Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Finding possible compromises in consumer privacy laws is rarely difficult. There are many ways to slice the privacy pie, and variations abound in national laws around the world and state laws in the U.S.

Finding actual compromises is a different matter, but middle grounds are available if the political will exists.

Any proposed federal privacy law must address two difficult-to-compromise issues that remain major barriers to any new federal law. The first is private right of action, and the second is federal preemption of state law.

Let's start with a private right of action. Basically, industry hates the idea that they might be sued by class-action lawyers over technical or other violations of a federal privacy law. On the other hand, many privacy advocates see a private right of action as essential for meaningful enforcement of a privacy law. Advocates do not necessarily trust federal agencies and state attorneys general to do a good job.

How to bridge the gap between these two sides?

Allow private lawsuits only in case of willful or egregious violations. The idea is that a higher standard will diminish incentives for litigation in cases where violations of the law are technical or minor, but significant violators can still be pursued. This approach could require a preliminary determination by the court whether, accepting all the alleged facts, the violation would be willful or egregious. This will be easier if the federal law establishes clear standards for willful and egregious and includes a process — perhaps with third-party participation — for helping courts make the determination.

Limit monetary damages to actual damages but allow attorney fees. One of the challenges in privacy litigation is proving damages. Actual, out-of-pocket damages can be difficult to show even in cases where violations of standards clearly exist. If the law allows suits with limited damages but with the prospect of attorney fees, lawsuits may still happen, but the incentives will be reduced. It's a balancing act.

Cap or eliminate damages and limit attorney fees if a company cures within 60 days of the lawsuit's filing. In these cases, let the court award limited attorney fees to the plaintiff even if the court finds the cure is sufficient. A court battle over sufficiency will create some tension to ensure that any cure is good enough. Again, third-party participation remains an idea to help the court decide. This approach encourages compliance by giving companies a reason to solve problems promptly while still leaving an incentive for litigation.

Turning to federal preemption, here are two ideas.

Preempt existing state laws but allow states to enact stronger laws five or seven years after the effective date of a federal law. The idea here is to give the federal law a chance to see if it adequately addresses existing problems. This approach mildly incentivizes a modestly stronger federal law that would stave off the prospect of states filling glaring gaps later. It also stops the industry dream of a so-called privacy prevention act, a federal law that offers little meaningful protection to consumers while its preemptive effect stops states from ever enacting better privacy protections.

Allow a uniform state law to take effect if a specified number of states — 15? — pass a substantially identical law. This approach would allow state laws to be enacted after the federal law passed. It addresses the issue of uniformity by requiring the states to pass the same law. We have enough of a tradition of uniform state laws to think this might work for privacy. In any event, when there is a sufficient demand for a new privacy protection to support multiple state enactments, Congress could always short-circuit the state process by adding the feature to the federal law.

Remember, these are just ideas. Anyone with other ideas is welcome to join the discussion.

I want to offer one more point about preemption. You cannot meaningfully preempt state privacy laws. It can be extremely hard to determine what constitutes a privacy law. States have dozens of different laws, regulations, court rules and the like that address the disclosure and use of personal information in specified contexts. These include laws for voter rolls, motor vehicle records, cancer registries, licensing laws, property ownership records, and much more. Further, the federal health privacy rule, the Health Insurance Portability and Accountability Act, already allows stronger state laws to remain.

Will state privacy torts be preempted, even if nothing in a new federal law addresses the same activities? What about a data broker registration law that was clearly passed with privacy in mind but has nothing overtly to do with privacy? If that data broker registration law imposes a fee for data brokers to register, does that make it a revenue law rather than a privacy law?

A broad or vague preemption standard may require many lawsuits and many years before certainty emerges about just what state laws it preempted. The actual result of a vague federal preemption provision would be more uncertainty, more confusion, and more expense. In some ways, a broad but unclear federal preemption "cure" could be worse than the existing multiple state laws "disease."

Federal preemption could include a process to determine just which state laws are preempted. Unfortunately, a preemption word formula will be difficult to draft with precision. One idea is to establish a temporary bi-partisan commission to make decisions. Another is to assign the function to an existing agency. Whoever makes decisions should first hear from all relevant stakeholders, including corporations, civil society and the public.

The road to a federal privacy law has many twists, turns and bumps. Preemption and private rights of action are two of the barriers, but compromises can be found.

Robert Gellman is a privacy and information policy consultant.