May 17, 2021 – Widespread public concern over the security and privacy of personal data is putting increased pressure on state and federal legislators to regulate data collection, tracking and targeting, and today this issue is “at an inflection point about what we are going to start seeing from the federal government,” according to Alison Pepper, EVP, Government Relations, at the 4A’s.
At a May 12 Coalition for Healthcare Communication Webinar, “Data Privacy: Federal Regulation or a State-by-State Maze of Rules?” Pepper framed the data privacy issue, predicted where she thinks legislation may be headed in the future, and underscored what roadblocks may be in its way. (Click here to view Pepper’s slides.)
CHC Executive Director and moderator Jon Bigelow noted at the beginning of the Webinar that when it comes to regulating data privacy, “the European Union has acted, some states have acted, but so far the federal government has not acted on data privacy and security, at least not yet.” This federal government inaction could lead to companies having to grapple with different requirements in different states, which is a daunting proposition.
Pepper stated that although concern over data privacy “has been building for years,” and the scandal around Cambridge Analytica sharing personal data of Facebook users for political purposes “did really focus the issue, what it didn’t do was lead to any sort of tangible action in Congress.” She noted that there have been 50 comprehensive data privacy bills introduced in the past few years, but none moved past the committee level.
There are two big issues that are blocking the progress of federal legislation, according to Pepper:
- Private right of action, which “is very much a party line issue,” with Democrats wanting a private right of action and Republicans opposing it. “That’s an ideological difference that really transcends the privacy issue,” she said.
- Federal preemption, “which also transcends the privacy debates,” according to Pepper, who said that typically Republicans favor states’ rights and Democrats like to see federal law overriding states’ rights.
“These two issues have been the holdup almost every time a privacy bill starts to move through Congress,” she said, and cause “immediate squabbling.”
There have been 20 bills introduced around various privacy issues since January, but more than half of them are focused on social network and platform regulation and reforming Section 230 of the 1996 Telecommunications Act/Communications Decency Act that allows website companies to moderate websites without legal liability. “These two issues are kind of sucking the oxygen out of the room on Capitol Hill right now,” she remarked, adding that Section 230 reform is “playing an outsized role in the debates we are having.”
Section 230 reform also breaks down along party lines, she stated, with Republicans asserting that platforms are suppressing conservative speech under Section 230 and Democrats asserting that Section 230 is not putting enough pressure on platforms to rein in misinformation and disinformation.
In the meanwhile, states are acting on privacy issues. The California Consumer Privacy Act (CCPA) has been in effect for over a year now. On March 2, Gov. Ralph Northam (D) signed the Virginia Consumer Data Protection Act, to take effect in 2023. On March 11, Gov. Spencer Cox (R) signed Utah’s Cybersecurity Affirmative Defense Act into law. Legislation is advancing in many other state legislatures as well (20 according to Pepper).
On April 29, Florida’s Senate passed a comprehensive law on data privacy by a vote of 29-11; the House had previously approved a different version by a nearly-unanimous 118-1, and Gov. Ron DeSantis (R) supported the concept. However, the two houses could not agree to reconcile the two versions before the April 30 end of the legislative session, and DeSantis wanted to push through a social media de-platforming bill and transgender sports legislation, “so he was willing to let go of the privacy bill,” Pepper explained. That said, she predicts that Florida will pick up this issue again, perhaps as early as September.
Because the potential for 50 different privacy laws is not good for either consumers or businesses, Privacy for America, a coalition of top trade organizations representing a broad cross-section of the American economy, has been relaunched to work with Congress to support enactment of federal consumer data privacy and security regulation, Pepper told CHC webinar attendees.
“We have been working with Republicans and Democrats and all committees with jurisdiction to help them understand … what we think privacy legislation should look like,” Pepper said. She said the goals is to craft legislation that covers the entire spectrum of marketing data uses outside of specific laws such as the Health Insurance Portability and Accountability Act. “There is a pretty warm reception on the Hill to some of the concepts in the Privacy for America draft legislation.”
Whether states or the federal government move the needle forward on data privacy issues, any potential legislation is going to be influenced by several factors, according to Pepper:
- What browsers and operating systems are doing
- What impact those changes have on everyone else in the marketplace from a competition perspective
- What is happening with consumer advocacy groups
- Any consumer harms that emerge
One of the biggest wildcards in the federal privacy legislative arena, however, is anti-trust law, Pepper told webinar attendees, because if government is trying to rein in the power of companies that are continuously consolidating and growing stronger, goals are at cross purposes. “What I would like you to keep the closest eye on in the next year or two is where the anti-trust stuff is going, because it’s likely the most influential thing going on here,” Pepper advised.
Looking to the future of federal data privacy regulation, Pepper also suggested that an appropriate solution that is currently “percolating” is a melding of the consent required by the EU’s General Data Protection Regulation and the opt-out provision of the CCPA, where there is consent needed for some things, and opt-out for other things, depending on the inherent risks or harms.
“I think there’s increasingly a chance that whatever federal privacy law we end up with is not going to be a binary thing,” Pepper said.