A National Approach to Data Privacy? Competing Proposals for a Federal Privacy Bill

January 22, 2019

On January 16, 2019, Senator Rubio introduced a bill, entitled the American Data Dissemination Act (ADDA), that proposes a national standard to regulate the way private companies handle consumer data. The bill uses the Privacy Act of 1974, which applies solely to data handling by governmental agencies, as a framework for a broader national standard. However, the bill would preempt stronger state privacy regulations, such as California’s recently-enacted privacy statute, causing concern that, if enacted, the bill would entrench lenient privacy standards nationally. While a national privacy statute is a laudable goal, legislators should be careful not to set the bar for national data privacy too low. Because the ADDA is the first national data privacy bill to be introduced in 2019, but exists alongside several competing proposals, it merits discussion. In evaluating multiple federal privacy bill proposals, Congress should ensure optimal protections for consumers in order to align the United States with international standards after the passage of Europe’s GDPR.

You have a bipartisan sense that some type of privacy legislation needs to happen, and at the same time, you have industry pushing for it. We’re certainly in a moment that’s been different from moments in the past.

Neema Singh Guliani, Senior Legislative Counsel, ACLU

The Privacy Act of 1974, on which the ADDA bill is based, limits the way federal agencies can gather and use personal data, creating a baseline for individual privacy in the government records context. The 1974 Act mandates that a federal agency: show an individual what records the agency has on the individual; follow the Fair Information Practices (FIPs) when processing individual data; and limit sharing of individual data among agencies. The 1974 Act also creates a right for individuals to bring suit for violations.

While adapting the 1974 Act to cover private companies would be a good first step in forming a national data privacy system, the ADDA bill’s relatively weak data protections and preemption clause could be interpreted as a means to prevent stronger privacy protections, such as California’s privacy statute, from taking effect. The California Consumer Privacy Act, set to take effect in January 2020, is the most comprehensive consumer data privacy protection law in the United States. The California Act allows: consumers to discover what personal information a business has on them; consumers to request deletion of personal information collected from them; consumers to opt-out of having their personal information sold; and, with some exceptions, the ability to continue receiving equal service from the business after consumers exercise these rights. Unsurprisingly, the California Act has faced strong opposition from industry groups that seek to weaken its protections for consumers.

Although the Federal Trade Commission (FTC) has faced recent criticism for being too lenient in enforcing patchwork federal privacy laws, most notably in the recurring Facebook scandals, the FTC plays a prominent role in the ADDA bill.  The ADDA bill instructs the FTC to provide Congress with a set of privacy standards adapted from the Privacy Act of 1974. Congress would then have up to two years to pass the final national privacy standard, which would be based on the FTC’s recommendations. Only if Congress failed to pass a final version within two years would the FTC gain independent rulemaking authority over national privacy standards.

By way of contrast, a coalition of consumer advocacy groups recently published a proposal to, among other reforms, form a federal data protection agency. Rather than rely on the FTC to enforce data privacy among its plethora of tasks, the proposed data protection agency would focus solely on data regulation and protection. Other proposals, such as a November 2018 bill introduced by Senator Wyden, would keep the FTC at the center of a more robust system of privacy regulation that would include increased fines and potential prison sentences for violators. Meanwhile, multiple congressional committees, including a subcommittee of the Senate Commerce, Science and Transportation Committee, are working on federal privacy bill proposals. Given the range of proposals and increased activity in the area, it will be interesting to see where efforts to enact a federal privacy bill lead in 2019.

Aaron Dalton, 21 January 2019