Gridlock in Washington Could Mean More Active Statehouses
Take a deep breath – the 2020 election is finally, mercifully over. Sure, the Trump campaign is refusing to concede and two runoff races in Georgia will determine control of the Senate next year. But it’s clear that Joe Biden is the President-elect of the United States and he is extremely likely to take office with Republicans holding a majority in the Senate.
The net result? More gridlock in Washington.
A late October CNBC headline notified readers that Congress “failed to pass Big Tech legislation” in the four years leading up to the 2020 election. That failure, the network noted, included federal “digital privacy legislation, which lawmakers broadly agree is sorely needed but has been repeatedly delayed as states and other countries install their own laws.”
Given the likely partisan split in the 117th Congress (even if Democrats take the majority in the Senate after the January 2021 runoffs in Georgia, the party’s advantage will be very narrow), it is likely we will be looking a similar headlines two years from now, and possibly even four.
That prediction comes despite the fact that President-elect Joe Biden has said he favors a national privacy standard. It also comes despite broad bipartisan support on Capitol Hill for a federal model.
It’s not just lawmakers that want to move ahead; technology companies also are hungry for movement in Congress. As GeekWire reported, in a post-election blog post Microsoft President Brad Smith lamented that the United States continues “to live with a national electronic privacy law enacted in the dial-up era of the 1980s, and when it comes to issues such as safeguards for facial recognition, we have no national law at all.” Smith concluded, “We need new laws fit for the future.”
Left-leaning organizations agree. In a memo issued this past Monday, ten privacy, civil rights, and consumer organizations urged the Biden administration “to swiftly put in place robust privacy and data justice protections.” Their recommendations include:
- Passing a baseline, comprehensive federal privacy law that sets up a new federal data protection agency and does not pre-empt state laws;
- Limiting government surveillance and access to personal data, and protecting health data for all Americans;
- Protecting children and teens from corporate surveillance and predatory marketing;
- Recognizing that privacy, digital surveillance and corporate concentration are racial justice issues and ending the systemic surveillance of Black and Brown communities;
- Setting up better practices and oversight for algorithms and data management;
- Ensuring antitrust regulators account for privacy, civil rights, and digital rights impacts in the merger review process; and
- Empowering the Federal Trade Commission and Federal Communications Commission to robustly enforce privacy protections.
Given all of this agreement, why aren’t we likely to see federal data privacy law in 2021 or 2022? Because the same disagreements between Republicans and Democrats that have prevented its passage over the last many years are still in play in a continued era of divided government.
In its October story, CNBC outlined the “sticky details” that so far have kept Congress from passing a federal data privacy bill. The news network boiled the disagreements down to two main issues: in general, Democrats believe individual Americans should have the right to sue companies that they believe have violated their digital privacy rights. Second, Democrats believe the national standard “should be a baseline for the states” – those states that want to go further should have the ability to do so.
Republicans disagree with both points, CNBC noted. GOP lawmakers argue that individuals’ ability to sue will lead to frivolous lawsuits and that a federal bill that is a floor, rather than a ceiling, will result in a patchwork of policies that will “make compliance virtually impossible for smaller players.” Republicans assert that a federal data privacy framework that allows states to build their own, stronger regimes is functionally no better than the status quo.
One thing is clear, though: while Republicans and Democrats in Washington continue to disagree, states will forge ahead. Californians made that fact clear during Election 2020.
Despite the fact that the state already was home to the strictest data privacy law in the nation (the California Consumer Privacy Act, or CCPA), residents wanted more, amassing enough signatures to get a measure on the ballot last week to expand the CCPA.
That initiative, Proposition (Prop) 24, was approved on November 3 by a 56 percent to 44 percent majority. That outcome means consumers now will be able to tell businesses if they do not want their personal information shared. It also means the state will have to create an entirely new government department, the Privacy Protection Agency, to enforce the state’s consumer data privacy laws.
As we reported previously, not all privacy advocates were on board with these changes. According to FastCompany, that’s because, under Prop 24, companies also are “able to refuse requests to delete personal information if they say the data is necessary to ensure the security of their platforms” and “no longer have to respond to individual data requests.” Some civil rights and pro-immigration groups even argued Prop 24 is racially discriminatory and would “price out” working people, seniors, and Black and Latino families. Additionally, Prop 24 only applies to companies that:
- Make more than $25 million in annual revenue;
- Buy, sell, or share the personal data of more than 100,000 consumers or households annually (compared to 50,000 under the CCPA); and
- Earn 50 percent or more of their annual revenue from selling personal data.
While industry and advocates disagree on Prop 24 – and will continue to do so – there is little doubt that Americans want action on this issue. The Electronic Privacy Information Center (EPIC) has assembled several surveys that it says demonstrate support for a national privacy law. For example:
- An early 2018 Axios-SurveyMonkey poll found that 55 percent of Americans believe the government should do more to regulate technology companies in general.
- A November 2019 Pew Research Center poll found three-quarters of Americans believe there should be new regulations governing what companies can do with personal data and that showed 81 percent of Americans believe the risks of data collection by companies outweigh the benefits.
- A December 2019 Morning Consult poll found 79 percent of Americans wanted Congress to enact privacy legislation in 2020. That survey also found 65 percent of percent of respondents said data privacy is “one of the biggest issues our society faces.”
Still not convinced voters are clamoring for data privacy protections?
Even when faced with a pandemic where data collection has demonstrably promoted public health and saved lives, Americans are skeptical of what companies, or perhaps more precisely, the government will do with this information. As EPIC noted, a May 2020 Pew poll found 62 percent of Americans believe it is unacceptable for the government to use location data to ensure compliance with social distancing guidelines.
So far, state lawmakers have been eager to try to step in where the federal government has failed to drive consensus.
According to Security.Org, only three states – California, Maine, and Nevada – have “strong” data privacy laws on the books, but many more could pass legislation over the next two years. In fact, several already are working toward that goal. As the National Council of State Legislatures reported, “The number of consumer data privacy bills increased in 2020 compared to 2019, including comprehensive consumer privacy bills.” In fact, data privacy legislation was considered in at least 30 states and Puerto Rico in 2020.
Then the pandemic set in.
As the Electronic Frontier Foundation’s Hayley Tsukayama told Government Technology this past summer, the coronavirus pandemic upended state lawmakers’ prioritization of data privacy bills. Most legislatures diverted their attention to health and safety matters and adjourned without getting these bills across the finish line.
As soon as “the nation returns to some level of normalcy,” however, we should expect this legislation to be back at the top of many state legislatures’ to-do lists the magazine said. Heather Federman, who is vice president of privacy and policy at BigID, which supported Prop 24, agrees. She told Security magazine, “While the pandemic has put a halt in the progress of much state activity, we will likely see a resurgence of bills in 2021.”
Data privacy is just one issue, but it could be representative of what we see at the federal level for a host of other issues. Democrats have taken the White House, but President-elect Biden’s party failed to produce big wins in Congress. In turn, look for states to increasingly take matters into their own hands.