Point: Protecting privacy should be federal government’s job

The current checkerboard covers specific sectors or categories of data. These address much of the most sensitive data, such as heath and financial records, genetic information, and data from children. And broad enforcement by the Federal Trade Commission and state attorneys general aimed at breaches of privacy and data security have done much to strengthen business privacy practices.

But today, most of the data we generate through web searches, social media, e-commerce, and smartphone apps falls outside these sectors and categories. Widespread deployment of connected devices in everything from watches to cars, appliances, and traffic signals (among countless other things) blurs their boundaries. Privacy policies are necessary statements but insufficient to protect individual privacy.

States and even municipalities are stepping in to fill these gaps. Most notably, California adopted a broad law in June establishing detailed requirements for what companies that collect personal data about California residents must disclose, and giving consumers greater control over their data. A number of states are considering adopting California’s model, and states have adopted varying laws on privacy for data brokers, biometrics, drones, education technology, and other data collection that causes public concern.

That public concern has been magnified by high-profile data breaches, growing consciousness about how much of our data can be tracked, and increased awareness that the European Union has a comprehensive and detailed law on privacy and data protection. These same factors have driven interest in federal law, and Senate Commerce Committee Chairman John Thune opened hearings on legislation this fall by saying “the question is no longer whether we need a federal to protect consumers’ privacy. The question is what shape that law should take.”

The push for federal legislation also gets a strong drive from a desire for a federal baseline that can preempt state laws. This makes a great deal of sense. 

Only the federal government can fill enough of the gaps in the current matrix and harmonize regimes in a comprehensive way. State law is necessarily piecemeal.

Only the federal government can protect all Americans. Consider the example of state data breach notification laws, which have had significant impact on information security. California adopted the first such law in 2002; earlier this year, Alabama became the 50th state to adopt a breach notification law. People in Alabama should not have to wait 16 years for comprehensive privacy protection, nor should those in other states have to wait 5 or 10 years.

For businesses, a federal law that spells out their obligations and people’s privacy rights is an opportunity to establish privacy expectations that will be consistent across the country, avoiding a patchwork of state laws that vary, overlap, or conflict and increasing consumer protection and trust in new technologies without stifling innovation. This is why broad-based business organizations like the Business Roundtable and U.S. Chamber of Commerce, as well as technology trade associations and a growing number of individual companies, have endorsed the passage of federal legislation. Their proposals have included individual rights such as access to one’s data and the ability to correct it—ideas that would have been non-starters for businesses not long ago.

A federal law can be a win-win solution, a grand bargain of strong protection in return for federal preemption. That’s a win for business, a win for privacy advocates, and win for consumers.

Cameron F. Kerry is senior counsel at Sidley Austin and former general counsel and acting secretary at the U.S. Department of Commerce.