Aug. 22, 2022 – For years, the issue of regulating data privacy has been addressed largely by individual states, with little comprehensive action on the federal level. But that may be about to change in light of a more aggressive Federal Trade Commission (FTC), a new bipartisan proposal in Congress, and the U.S. Supreme Court’s decision overturning Roe v. Wade.
“Concern about security breaches, intentional misuse of personal data, and increasingly invasive collection of data has been growing for years,” according to Coalition for Healthcare Communication Executive Director Jon Bigelow. “New developments – such as the metaverse, use of contact tracing applications for COVID-19 exposure, and widespread use of facial recognition — raise the stakes,” he said.
In 2019 and early 2020, momentum was building for a bipartisan effort to establish federal data privacy and security regulation that goes beyond the heavy reliance on consumer opt-in and opt-out provisions in European and California laws, but this momentum came to a grinding halt as the COVID-19 pandemic seized national attention. Since then, a few additional states have enacted laws in this area, but this patchwork of different laws in different states makes compliance more difficult for industry.
“We would benefit by having data regulation at the federal level,” according to Bigelow, who pointed out that at least three factors recently have changed the prospects for federal regulation.
FTC prepares to crack down
The regulatory agency tasked with enforcing data privacy protections is now poised to act. Since taking office in 2021, FTC Chair Lina Khan has made clear her intention to take a more aggressive stance toward big tech companies on both antitrust issues and data privacy, but she was stymied by the lack of a majority on the board.
That stalemate was broken in May when Alvaro Bedoya – founding director of Georgetown Law School’s Center on Privacy and Technology – was confirmed by the Senate, bringing deeper understanding of data issues to the board and giving Khan a majority on most issues. The FTC is expected to focus on regulation of artificial intelligence, facial recognition, and health apps and wearables.
On Aug. 11, the FTC announced that it is exploring rules “to crack down on harmful commercial surveillance and lax data security.”
Congress taking action
Several members of Congress have continued to work on privacy proposals behind the scenes. For example, in June a discussion draft for new legislation was introduced jointly by Sen. Roger Wicker (R-Miss.), who is Ranking Member of the Senate Commerce Committee, along with Reps. Frank Pallone (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), respectively the Chair and Ranking Member of the House Energy and Commerce Committee.
This American Data Privacy and Protection Act (ADPPA) bill, which was voted out of committee (54-2) in July, would require covered entities to minimize the data they collect, establish objective boundaries around use of that data, set rules on how data are processed, allow consumers to turn off targeted advertising, and enhance protections for children and adolescents.
Crucially, ADPPA offers a compromise solution to the two issues that were stumbling blocks in the bipartisan push in 2019-2020. Bigelow explained. It would (as Republicans wanted) pre-empt most state privacy laws, although permit a handful of provisions from the California Consumer Privacy Act (CCPA) to stand. And it includes (as Democrats wanted) a limited “private right of action” beyond routine enforcement by the FTC or state Attorneys General – that is, consumers can sue if they believe their rights have been violated.
Impact of Supreme Court decision
The late June decision overturning Roe v. Wade has sharpened attention on the importance of data privacy. “Both advocates and foes of abortion rights have come to realize that a vast amount of personal data can be weaponized as states attempt to prosecute women and their healthcare providers for seeking or providing abortions,” Bigelow noted.
For example, wearable devices help women track menstrual cycles, text messages may show conversations about considering crossing state lines to seek abortion services, and GPS information on smartphones reveals locations travelled to. There are fears that, depending on how states craft their legislation, law enforcement officers can access this data.
Forces are coming together
The ADPPA bill is notable because it has the support of leaders from both parties, but the timeline is problematic.
“Realistically, I see no way a bill this important, far-reaching, and complex could go from proposal to law in the remaining time of this congressional session,” Bigelow said. “But the effort suggests that the two parties are within reach of a workable compromise on data privacy. That’s important, given the high probability that control of Congress will be split between Democrats and Republicans after the midterms. The groundwork established in 2022 could result in moving federal data privacy regulation forward in 2023.”
The abortion issue, he stated, “is the wild card,” because “on the one hand, it may make Congress more eager to move rather than allow a chaotic mix of different state laws. On the other hand, to the extent data privacy regulation becomes embroiled in one of our hottest culture-war issues, new political pressures may reduce the interest in bipartisan agreement. And whatever data privacy regulations are passed, there likely will be legal challenges in the context of anti-abortion laws.”