Momentum is building for federal data privacy legislation, in large part due to the passage of the California Consumer Privacy Act (CCPA) (which goes into effect in 2020) and other states enacting or considering their own consumer privacy laws. These developments have businesses concerned that they will face a patchwork of inconsistent and onerous state privacy laws, which is currently the case with breach notification. Many leading tech companies, trade groups, and the U.S. Chamber of Commerce have voiced support for a national privacy law. On top of these domestic considerations, the EU’s General Data Protection Regulation (“GDPR”), a sweeping privacy law that affects many U.S. companies conducting business in the EU, is also now in effect. Several legislative proposals have been put forward in Congress, and we are starting to see the broad outlines of a potential law. But for many of the details, there is still nothing close to a consensus. Here are some of the issues that will likely be the subject of the most intense debate in the next congressional term:
- Scope: Will federal legislation apply to all businesses, or be limited to firms operating primarily in the internet ecosystem? Will it exempt entities already subject to sector-specific privacy laws, as the CCPA does for information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act? Will it only apply to firms of a certain size, and if so, what will be the threshold? The CCPA applies to for-profit entities that meet one of the following criteria: (1) earns $25 million or more in annual revenue; (2) holds the personal data of at least 50,000 Californian consumers, households, or devices; or (3) derives at least half of its revenue from selling Californians’ personal data. We think that any final federal privacy law will have at least some of these scope limitations.
- Transparency: There is broad consensus that the law will require companies to provide greater transparency to customers on personal data practices. Although companies and consumer groups may disagree at the margins, we expect that a federal privacy law will mandate clear, intuitive disclosures over the categories of personal information collected and how that data is collected, stored, used, and shared with third parties.
- Consent/Opt-In/Opt-Out: One of the most hotly contested issues is whether and how companies will need to obtain consent from customers for certain uses of their data, and whether customers will be required to opt in to, or be allowed to opt out of, certain company practices. Take, for example, the sale of personal information to third parties. Companies will likely have to disclose this practice to consumers. But what if customers don’t want their data sold? Will companies be prohibited from selling those customers’ information for advertising purposes unless those individuals opt in via express consent, or will companies be able to sell their data unless those customers affirmatively opt out? And if customers do opt out, will companies be allowed to deny them any goods or services as a result?
The CCPA provides one model: it offers a limited opt-out right to consumers for the sale of any personal information to third parties, and although it prohibits covered businesses from denying services to consumers who opt out, it does permit those businesses to offer consumers financial incentives not to opt out. A bipartisan federal proposal introduced by Senators Klobuchar (D-Minn.) and Kennedy (R-La.) last spring would grant consumers an opt-out from collection, use, and sharing of personal data, and permit the business to restrict or deny service only if the consumer’s opt-out renders the service inoperable.
One approach for federal legislation could be to authorize some data uses without any opt-in or opt-out right (e.g., where a business’s “legitimate interest” in that use is not outweighed by the customer’s interests in protecting the data from misuse), but provide that, for certain uses of particularly sensitive categories of data, customers may opt out and businesses would not be allowed to completely deny those customers service on that basis.
- Right to Know/Right to Be Forgotten: There is general agreement that federal privacy legislation will include a right of consumers to know what data companies have related to them. The right to require companies to correct or delete data is more controversial, in part because of the many circumstances in which companies have a legitimate need or legal obligation to maintain customer data, and in part because of First Amendment considerations. In the end, we think that some limited right to have personal information corrected/deleted will be included in any final legislation.
- Harm Threshold: For breach notification laws, some states require notification to people whose personal data has been subject to a breach only if there is a risk of harm to those individuals, while other states require notification regardless of the risk of harm. For privacy obligations, businesses generally favor obligations based on actual harm or at least the risk of actual harm to consumers. Consumer advocates, however, argue that limiting privacy rights and remedies to conduct involving actual harm would mean that only a provable financial loss or physical injury entitles affected consumers to relief, while damages that are harder to prove, like embarrassment, anxiety, and loss of dignity, which are often the real harms caused by data breaches, would go uncompensated. These groups support a “rights-based” approach to privacy, where harm is assumed (or at least presumed) with a broad definition of personal information. This issue will be vigorously contested, and the federal legislation may incorporate some elements of both approaches. For example, the law may provide for enforcement with civil penalties absent proof of actual harm to consumers, but only in situations in which harm may be presumed, such as where the violation involves an unknown third party gaining unauthorized access to sensitive personal information (e.g., medical history, online banking passwords, complete credit card data, etc.).
- Preemption of State Law: Perhaps the most contentious issue will be whether (and to what extent) the federal privacy law preempts state law privacy and data security legislation. The business community is likely to insist on preemption of state laws. It argues that the patchwork of targeted federal laws and inconsistent state privacy laws already imposes excessive compliance burdens, which will only increase as states enact their own versions of the CCPA. Consumer groups have opposed preemption, arguing that the federal government alone cannot provide adequate protection to consumers’ privacy rights, and that states should be empowered to innovate and provide greater privacy protections to their residents. Congressional Democrats have indicated that they are not willing to “replace a progressive California law” through preemption with a “nonprogressive federal law.” Given the high priority placed on this issue from the business community, it is likely that any final law will include at least some degree of state law preemption. A federal law that replaces a patchwork of inconsistent state laws with strong privacy protections for consumers could satisfy most stakeholders.
- Data Security and Breach Notification: Closely related to the preemption issue is data security and breach notification. Currently, each state has its own separate data breach notification regime, and more than a dozen states also have substantive data security requirements. Businesses are eager to reduce their compliance burdens by harmonizing their data security and breach notification obligations across the United States, and are therefore advocating for including these requirements in federal privacy legislation, so long as they would be flexible and would have preemptive effect over state laws. It is hard to predict how this will play out. One possibility is that preemption of state breach notification laws would not garner enough support either way: not if it waters down existing obligations under some state laws, and not if it is more onerous than existing state laws. In that case, preemption would be limited to privacy (and perhaps data security) obligations and would not extend to breach notification.
- Government Enforcement: As a potential compromise for state law preemption, federal privacy legislation may grant authority to state attorneys general to enforce violations of the federal law, in addition to, and in coordination with, a federal agency (likely the FTC). Given that the business community seems relatively open to this possibility of dual state and federal enforcement, we expect that state AGs will have at least some enforcement rights under a comprehensive federal law.
- Private Right of Action: Under the CCPA, individuals can bring a private right of action where a certain subset of sensitive information has been improperly accessed. Industry is generally opposed to such provisions. In contrast, consumer groups have asserted that such a right is critical (along with prohibitions on compulsory arbitration). Recent federal proposals (including from Democrats) have not provided for this right, so we believe that it is unlikely to be included in any final legislation, especially if there is enforcement by state attorneys general and fining authority for violations by the FTC.
- Certifications: Another controversial issue is whether company executives will be required to certify compliance with applicable privacy requirements, as is the case for the New York Department of Financial Services cyber rules, and if so, what the consequences of an inaccurate certification will be. Senator Wyden’s proposed legislation includes a provision for criminal penalties for executives who provide knowingly false certifications. Our view is that executive certifications, especially ones that could result in criminal penalties, are unlikely to be part of any final legislation.
We will be monitoring developments in federal privacy laws closely here at the Davis Polk Cyber Blog and will post regularly on any significant developments.
This piece has also been published on the Compliance & Enforcement blog, run by the Program on Corporate Compliance and Enforcement (PCCE) at NYU School of Law.