activities more prominently while providing consumers with the ability to easily access, correct, erase and transfer their personal data to another service.

During the day, lawmakers were allowed to air their views on how to legislate national privacy standards effectively. California Attorney General Xavier Becerra and a select group of former Federal Trade Commission officials emphasized the need for a comprehensive bill — they were preaching to the converted!

Senator Roger Wicker, R-Miss., chaired the hearing just under a week after he and other Commerce committee Republicans unveiled the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act September 17.

The Act is said to strengthen the Federal Trade Commission’s ability to hold businesses accountable for the misuse of consumer data by allowing the commission to obtain monetary remedies for consumers, develop new rules to expand the scope of ‘sensitive data’ and establish a data broker registry. Michael Gold, the co-chair of the privacy, information management and data protection group at Jeffer Mangels Butler & Mitchell LLP, said:

“Folks have been talking about this for years. Many people believe that folks in Congress have been waiting to see what the states are doing, … But at the same time, for an economy as large and complex as we have in the U.S., to let the individual states legislate issues of this magnitude doesn’t make a great deal of sense.”

Inspired by the EU’s General Data Protection Regulation (GDPR) becoming law in May 2018 and the California Consumer Protection Act taking effect on January 1, 2020, several hearings have been held by the Commerce Committee to explore the possibility of enacting privacy rules that would apply across the U.S. But while both Republicans and Democrats agree that such legislation is necessary, they have failed to agree on specific key issues, including whether individual states should be able to set stricter rules and whether consumers should be allowed to bring private lawsuits for violations of their personal data.

Morrison & Foerster LLP partner Nathan Taylor said:

“The SAFE DATA Act highlights the tension and divide between Republicans and Democrats, who have bogged down data privacy and data breach legislation for the past 15 years, and you don’t even have to look at the substantive privacy aspects of the bill, This has been fruitful in the sense that I think we’ve got a lot of very good ideas,” 

The compelling position presented by experts is that Democrats and Republicans appear to be remarkably aligned in their desire to pass national privacy legislation and, therefore, should avoid bickering over the differences that actually do exist in order to make rapid and sustained progress on getting privacy legislation passed as quickly as possible.

During the hearing, Senator Schatz said there is healthy competition among the committee members to develop and advocate for their own privacy bills. Schatz, a COPRA co-sponsor, added:

“This has been fruitful in the sense that I think we’ve got a lot of very good ideas, …but we’re sort of on a razor’s edge between that competition being fruitful and competition preventing us from enacting legislation.”

Having been fuelled by the EU’s General Data Protection Regulation (GDPR) that became law back in 2018, closely followed by California’s CCPA, which came into effect on January 1, 2020, the Commerce Committee has held several hearings to explore the possibility of bringing in privacy legislation that would be applied nationwide.

Two significant differences currently holding up progress are to do with whether federal law should pre-empt state laws — and how enforcement will actually work in practice. On the one side, Republicans argue that a federal bill should supersede state laws and be enforced by the Federal Trade Commission (FTC). On the other side, Democrats — aligned with Cantwell — want to allow states the room to innovate beyond the federal standard. They also want a bill to provide consumers with a private right of action.

“I would expect those two issues to remain quite polarized,” said Gray, adding: “They were similarly polarized when we saw comprehensive legislation working its way through Washington state earlier this year, leading to the bill not passing.”

Although members of both sides of the house agreed in principle that such legislation is necessary, they have, so far, failed to agree on certain key issues, such as whether individual states should be allowed to implement more stringent rules and whether consumers should be allowed to bring lawsuits claiming damages for alleged violation of their personal data.

 

Pre-emption

During the hearing, the testimony of California’s AG, Xavier Becerra, was largely based on his experience of implementing the CCPA. Becerra served as a mouthpiece for the pre-emption argument. He is also an advocate for the right to private action. Cantwell and other Democrats on the committee are concerned that pre-emption — meaning federal law would supersede state privacy laws — could prevent states such as California from innovating beyond the national minimum. They hope to drag states that have yet to adopt data privacy laws up to a nationwide standard, without restricting those states that want to innovate beyond a national law.

