On December 9, 2021, Alan Friel, Co-Chair of the SPB Global Data Privacy, Cybersecurity & Digital Assets Practice, led a fireside chat between U.S. Congresswoman Suzan DelBene and Alastair Mactaggart, as part of the session on Privacy, Security, Data Protection and Trust at the International Institute of Communications’ (“IIC”) Washington DC Telecommunications & Media Forum (“TMF”). A recording of the discussion is available here.
Congresswoman DelBene serves as the Vice Chair of the powerful House Ways and Means Committee, is the co-chair of the Women’s High-Tech Coalition, and has introduced federal consumer privacy legislation, the Information Transparency & Personal Data Control Act (“H.R. 1816”). Mr. Mactaggart is the force behind California’s privacy laws and is the Board Chair and Founder of Californians for Consumer Privacy, the organization that sponsored Proposition 24 (the California Privacy Rights Act or the “CPRA”) and the California Consumer Privacy Act of 2018 (“CCPA”).
The panelists discussed recently enacted U.S. state privacy laws and Congresswoman DelBene’s privacy bill, H.R. 1816, which was referred to the Subcommittee on Consumer Protection and Commerce in March 2021. While the two policymakers agreed on the importance of consumer privacy legislation, their points of view on what that should mean for consumers and businesses diverged, and a spirited debate ensued. Highlights are as follows:
A National Privacy Standard?
The panelists agreed it would be valuable to have a national privacy standard for safeguarding consumers’ personal data. Congresswoman DelBene explained that a national privacy standard would:
- curtail consumer confusion by making it so that consumers’ privacy rights do not change as much as they currently do when consumers travel from state to state;
- alleviate the burden on businesses, especially small businesses, who may have to use considerable resources to comply with the requirements of each state privacy law; and
Mr. Mactaggart agreed, explaining that a national privacy standard would grant privacy protections to people around the country. However, he noted that H.R. 1816 in its current form would preempt state privacy laws by prohibiting states from adopting, enforcing (or continuing to enforce) laws and regulations related to data privacy, with exceptions. Mr. Mactaggart recommended that a national privacy standard “should be a floor, not a ceiling,” and should not preempt stricter, non-conflicting state laws so states have an opportunity to strengthen privacy protections to meet the needs of their constituents. He pointed to the Health Insurance Portability and Accountability Act (“HIPAA”) and Sarbanes-Oxley Act of 2002 as examples of federal laws that have created legal baselines by establishing minimum consumer protection requirements while also allowing states to strengthen protections for their constituents.
Transparency and Enabling Choice Regarding Use
H.R. 1816, as currently drafted, does not include an express right of access (other than with respect to sensitive information), transportable copies, or rights of correction or deletion. The Congressperson explained that her intent was to propose a bill focused on fundamental policy and consumer rights that sets a solid foundation on which federal legislators can continue building. Mr. Mactaggart expressed that although he understands the Congressperson’s goal, the effect of H.R. 1816 (which, in its current form, preempts state laws) would be to deprive consumers in states with existing privacy laws (e.g., California) of rights they currently enjoy. For example, according to Mr. Mactaggart, passing H.R. 1816 as currently drafted would deprive Californians of their rights to see, delete, or correct their information, among other things. He recommended that a national privacy standard not remove existing privacy protections granted to consumers under state laws.
Scope of Rulemaking
The panelists agreed that an independent agency should be granted rulemaking authority. H.R. 1816, if passed, would grant rulemaking authority to the Federal Trade Commission (FTC) for privacy issues. In California, the California Privacy Protection Agency (CPPA) has rulemaking authority for privacy.
Enforcement Authorities and Penalties for Non-Compliance
The panelists agreed that the FTC is the most qualified federal agency to lead privacy enforcement. H.R. 1816, if passed, would be enforceable by both the FTC, a federal agency that has experience and expertise to lead meaningful privacy enforcement, and state attorneys general (but only if the FTC has not acted). In California, the CPPA has administrative enforcement authority to enforce the CCPA/CPRA.
Private Right of Action
The panelists agreed that granting a private right of action creates challenges for covered businesses. The Congressperson explained that H.R. 1816 does not have a private right of action because the threat of litigation can be very costly, especially for small businesses. Mr. Mactaggart agreed and clarified that although there is a private right of action under the CCPA, the right is limited to a specific subset of personal information, and only for instances where a business is negligent in its data security practices.
Public Policy Balance Between Transparency and Choice in Digital Advertising
The panelists agreed that advertising is an important tool in commerce, but that it should be balanced with consumer protection considerations.
- Mr. Mactaggart advised that privacy laws should contemplate including a distinction between contextual advertising and behavioral advertising, which he believes to be a more invasive form of advertising.
- The Congressperson added that consumers should have the ability to opt in and opt out of information sharing depending on the context of their relationship and interaction with a business, and consumers should be provided with tools to help them understand their privacy rights, such as privacy notices that are easy to understand.
Sensitive Personal Information
The panelists agreed that certain types of information are more sensitive, and therefore, should be subjected to a heightened protection standard.
- The Congressperson explained that companies should be required to obtain affirmative express consent before they can collect and share sensitive personal information (e.g., financial information, health or genetic information, information about children, citizenship or immigration status, gender, religious beliefs, etc.).
- Mr. Mactaggart added that in California, the new category of “sensitive information” was added to balance giving consumers meaningful privacy rights with the need to enable businesses to utilize data to provide services to consumers.
Where to go from here?
Interestingly, the Congressperson expressed an openness to learn more and noted that her bill was merely a first draft to get the legislative process moving and welcomed input from stakeholders. Mr. Mactaggart offered to sit down with her staff. Where this will go next is unclear, but it appears that the discussion will continue. A recording of the discussion is available here. The IIC/TMF also covered international privacy issues. A blog post on that is available here.