In January, policymakers in Washington and state capitals were focused on comprehensive privacy legislation as news reports of the novel coronavirus were only beginning to come out of China. Nearly half of the states with legislative sessions in 2020 were poised to take up multi-sector privacy bills. On Capitol Hill, Congress had already rolled up its sleeves the year before to begin work on passing a national privacy law and resolve issues like enforcement and preemption.
As the world began to go on COVID-19 lockdowns in March, the focus began to change as health-related privacy came to the forefront. That doesn’t mean that work on general data protection policy stopped. States like California adopted the California Privacy Rights Act (CPRA), members of Congress introduced new privacy proposals, and the Federal Trade Commission (FTC) continued enforcement actions using its consumer protection powers.
In 2020, over 20 states proposed legislation to regulate privacy generally. The state legislature that came closest to passing a bill was Washington State's, which considered the Washington Privacy Act (WPA), a bill that would have provided consumers with access, correction, and deletion rights, as well as the ability to opt out of data processing. At the last minute, lawmakers in Olympia attempted to insert a private right of action, which was opposed by the business community and led to the bill’s ultimate failure to pass.
California’s Attorney General Xavier Becerra released the final regulations of the California Consumer Privacy Act (CCPA) in August. The rules established requirements regarding notice, opting out of data sales, recordkeeping, how consumers submit requests, and how companies can offer loyalty programs when customers exercise their privacy rights. Questions remain about whether provisions such as global opt-out rules will limit consumer choice. According to an estimate commissioned by the Office of Attorney General, complying with the CCPA regulations could cost California companies up to $55 billion.
Also in August, the California legislature failed to pass the TACT-PACT Act, which sought to regulate privacy pertaining to contact tracing for COVID-19. The bill could have been harmful to businesses seeking to reopen because it did not provide an exception for workplaces and would have exposed them to expensive class action lawsuits.
Voters had the final say on privacy in California in November when they adopted the CPRA with nearly 56 percent of the vote to amend the CCPA. Becoming operative in 2023, the CPRA establishes a duty of security upon business and gives consumers the right to correct inaccurate information, direct businesses to stop processing sensitive personal information, and opt out of sharing personal information with third parties for certain behavioral advertising.
At the same time, CPRA also permanently exempts employee data, biomedical research, and some information helpful to public safety from enforcement.
One of the most novel and impactful features of the CPRA is its creation of the California Privacy Protection Agency as the chief enforcer of data protection in the Golden State. Concerns have been expressed that the agency’s board, tasked with both issuing regulations and enforcing CPRA, does not have to be confirmed by a third party.
Congressional Privacy Activity
Congress also continued its work to pass a national privacy law while focusing on COVID-19 specific data issues. On the broader front, Senator Jerry Moran (R-KS) introduced the Consumer Data Privacy and Security Act of 2020, which would require companies to obtain consent before processing sensitive data and detailed how service providers interact with consumer-facing companies.
Senate Commerce Committee Chairman Roger Wicker (R-MS) introduced his own proposal, the SAFE DATA Act, which would task the FTC with overseeing enforcement of consumer access, correction, deletion, and portability rights. The bill also went beyond privacy protection by proposing regulations dealing with search engine results. Senate Banking Committee Ranking Member Sherrod Brown (D-OH) put forward his own competing proposal that could significantly impair the use of facial recognition technology and establish a new federal data protection agency.
Congress also considered three privacy bills specifically related to COVID-19 that ranged from regulating health data broadly to digital contact tracing specifically. Similar to California’s proposed TACT-PACT Act, the business community expressed concern that workplaces would not be able to thoroughly conduct coronavirus contact tracing without a sufficient employer exemption. Although none of the COVID-19 privacy bills were enacted into law, they were representative of the broader privacy debate dealing with unresolved issues like the role of private rights of action and preemption.
Federal Trade Commission Enforcement and Investigations
2020 also witnessed the FTC’s continued vigorous consumer protection enforcement. The majority of cases undertaken and settled by the Commission involved companies accused of misrepresenting their certification or compliance with the now defunct E.U.-U.S. Privacy Shield or with the Children’s Online Privacy Protection Act. The Commission also settled several cases with companies accused of violating the Fair Credit Reporting Act for failing to provide adequate information to victims of identity theft or not providing accurate reports.
The FTC also sued MyLife, claiming the website fraudulently attempted to induce subscriptions by enticing consumers with inaccurate court and arrest records and failed to provide accurate information as a credit reporting agency. Finally, the FTC brought and settled several cases in which companies were accused of not having adequate security. Most notable is Zoom, which the FTC’s consent order required to have a comprehensive security program.
Just this week, the FTC sent a request under Section 6(b) of the FTC Act to nine tech companies, requiring them to provide detailed information about their data collection practices. Commissioner Noah Phillips issued the only dissent to the order, claiming:
Aside from the public burden, precious agency resources must be devoted to the mass of the information the 6(b) orders seek. Best suited to evaluate privacy practices of the recipient companies are, of course, [Division of Privacy and Identity Protection staff], and others who work with them on privacy enforcement and rulemaking…But these individuals are charged with enforcing the bulk of federal privacy law, and they are hardly legion. While the FTC privacy staff are the most impactful privacy enforcers in the world, their numbers pale next to those in countries like France, Ireland, and the United Kingdom. This is why this Commission, unanimously and repeatedly, has urged Congress to increase their ranks.
Commissioner Phillips is correct to point out the resource drain this information order places on the Commission. While the FTC has the most established expertise in privacy enforcement in the nation, it should be focused on enforcement against truly bad actors as opposed to a burdensome fishing expedition. Congress should instead empower the Commission with a national privacy law and the staff to enforce it.
States and the federal government in 2020 delivered a mixed bag in terms of advancing data protection. Legislatures in the states have roundly rejected private rights of action while voters have called for enhanced substantive privacy rights. Members of Congress continue to debate whether state privacy laws should be preempted or who should be able to enforce such a law.
Companies and consumers are still left in a state of confusion as to who protects their privacy, and how, given the uneven emerging state patchwork of laws. It is for this reason that the U.S. Chamber of Commerce, in its 2021 technology policy agenda, calls for national privacy legislation that robustly and equally protects all Americans and is enforced by experienced federal agencies like the FTC and not through class action lawsuits.
Privacy legislation should also enable innovation to thrive. Just prior to COVID-19’s arrival in January, C_TEC released a report highlighting how data is being used to enhance public safety, expand financial inclusion, and promote public health via the usage of social determinants of health. A national privacy law should enable these beneficial uses of data to continue mitigating COVID-19 and enable economic recovery. With a new Congress and administration on the way, it’s time to pass a national privacy law.