Becerra said: “I would urge that you consider that we could set a standard, but just don’t make it the ceiling, … Let it be the floor.”

Former FTC Chair and Commissioner Jon Leibowitz, along with some other witnesses, said the bills proposed by both Cantwell and Wicker already go significantly further than the CCPA. Leibowitz also said he would not support pre-emption if, in his opinion, a federal law would be weaker than state-level laws. Leibowitz added: “At the end of the day, you want the person who is driving from Biloxi to Seattle to have the same robust privacy protections wherever she or he goes.”

Another former FTC chairman and commissioner, William Kovacic, voiced his support for giving rule-making authority to the FTC, so that it can adapt a federal data privacy standard as and when new issues appear. The very nature of the internet means that it does not recognize state boundaries. Therefore, any state-implemented expansions of the law would become de facto nationwide standards, because a business that has to comply with, for example, California’s CCPA complies with that state law everywhere, not only within the borders of California.

Kovacic said he did not think individual states would necessarily feel any urgency to press ahead if they were confident that a national scheme would be adaptable and flexible. However, he added he is confident that legislation coming out of the committee will not only be adaptable but that legislators would, from time to time, return to the issue at hand and ensure that it is kept up to date.

 

Private Right of Action

Cantwell’s opening statement took a strong stance, articulating a need for citizens to be able to seek redress on their own if their privacy rights are violated. Cantwell said that even if Congress empowers the FTC and state attorneys general to enforce a nationwide data privacy standard, there will never be enough resources to police the plethora of companies collecting consumer data.

“We will never be able to fully police the thousands and thousands of companies collecting consumer data if you are the only cop on the beat,” Cantwell said.

Becerra, in response to questions from Cantwell, added that the private right of action makes legal protections tangible. According to Becerra, citizens have to have remedies available to them for their rights to be meaningful.

Though both Republicans and Democrats agreed that the FTC should be granted more resources in order to enforce privacy regulations, Cantwell and Becerra argued that citizens still need that extra outlet to advocate for themselves because state attorneys general and the FTC will never have the bandwidth to deal with every problem that arises.

In his response to Cantwell’s questions, Becerra said the private right of action makes legal protections tangible. Citizens need to have remedies available to them for their rights to be meaningful. Republicans and Democrats both agreed that the FTC should be given additional resources enabling it to enforce privacy regulations. Becerra and Cantwell argued that consumers have to have an extra outlet to advocate for themselves because the FTC and state attorneys general will never have sufficient bandwidth to cope with every single problem that occurs. Becerra said:

“I guarantee you consumers would prefer to have the California attorney general move their case instead of them, … but at the end of the day if we don’t have the capacity, then some of those consumers will take up the opportunity if they are given the right to go to court.”

Gray said private right of action is likely to be even more important if pre-emption wins the day. “Most privacy advocates and civil rights advocates, and a lot of the Democratic leadership would strongly prefer a privacy bill, especially if it’s going to supersede state laws to include a private right of action so that individuals can challenge alleged violations directly themselves.”

Maureen Ohlhausen, former FTC commissioner and acting chair, said in her written testimony that, in past instances, private rights of action have usually just lined the pockets of attorneys without realizing proper redress for victims. She added that leaving enforcement up to state attorneys general and the FTC would create a level of consistency that, in the end, benefits consumers more than individual attempts to right the boat.

“It seems that in the discussion of data privacy at the federal level, this has become an article of faith,” Wicker said, “and I really regret that because I think it amounts to a stumbling block that may prevent national legislation from being enacted.”

So, there we have it — stalemate — at least for the time being.
But isn’t that how things generally go in the Senate — however complicated or straightforward the process of ironing out differences can be?
But, like most games of chess, the pawn and the king return to the same box when the game is over.

 

Writer: Mike Page (for The Data Privacy Group)