A Senate committee hearing last December sparked hope that a bipartisan consensus on federal privacy legislation may emerge from an otherwise dysfunctional Congress. The hearing principally addressed proposals from Sens. Roger Wicker (R-MS) and Maria Cantwell (D-WA), who serve as the Chairman and Ranking Member, respectively, of the Senate Committee on Commerce, Science, and Transportation. A third option—the American Law Institute’s Principles of Law, Data Privacy—seeks to align U.S. law more closely with the European model, an approach that may boost momentum for a federal privacy solution.
Momentum has not stalled, mind you. The ongoing pandemic has kept privacy front-and-center. From potential surveillance operations to remote workforce protocols, privacy-related concerns are among the top issues in the Covid-19 environment.
Indeed, Senate Republicans intend to introduce a new measure to require consumer consent before companies collect individuals’ health or location data. And incentive to establish federal privacy norms remains high as state legislators continue to propose copycat measures in the wake of the California Consumer Protection Act (CCPA).
While the main contenders in the federal arena—Wicker’s Consumer Data Privacy Act and Cantwell’s Consumer Online Privacy Rights Act—are similar in many respects, they contain significant differences, notably regarding preemption and the private right of action.
Whether industry and consumer advocates can get on board with either measure is an open question, but the ALI’s Principles of Law, Data Privacy offer a different approach.
Law professors Daniel Solove and Paul Schwartz, serving as the Reporters for the ALI Principles, note that U.S. law “remains an outlier among regulatory approaches around the world.” Nevertheless, Solove and Schwartz contend that “it is possible to craft a comprehensive approach to data privacy for the U.S. that bridges its divide with the EU.”
Re-imagining Notice and Choice
While recognizing the General Data Protection Regulation (GDPR) as “the strongest and most comprehensive privacy law in the world,” Solove and Schwartz admit that any attempt to enact the GDPR in the U.S. would be “impractical.” For one thing, it would be “too drastic a paradigm shift” for the U.S. to abandon the familiar, albeit highly criticized, notice-and-choice approach.
“The problems with the notice-and-choice approach are legion,” they say. The approach amounts to “privacy self-management,” where the “onus is placed on individuals to manage their own privacy by reading notices and making choices.”
Since no one actually reads privacy notices (except for regulators and those seeking to ensure that organizations are complying with their obligations), the Principles propose a detailed “transparency statement” that provides sufficient information for organizations to be accountable to regulators and other watchdogs, and a separate “individual notice” to inform consumers about how their personal data is being collected, used, and shared.
The individual notice would be broken into two levels—“ordinary” and “heightened”—the latter of which would be appropriate for situations where the collection of personal data would be “potentially harmful to people” or “significantly outside the norm.”
This innovative tripartite notice structure in the Principles strives “to address the problem of people not reading notices and of people having to wade through dense prose to figure out what is relevant to know.”
Let’s leave the dense prose in the “transparency statement” for the regulators. Brilliant!
Provoking Preemption Pushback?
The Principles also propose the somewhat surprising inclusion of data breach notification requirements. Surprising, because breach notification laws are already on the books in 50 states, and the contentious issue of federal preemption—with California currently in its crosshairs—would ostensibly expand to all states.
While the rationale for including breach notification provisions is admirable—it creates consistency with regard to triggers and timelines—what’s the rationale for inciting blowback from all 50 states?
There may be a method in this madness.
The Principles themselves do not address preemption. And for good reason. One of the main goals of the project is “to achieve greater consistency between U.S. privacy law and privacy law around the world”; indeed, to “bridge the divide with the EU.” With the EU’s GDPR as the standard bearer, the Principles are following the EU’s lead. Preemption of state law is therefore not an issue.
Given that the CCPA (and many CCPA-like proposals) get their inspiration also from the GDPR, the Principles should appeal to privacy-minded state legislators. And since the Principles are “preemption-free,” they may foster a climate more conducive for a productive discussion. A Brussels barometer, as it were.
That’s my hope, anyway.
Bloomberg Law Analyst Mark Smith will be moderating a panel at the Privacy + Security Forum Spring Academy May 6–8, 2020, organized by Professors Solove and Schwartz.