These days, there seems to be a lot of energy around a federal comprehensive privacy law in the United States. When the US Congress started passing privacy laws in the 1970s, 80s, and 90s, it eschewed the route of passing a comprehensive privacy law, opting instead for the sectoral approach — passing a series of narrow industry-specific laws. Then, in the late 1990s and early 2000s, there was a brief debate in the US about passing a comprehensive privacy law, when a few companies suggested it. But most companies shot down the idea. They liked the sectoral approach. They were okay with being regulated by a patchwork of various federal and state privacy laws.
At the time, when discussing the issue at conferences and events, I said that this view was short-sighted. The rest of the world was starting to move toward a comprehensive privacy law. The patchwork of laws left many gaps and holes in privacy protection and had countless inconsistencies. Congress did nothing.
Congressional Paralysis and the Rise of the States
Since 2000, Congress has largely been unable to pass many privacy laws. It has mostly passed amendments to existing laws, but it hasn’t passed many major pieces of sectoral privacy regulation, let alone a broader privacy law. Partisanship, as well as a lack of compromise and maturity, have rendered Congress unable to craft laws with the nuance and balance needed to address privacy and data security issues. During this time, the states have passed a blizzard of laws. Every state has passed a data breach notification law. States have passed countless privacy laws too — especially California.
A New Urge for Congress to Act
The EU’s General Data Protection Regulation (GDPR), which started being enforced in May 2018, and the passage of California’s Consumer Privacy Act (CCPA) have reignited the debate over a comprehensive federal privacy law. “It’s time,” many people are saying. Now, industry is crying out for a comprehensive federal law. In November 2018, in response to a call for comments on a federal privacy law by the NTIA, numerous companies responded by stating that they were now in favor of a federal privacy law.
But with this Congress, I think that a comprehensive privacy law is unlikely.
Privacy involves so many complicated issues, such as the definition of personal information, the scope of the law, the right to deletion, the right to data portability, vendor management, Privacy by Design, preemption, remedies, a private right of action, and so many more. Resolving just one of these issues is difficult for a Congress that has become nearly incapable of compromise.
Preemption alone will be a very complicated issue. It’s hard to figure out exactly how to preempt and how much to preempt. And, Congress is already divided about whether to preempt. Representatives of large influential states like California won’t want to cede their power to regulate such a sprawling and important issue.
Thus, I am not optimistic that Congress can enact a comprehensive privacy law.
A Way Forward: FTC Rulemaking
There is one way that Congress might be able to pull it off. How?
Congress could grant the FTC special rulemaking authority to come up with a comprehensive privacy regulation. Right now, the FTC has rulemaking authority under specific sectoral privacy statutes such as COPPA and GLBA, among others. Under its broadest jurisdiction, the FTC Act Section 5, the FTC has limited and cumbersome rulemaking powers — effectively limiting its ability to craft a regulation. A special grant of power by Congress could allow the FTC to create a regulation.
Although far from perfect, the FTC has done a good job over the years enforcing against privacy and data security violations. In my article with Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014), we discuss the cases the FTC has brought and how the FTC has enforced consistently and based on widely-accepted norms and practices.
The FTC should be given a broader scope of power than its Section 5 jurisdictional scope. Section 5 is broad, but it has some big gaps. For example, Section 5 doesn’t apply to non-profits, and many non-profit organizations can violate privacy. If the regulation didn’t cover non-profits, future Cambridge Analyticas could be formed as non-profits to escape from the regulation.
Looking to the HIPAA Experience
It would be wise to look at the HIPAA experience for guidance. Figuring out health privacy was far too intricate for Congress to tackle itself, so Congress tasked the Department of Health and Human Services (HHS) with creating regulations. HHS created the HIPAA regulation (which is actually a series of rules). In my view, HIPAA is one of the best US privacy laws, if not the best. HIPAA is far from perfect, but it’s about as close as the US comes to GDPR-style protections. I think that HIPAA is a good blueprint. I wouldn’t copy HIPAA wholesale, but I think HIPAA has many important elements that should be in a privacy law: use restrictions, consent requirements, de-identification provisions, vendor management requirements, enforcement power that follows the data, powerful sanctions, significant governance provisions, among other things.
Preemption Isn’t Necessary if the Law Is Good
A common argument for federal preemption of state laws is that without preemption, the states will continue to pass privacy laws in a frenzy, and complying with a jumble of inconsistent laws will be impossible. Despite these fears, HIPAA didn’t preempt state laws, and we haven’t seen a tsunami of state health privacy laws that are stricter than HIPAA.
The CCPA exists because US policymakers have had inadequate solutions to privacy problems. They have dismissed people’s concerns as irrational or as not really valid because of the so-called “privacy paradox,” where people say they want privacy but then surrender their data. But in California, the public made it clear that they care about privacy. The referendum that sparked the CCPA received 629,000 signatures and was poised to pass by a substantial margin. Policymakers and naysayers have downplayed the problem for too long. People care, and they want meaningful protections.
The answer is simple. If policymakers were to satisfy the demand, then the urgent push for new privacy laws in the states would start to dry up. When Congress is asleep at the wheel, and people are quite concerned about a problem, there will naturally be a lot of state legislative activity. Instead of dismissing people’s concerns, alleviating them would go much further toward stopping the wave of state laws. Preemption wouldn’t be necessary.
Paul Schwartz’s great article, Preemption and Privacy, 118 Yale L.J. 902 (2008) sets forth many compelling arguments why federal preemption of the states would be a mistake. Peter Swire has an excellent two-part essay series at IAPP’s blog on preemption (Part I / Part II). The gist of Swire’s argument in Part II is that a badly-drafted preemption provision could have disastrous unintended consequences, interfering with numerous state laws (wiretap laws, medical confidentiality laws, education privacy laws, etc.). Preemption could interfere with potentially thousands of laws and create an enormous mess of litigation about the scope of preemption.
Consider, for example, this ridiculous preemption provision in the Chamber of Commerce’s proposed federal privacy law:
The provisions of this Act shall supersede any provisions of the statutes, laws, regulations, rules, ordinances, requirements, or the equivalent, of any State, or any locality or political subdivision of a State, including, but not limited to, any tort, duty, or consumer protection or unfair practice law, to the extent that such provisions relate to, or serve as the basis for enforcement action as it relates to, the privacy or security of personal information.
This provision is so broad, vague, and simpleminded. It is a laughably silly response to a very complex issue.
I fear that many in industry and in Congress will desperately cling to the view that preemption is a must, that without it the state legislation won’t stop. But preemption is such a tricky issue, and it likely will bog down the effort to pass a comprehensive law. It is far easier to do what HIPAA did and use a floor rather than a ceiling. This sidesteps a bog of quicksand that will kill most attempts at a comprehensive law.
So my recipe is simple: Learn from the HIPAA experience. Punt the details to the FTC to figure out in a rulemaking. Sidestep the issue of preemption by using a floor rather than a ceiling. Give some enforcement power to state attorneys general. And, use HIPAA as a starting point. There’s a lot there that works. This is the best, most practical path I see.
Looking at privacy laws in the past can teach a useful lesson: If the law is strong with meaningful protections and has state AG enforcement, there isn’t much of a need to preempt. The states will back off.
Although the path I sketch above is pragmatic and workable, I would still put the odds of a comprehensive federal privacy law as fairly low.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers. This post was originally posted on LinkedIn.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 14-16, 2019 in Washington, DC), an annual event designed for seasoned professionals.