Another week, another hearing discussing privacy legislation on Capitol Hill. This time, it was the Senate Judiciary Committee that gathered recently to discuss the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) that will go into effect January 1, 2020, and other issues to consider in federal privacy legislation.
It’s evident that the 116th Congress is moving the discussion on privacy forward. But in light of the several bills already proposed on both sides of the aisle, the question remains whether the regulators will get it right this time.
Following major data scandals and breaches in the past year, lawmakers of both parties have shown that they are serious about taking up privacy legislation. A handful of senators — including Ron Wyden, D-Oregon, Brian Schatz, D-Hawaii, Marco Rubio, R-Florida, Amy Klobuchar, D-Minnesota, and John Kennedy, R-Louisiana — have all introduced bills in the past five months. All proposals represent their own model of privacy regulation, and while each of them takes a stand in fleshing out specific obligations and rights, only some of the provisions and ideas may end up in a final proposal.
So, the question is what issues and principles should we expect to factor in at the core of a comprehensive federal privacy regulatory model?
The issue of pre-emption, whether the federal government assumes authority over balkanized state policies, is the most contentious in the data privacy debate.
California has passed the CCPA, and other states are following suit. This, however, creates a privacy patchwork of state-based “solutions,” which will likely create more problems than it solves. Inconsistent state privacy laws already impose excessive compliance burdens for content creators and small businesses, making it difficult for these companies to compete with internet giants. Small businesses and entrepreneurs are in need of clear and nationally uniform privacy guidelines to help them grow.
Currently, several of the legislative proposals could impede innovation and restrict choices for consumers. To ensure the continuation of the United States’ success as a leader in technological innovation, it is the policymakers’ responsibility to make sure that strong privacy protections are not at odds with, and do not threaten, innovation and research, and do not impose burdens on the small players. As such, a workable legislative framework should include clear provisions that promote education and innovation and do not punish small and medium companies to the benefit of the largest players, as the GDPR does.
Clear rules should empower entrepreneurs and businesses to design for privacy upfront, rather than having to wait for a data breach or another data misuse scandal to force the rollback of a product or service.
An additional key ingredient for getting the privacy legislation recipe right is reasonable data security and corporate responsibility. Data breaches are subjecting billions of consumers to the threat of identity theft and loss of privacy. Yet, despite major security advancements, there is no sign of a slowdown in the number of data breaches or the number of consumers affected every year.
A recent study published by the American Consumer Institute, titled “How Safe Are Popular Apps,” shows that many popular apps are not as secure as they should be, highlighting the need to continually improve the products and cybersecurity practices to protect customers from breaches.
Drafting comprehensive privacy legislation is a complex endeavor, and these recommendations are by no means exhaustive or prescriptive, but they should serve as guideposts to steer legislators toward the right path. The stakes are too high to unintentionally lock ourselves in a context that would prevent us from innovating.
We have all of the right signals showing us that policymakers want to legislate, and this Congress has an opportunity for bipartisan agreement on protecting personal information privacy. Yet, time is probably a crucial aspect that will influence the content of a 100-plus-page piece of legislation.
Congress has less than 10 months, until CCPA and other state legislation kicks in, to figure out an optimal solution for protecting the online privacy of American consumers. The current patchwork of state privacy laws has not served Americans well, and it threatens to become more confusing and complex, making it harder for businesses to thrive and for consumers to enjoy the latest technology. It’s time for lawmakers to roll up their sleeves and get this right. There is no more time to be lost.