The request by a group of prominent Democratic senators that the Federal Trade Commission (FTC) launch a rulemaking process on data privacy signals Congress is not close to passing a federal law anytime soon, experts say.
In a Sept. 20 letter to FTC Chair Lina Khan, Richard Blumenthal (D-Conn.), Elizabeth Warren (D-Mass.), Amy Klobuchar (D-Minn.), and six other senators said, “FTC action on this front (national privacy legislation) will ensure that Americans have every tool at their disposal to protect their privacy in today’s online marketplace.”
The letter urged the FTC to “undertake a rulemaking process with the goal of protecting consumer data; the rulemaking should consider strong protections for the data of members of marginalized communities, prohibitions on certain practices (such as the exploitative targeting of children and teens), opt-in consent rules on use of personal data, and global opt-out standards.”
Experts say the request sends a message about the state of federal privacy legislation.
“Sending this letter is an acknowledgement that there is not the commitment for a comprehensive privacy law to make meaningful progress in Congress,” said Vivek Mohan, a partner in Mayer Brown’s Cybersecurity and Data Privacy practice. “I think they are trying to signal their continuing support for some action on the issue.”
“In the absence of federal regulation, we are stuck right now,” said Dominique Shelton Leipzig, partner at Perkins Coie and co-chair of the firm’s Ad Tech Privacy and Data Management practice. “Companies are eager to receive some guidance on data privacy, and if the FTC steps forward with some guidance, it would be welcomed, provided of course that the business perspective is included.”
Khan, relatively new to leading the FTC, is likely inclined to tackle rulemaking on data privacy, based on her strong opinions on how to rein in privacy abuses by Big Tech. Newly nominated FTC Commissioner Alvaro Bedoya, an expert on data privacy legislation, would likely buttress that support if he is confirmed to fill the seat soon to be vacated by Rohit Chopra, who will take over as director of the Consumer Financial Protection Bureau.
“Sending this letter is an acknowledgement that there is not the commitment for a comprehensive privacy law to make meaningful progress in Congress. I think they are trying to signal their continuing support for some action on the issue.”
Vivek Mohan, Partner, Mayer Brown
Any rules the FTC would develop on data privacy will likely take years, Mohan said.
“It’s not realistic to expect rules to be generated this year or even next year,” he said. “It is an extremely laborious process that can take up to six years.”
The rulemaking process could “put a marker in the ground” on several topics of interest in the data privacy space, like consent standards and digital advertising, Mohan said. These markers would provide guidance to businesses on how to craft their data privacy policies in the absence of federal legislation, he said.
“The FTC has a couple of opportunities to take the mantle here,” he said.
The issue of federal data privacy legislation is top of mind for compliance experts, with five agreeing in a Compliance Week Q&A earlier this year that a nationwide law is desperately needed. Business groups like the U.S. Chamber of Commerce and the National Small Business Association have also shown their support for federal legislation.
Although Democrats asked the FTC to take the lead on a data privacy law, protecting consumers from the harm that might stem from companies buying and selling their personal data has strong bipartisan support. There are six data privacy bills currently under consideration in both the Senate and the House, with another 18 bills awaiting action in either chamber, according to the International Association of Privacy Professionals’ (IAPP) federal privacy legislation tracker. To this point, the bills have languished, most of them never securing a hearing before a Senate or House committee.
States are picking up the slack, most prominently California, where the California Consumer Privacy Act (CCPA) was enacted in January 2020 and the California Privacy Rights Act (CPRA) will take effect in January 2023. Virginia and Colorado have passed their own data privacy laws, which are set to take effect in 2023.
But states are worried Congress might seek to preempt their privacy laws, if indeed it ever passes federal legislation. The IAPP tracker says there are five privacy bills before Congress—four of which have been filed by Republicans—that would include preemption, if enacted.
The Electronic Frontier Foundation, a nonprofit group that advocates for stronger data privacy laws, warned weak federal privacy legislation that preempts state laws could do more harm than good to consumers’ rights in the digital space.
“It would be helpful to have one nationwide set of protections” on data privacy, the EFF wrote in a 2019 blog post. “However, consumers lose—and big tech companies win—if those federal protections are weaker than state protections.”
In February 2020, then-California Attorney General Xavier Becerra wrote a letter to Congress suggesting any federal privacy legislation should “build on” state law, instead of wiping it out with preemption.