What the US Needs Now: A Federal Privacy Law

Last week, a number of U.S. senators, led by Senator Roger Wicker, R-Miss., chairman of the Senate Committee on Commerce, Science, and Transportation, announced that they will introduce the “COVID-19 Consumer Data Protection Act” (the “Act”). Senator Marsha Blackburn, R-Tenn., highlighted that in the current crisis, “we are leaning on technology more than ever to stay connected and obtain information.”

In recognition of the increasing role that technology plays in supporting our daily, if not minute-by-minute, lives, these Senators are putting forth the Act to establish privacy protections as organizations develop new technologies during this time of crisis. The Act lays out a number of requirements, including requiring companies that already fall under the jurisdiction of the Federal Trade Commission (“FTC”) to obtain affirmative express consent when collecting information such as personal health information, and geolocation and proximity information.

Further, there are heightened requirements around disclosure related to the use of information at the time of collection. This goes hand-in-hand with the intended requirement that companies provide “transparency reports” to the public regarding the processing of the information collected. And, authority will be provided to State Attorneys General to enforce the Act, presumably in addition to some enforcement by the FTC within its existing data security and privacy authorities (i.e., “unfair and deceptive trade practices” under Article 5 of the FTC Act).

The Act puts forth what are considered standard privacy best practices, encouraging an ongoing dialogue that privacy is a driving force today in the development of new and innovative technologies. The European Union, in its continued enforcement and promotion of the General Data Protection Regulation (“GDPR”), is emphasizing privacy within the development of solutions to address COVID-19. In its Twenty-Third Plenary Session, the European Data Protection Board (“EDPB”) adopted two guidelines, one focused on processing healthcare data in the research context and the other focused on the collection of geolocation data. These guidelines, issued in the context of COVID-19, can be summed up nicely as follows:

  • Yes, the GDPR still applies to all personal data.
  • No, you cannot disregard the proactive privacy measures and protections in order to address COVID-19. 

In the United States, states that have addressed data privacy are taking the same approach. The California Consumer Privacy Act of 2018 (“CCPA”) went into effect on January 1, 2020, but enforcement actions will not commence until July 1, 2020.  And, even though a number of stakeholders requested that the California Attorney General postpone its enforcement of the CCPA, all signs point to a regulation that California intends to enforce to its fullest. In fact, the California Attorney General reminded its citizens of their rights under the CCPA, encouraging them to remain vigilant of privacy, especially in light of COVID-19. This should serve as a reminder to both businesses and consumers that privacy is important now, more than ever, in these extraordinary times.

It is great to see some active engagement at the federal level as it relates to consumer privacy. In fact, there are strong arguments that a lack of a federal privacy law is a sore spot for the U.S., both domestically and internationally. Unlike Europe and California, the U.S. does not have a true baseline to drive privacy considerations. This creates increased costs and uncertainty for businesses, neither of which is good, particularly when dealing with the current pandemic.

There are certain federal laws that provide some foundation in the privacy and security arena, but those are siloed in certain industries. The Health Insurance Portability and Accountability Act (“HIPAA”) already outlines privacy (and security) protections for protected health information (“PHI”). And, the Office of Civil Rights (“OCR”), which oversees HIPAA compliance, has signaled discretion in its enforcement for certain aspects of HIPAA including a relaxation of the HIPAA rules in electronic communication platforms to provide expanded telehealth solutions. However, the OCR emphasized in its February 2020 Bulletin that “the protections of the Privacy Rule are not set aside during an emergency” and that HIPAA “is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.”

Likewise, the Children’s Online Privacy Protection Rule (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) both play  an active role to ensure privacy for our children as more and more are online, both for educational purposes and entertainment. The FTC, which enforces COPPA, also provided guidance for Ed Tech Companies and Schools to address remote learning needs during COVID-19. The FTC emphasizes that notice of the data collection and processing is a key component of COPPA compliance. Additionally, the Department of Education, which enforces FERPA, provided an FAQ Document addressing the role of FERPA during COVID-19.    

The above illustrates the challenges with the fragmented approach to privacy throughout the United States. An entity may be subject to many different laws that include privacy components, and as such, is required to follow multiple sources and levels of guidance to ensure compliance with privacy during COVID-19 (and really anytime). In fact, COVID-19, and the challenges it created, provide strong support for why a federal, cohesive approach to privacy could simplify privacy protections, and encourage companies to address privacy concerns on a more robust level. Having a cohesive approach would decrease costs associated with privacy and security compliance and provide certainty to organizations, as they would no longer need to cobble together aspects of the different laws but would be afforded a single target to shoot for.

The introduction of a new consumer privacy act is a positive. Frankly, anything demonstrating a federal government commitment to protecting our privacy is positive. It also highlights that, while other jurisdictions have a baseline to already protect privacy, we are really starting almost at square one. And, the current national emergency provides an opportunity to embrace the idea of a federal privacy law, including the right to have stakeholders take part in that conversation. 

Creating a federal data privacy law is something everyone should get behind. It reduces costs, increases efficiencies, and creates predictability in regulatory compliance. Creating a federal privacy law requires lawmakers to understand societal privacy goals. It also requires those lawmakers to focus on the fact that creating a regulatory framework increases opportunities for innovation. Laws drive innovation; they don’t inhibit it. A federal privacy law that includes input from a variety of stakeholders, including businesses, individuals, and the public sector, will ensure a balance is struck between privacy, innovation, and commerce.

At XPAN, we advocate for our clients across a wide variety of industries. We also help our clients to understand and incorporate privacy and security throughout their operations. As part of that understanding, our clients work to help shape the changing privacy laws, and work with legislatures, Attorneys General, and the courts to develop privacy protections that balance protecting individual rights while also allowing the flexibility to evolve and innovate within the digital economy. And, like most components of privacy and security, the key is preparing for new laws and requirements, while engaging in how those laws take shape. We are just at the beginning of this data privacy and security journey, one that we know will serve organizations, government, and people well in the years and decades to come. Privacy and security laws will drive innovation and commerce if we do it the “right” way. 

Reach out to us today about how we can help you and your organization to prepare and stay informed on changes in federal privacy laws! 

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.