Federal privacy legislation that has stalled in Congress for months has a new impetus, as questions about the use of location and health data during the pandemic are bringing privacy considerations to the fore.
“The pandemic has further heightened the demand for Federal privacy legislation,” said Christine Wilson, a commissioner on the Federal Trade Commission (FTC), speaking during a June 3 Brookings Institution event. Wilson said Federal privacy legislation “could have provided useful guardrails” for the new, complex questions about the use of health and location data.
In December 2019, the top Democrat on the Senate Committee on Commerce, Science, and Transportation, Sen. Maria Cantwell, D-Wash., introduced the Consumer Online Privacy Rights Act (COPRA). Also in December, committee member Sen. Brian Schatz, D-Hawaii, introduced a bill, the Data Care Act of 2019.
The committee’s chairman, Sen. Roger Wicker, R-Miss., released a draft of privacy legislation, the United States Consumer Data Privacy Act (USCDPA), last year as well. And in March 2020, Sen. Jerry Moran, R-Kan., introduced the Consumer Data Privacy and Security Act. All four efforts have not yet yielded the desired Federal legislation, as states like California and Washington have worked to create their own privacy laws.
“The real sticking points [in Federal privacy legislation] are preemption and the private right of action,” said Cameron Kerry, former acting secretary of the Department of Commerce and a visiting fellow at Brookings, during the June 3 event. Kerry is a co-author of the recent Brookings report, “Bridging the Gaps: A Path Forward to Federal Privacy Legislation,” which seeks solutions to those sticking points.
Kerry said he talked to people on Capitol Hill about Federal privacy legislation on March 11 and “came away surprisingly optimistic that we could move forward.”
The issue of preemption of state laws by a Federal law is one of the two issues where “Wicker and Cantwell are the furthest apart,” the report states. “Our report seeks to unfreeze the privacy debate by exploring and offering a middle ground.”
“The standard that we propose is to preempt laws that address collection, processing, sharing, or security of covered data ‘to the extent inconsistent with’ a Federal law,” said Kerry, regarding Federal preemption. He further recommended that the law be revisited after eight years.
The report generally recommends that the private right of action be limited to those with “actual damages.” Kerry, who acknowledged he is part of a Microsoft advisory board, said this recommendation is to address the concern about the increased litigation, or “gotcha lawsuits.”
“Privacy is a journey,” said Julie Brill, chief privacy officer at Microsoft and a former FTC commissioner. “What we need to do is get good provisions in place, and then come back, see how they’ve worked, and then improve them.”