keyboard with digital lock

Will the U.S. Adopt a National Data Privacy Law?

July 8, 2019 | Purdue Global Law School

There is widespread agreement among consumer groups, tech companies, and lawmakers that the U.S. needs a national privacy law. However, there is a lack of consensus as to what a federal privacy law should look like and whether it should override state legislation. These stumbling blocks have impeded bipartisan efforts to draft privacy policy proposals. Organizations that collect personal information on consumers are faced with a patchwork of state, federal, and international privacy laws.

A Patchwork of Privacy Laws

The U.S. is one of the few industrialized nations without an overarching privacy standard. There are dozens of privacy laws and regulations at the federal level, many of which predate the Internet Age.

Several were passed in response to specific issues or situations. For example:

  • The Video Privacy Protection Act of 1998, 18 U.S.C. § 2710, was enacted after Supreme Court nominee Robert Bork’s video rental records were published in the Washington City Paper.

  • The Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721, was in part a response to the murder of actress Rebecca Schaeffer by an obsessed fan who obtained her address through Department of Motor Vehicle records.

The Federal Trade Commission (FTC) is the agency most responsible for establishing and enforcing federal privacy policies, but it has limited rulemaking authority. FTC regulations impose fairly strict privacy requirements on organizations in industries such as health care and financial services, as well as those that collect data from children under 13. Most other businesses are left to self-regulate.

Some federal laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), require covered entities to disclose what information they collect from consumers and how that information is shared and protected. However, there is no federal law requiring all organizations to publish a privacy policy. The FTC does expect organizations to abide by their own privacy policies or else be subject to an action for deceptive and/or unfair trade practices under Section 5 of the FTC Act.

Congress’s Recent Failed Attempts

A number of privacy bills have been introduced in recent months, but none has made it past committee. For example:

  • In November 2018, U.S. Sen. Ron Wydon (D-OR) introduced the Consumer Data Protection Act, which would enable consumers to control how large companies use their information and impose fines of up to 4% of gross revenue for violations.

  • In December 2018, 15 senators introduced the Data Care Act, which would require organizations to protect the personal information they collect from consumers, and authorize both the FTC and state attorneys general to enforce its provisions.

  • In January 2019, U.S. Sen. Marco Rubio (R-FL) introduced the American Data Dissemination Act, which would build upon the Privacy Act of 1974. The bill would also preempt state law and require the FTC to develop detailed recommendations and proposed regulations. However, FTC Chairman Joseph Simons has said the agency wants clear legislation, not broad rule-making authority.

On February 26, 2019, a six-member panel of the Committee on Energy and Commerce convened a hearing entitled “Protecting Consumer Privacy in the Era of Big Data.” Members of the Subcommittee on Consumer Protection and Commerce said they hoped to present a policy proposal by Memorial Day, but have moved that target date to later in the summer of 2019.

States Take the Lead in Data Privacy

There is growing momentum at the state level to close the gaps left by federal law. California is leading the charge with the California Consumer Privacy Act (CCPA). When it goes into effect on January 1, 2020, the CCPA will give California consumers far-reaching rights to know what information a company holds about them, how that information is used, and whether it is disclosed or sold. Consumers may opt out of the sale of their information and even have the information deleted in most instances.

number of other states, including Connecticut, Hawaii, Rhode Island, and Washington, are considering similar legislation that incorporates many of the principles of the European Union (EU) General Data Protection Regulation (GDPR). Considered the gold standard in internet privacy law, the GDPR requires organizations to give EU citizens access to their data and to correct any inaccuracies. The law also gives EU citizens a “right to be forgotten” by having their information removed from the internet.

The GDPR has had a notable impact on privacy practices in the U.S. Because it applies to EU citizens anywhere in the world, large organizations have been forced to rethink their data-handling processes. Some organization, such as Apple, have committed to applying GDPR provisions globally, while others have said they will provide similar protections in other countries.

The CCPA and other state laws could have a similar effect. It is simpler for organizations to use the most stringent privacy regulations as the basis for their data-handling processes than to implement separate processes for individual states, countries, or regions. Unless Congress can agree on what a federal privacy law should look like and how it should be enforced, the CCPA and GDPR could become the de facto privacy standards in the U.S.

Learn More About Data Security and the Law

As the nation continues to grapple with data security legislation and the urgent need to keep citizens' personal identifying information safe, cybersecurity and privacy legal experts will be increasingly needed in both the public and private sector. Purdue Global Law School offers an online Executive Juris Doctor program with a law and technology track that provides advanced legal training on cybersecurity issues. Single courses in technology and the law are also available. Request more information today.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.