Alex - stock.adobe.com
The outlook for a federal data privacy law in 2022 is grim, despite bipartisan support in Congress for it.
A federal privacy law would set limits on the use of consumer data collected by social media platforms and e-commerce firms. Multiple pieces of federal data privacy legislation have been proposed over the years, but Congress has shifted its focus to regulating big tech firms through the application of antitrust laws, said Lee Tien, senior staff attorney at the nonprofit digital rights group Electronic Frontier Foundation.
Lee TienSenior staff attorney, Electronic Frontier Foundation
"All of the energy on privacy has sort of flattened out," Tien said. "There's a certain amount of mental fatigue on privacy right now."
Among the privacy bills is the bipartisan Social Media Privacy Protection and Consumer Rights Act introduced by Sens. Amy Klobuchar (D-Minn.), John Kennedy (R-La.), Joe Manchin (D-W.Va.), and Richard Burr (R-N.C.), and the Information Transparency and Personal Data Control Act proposed by former Microsoft executive Rep. Suzan DelBene (D-Wash.).
In the absence of Congressional action, states are adopting privacy laws, which could present a problem to businesses.
"The states have been responsive to the need for more privacy oversight," said Sen. Marsha Blackburn (R-Tenn.), during a webinar hosted by think tank R Street Institute. "But if we're not careful, we'll end up with a patchwork of state regulations."
What's holding up a federal data privacy law
Three issues are impeding the progress of a federal data privacy law, said Cory Simpson, executive vice president at Resolute Strategic Services, during the webinar.
One challenge involves the relationship between a federal data privacy law and emerging state laws. For a federal data privacy law to progress, Simpson said policymakers would need to outline to what degree federal law should preempt state law. States like California, Virginia and Maine have already implemented privacy laws, with many others considering moving forward with their own versions.
Two other issues impeding federal data privacy law adoption involve questions of enforcement of the privacy law, Simpson said.
"One being whether individuals should be empowered to private right of action under the federal law," he said. "The other being a question as to what role the Federal Trade Commission should play in enforcing federal legislation."
The FTC is the federal government's enforcement arm for antitrust law, as well as consumer protection. Some lawmakers believe the FTC has too much power.
Recommendations for moving forward
To avoid the patchwork of state laws, the federal data privacy law would need to preempt state law with some carveouts where states could continue to have authority, said Lauren Zabierek, executive director of the Cyber Project at Harvard Kennedy School's Belfer Center for Science and International Affairs, who spoke during the webinar.
A federal data privacy law also needs a specific definition of what entities and data it covers, as well as enforcement mechanisms such as private right of action.
Zabierek said a private right of action should balance curbing frivolous lawsuits with protecting consumer data and include different types of remedies, such as injunctive relief instead of monetary awards in some cases.
The goal "is to create a safer ecosystem where consumer privacy and data security is taken seriously," she said.
Primary enforcement of the federal data privacy law, however, should lie with the FTC, Zabierek said. Though the FTC's rulemaking authority is currently under question, it's still equipped to successfully enforce a privacy law.
Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.