With the recent release of US H8413 (Securing and Establishing Consumer Uniform Rights and Enforcement Over Data Act), it seems that the hopes of a comprehensive federal privacy law in the United States have been somewhat rekindled. However, those of us who have seen many of these bills fail or simply be forgotten about are not overly optimistic. Although many countries have comprehensive laws protecting privacy, unfortunately it does not seem that the US will have one anytime soon. In this article, we will discuss the current state of privacy laws in the US, why a comprehensive federal privacy law would be beneficial, and some of the roadblocks that proposed federal privacy bills face.
The Current State of Privacy Laws in the US
At this time, the federal privacy laws that we have in the United States only cover certain sectors or types of personal information. For example, we have HIPAA, which covers protected health information; COPPA, which covers children’s personal information; and GLBA/FCRA, which cover financial information. However, there is no federal privacy law that covers personal information commonly collected through websites and apps, such as name, email, phone number, physical address, and IP address. Because individuals are demanding privacy rights and federal legislators are unable or unwilling to pass a comprehensive federal privacy law, states are proposing and passing their own laws.
This creates the state privacy law patchwork, a different set of rules for protecting privacy for each state. This patchwork is extremely confusing, difficult to comply with, and difficult to understand, leading to lower compliance and lower privacy protections as opposed to a federal privacy law. Some of the issues inherent in the state privacy law patchwork include:
- Inconsistent applicability of privacy laws. For example, some state privacy laws apply to any business collecting the personal information of residents of that state. On the other hand, other states’ privacy laws may apply only to businesses making over $25 million in annual revenue, processing the personal information of a large number of individuals, or generating a certain amount of revenue from the sale of personal information. This makes it difficult for businesses to determine whether a particular privacy law applies to them and makes it difficult for individuals to understand whether they have privacy rights in the context of a particular business that they are dealing with;
- Inconsistent applicability of privacy rights. Since each state has its own privacy law, some businesses may need to comply with only a few of those laws. As such, their Privacy Policy may state that, for example, residents of California and Virginia have certain privacy rights while residents of other states do not. This means that many individuals who live in states that have not passed privacy laws do not have any privacy rights or protections and have no recourse against companies that have violated their privacy expectations. In addition, while some businesses specifically enumerate who has certain privacy rights, others do not, leaving individuals to guess whether or not they have these rights, or to research which rights their state’s privacy law offers;
- Differing privacy laws offer different privacy rights and protections. Since each state writes its own laws, these laws are not consistent as to the privacy rights that they offer. For example, the Connecticut Data Privacy Act and Minnesota Consumer Data Privacy Act provide individuals with multiple privacy rights related to profiling, such as the right to question the result of the profiling, whereas other state privacy laws do not provide such rights. This leaves large gaps in privacy rights for individuals who are not residents of those states. This also makes it difficult for businesses to comply, as they have to verify where an individual resides before providing them with certain rights, since the rights differ by state;
- Inconsistent standards that conflict with each other. To the frustration of many businesses, some states have multiple privacy laws, which can conflict with each other in terms of their compliance requirements. For example, the California Invasion of Privacy Act requires websites to opt individuals out of all cookies and allow those cookies to be placed only if the individual provides their consent. However, the California Privacy Rights Act allows individuals to be opted in to all trackers, but gives them the right to opt out. This creates a lot of confusion for businesses as to how to comply, as these standards are different even though both of these privacy laws are from the same state;
- Differing policy disclosure requirements. Each state writes its own privacy law, and each privacy law specifies the disclosures that the Privacy Policy needs to contain. With so many states writing their own requirements, there are a lot of disclosures that Privacy Policies need to contain, leading to very long policies. This not only makes it difficult for the business owner to obtain a comprehensive Privacy Policy but also leads to annoyance from consumers, who have to read all of these disclosures just to understand what the business is doing with their personal information. In addition, differing requirements can lead to confusing policies. For example, some states allow businesses 45 days to respond to consumer privacy rights requests while others only allow 30 days. To comply, the business must state that it will respond to these requests within 30 to 45 days, but that is confusing to the consumer, who does not get a clear statement of how long it will take the business to respond;
- Burdensome tracking of privacy bills. Since each state is proposing and passing its own privacy laws, businesses need to track the privacy bills in each state to know what new privacy laws are going to be enacted. This is an extremely time-consuming process that relies on multiple sources and software providers, which can make it costly as well.
While there are many more examples, you can see how having a state privacy law patchwork is extremely burdensome for businesses that need to comply with these laws and extremely confusing for individuals who just want to have privacy rights and control over their personal information.
The Benefits of a Comprehensive Federal Privacy Law
As we have seen with other comprehensive privacy laws such as the GDPR or PIPEDA, a federal privacy law is extremely beneficial for everyone involved. The purpose of a federal privacy law is to harmonize the applicability and requirements of privacy compliance so that there is one set of rules to follow. The benefits of a comprehensive federal privacy law would include:
- Consistent applicability requirements. For example, a federal privacy law could apply to anyone collecting personal information of residents of the United States, making it clear that most businesses need to offer privacy protections for individuals;
- Standardized privacy rights. A federal privacy law could offer a comprehensive set of privacy rights to everyone residing in the United States;
- Consistent set of policy disclosures. A federal privacy law could state what disclosures Privacy Policies need to contain, keeping those policies relatively short and confusion-free;
- No more tracking of privacy bills. If a federal privacy law were enacted, businesses would no longer have to spend time and money tracking bills;
- Stronger enforcement. Some states do not have the bandwidth to fully and consistently enforce their privacy laws. However, a federal privacy law could establish a federal agency with a larger budget to enforce that law.
Passing a comprehensive federal privacy law would not just lower the cost and complexity of compliance for businesses; it would also lead to more privacy protections and coverage for individuals, which would be a real win-win.
Roadblocks for Federal Privacy Bills
At this point, it should be clear that a comprehensive federal privacy law would be extremely beneficial. So why is it that these proposed federal bills simply do not pass? There are a few roadblocks that all of these bills face, which is why they have historically failed:
- Preemption. Preemption is the question of whether or not the federal privacy law should override the protections provided by state privacy laws. This is a big point of contention, as many states do not want their residents to lose privacy rights and protections that they had under the state privacy law if a federal privacy law is enacted. However, this argument can be quickly addressed by the federal privacy law providing the same or greater privacy protections than the state privacy laws;
- Private right of action. Private right of action is the question of whether or not the federal privacy bill should allow consumers to sue businesses directly for violating the privacy law, as opposed to having a government entity enforce the law. While a private right of action ensures that the privacy law will be enforced (as consumers can sue directly), many business groups are not happy with this idea, as they could be subject to the high costs of lawsuits if they fail to comply. In my personal opinion, a private right of action should be allowed, as it ensures that businesses comply and allows consumers to obtain recourse for violations;
- Applicability to small businesses. This question asks whether the federal privacy law should exempt small businesses and apply to large businesses only. There are also options where certain portions of the law apply to small businesses while the more cumbersome parts apply to large businesses only. In my personal opinion, the privacy law should apply to all businesses, regardless of size, as small businesses can also violate the privacy of consumers. However, the government should provide extensive resources and guidance on how to comply, to reduce the financial burden of compliance on small businesses.
The truth is that while there are many points of contention with a federal privacy law, that does not mean that we should just give up on the idea entirely. There are many countries with comprehensive privacy laws that have figured out how to resolve these points of contention and provide individuals with privacy rights and protections. And a comprehensive privacy law would actually make it much easier for businesses to manage their compliance, as opposed to the state privacy law patchwork that we have now.