In the first part of this series, I discussed some of the political and structural problems that must be solved to pass any general U.S. data protection law. In this part, I discuss two of the most important substantive policy issues. They are the private right of action and federal preemption of state law. These may be the two hardest issues with the greatest gap between the business community on one side and consumer advocates on the other.
A PROA allows a consumer to sue a data controller (government or private sector) for violating their rights. A PROA may include class-action lawsuits on behalf of multiple consumers. From the perspective of consumers, class actions are crucial because the damages potentially available in a lawsuit brought by a single consumer are likely to be insufficient to support litigation. Private litigation is sometimes the only hope for enforcement because state and federal agencies do not have enough resources. Business sees class actions as an unwarranted expense that produces little gain for anyone other than trial lawyers, and there’s no love lost between business and trial lawyers.
Compromise here is not impossible, but it will not be easy.
The first compromise allows state attorneys general to enforce the federal privacy law. There’s plenty of precedent here, and this is something likely to be part of even the narrowest business-supported bill. After all, state AGs are not all that aggressive. This is a step, but it won’t be enough for consumers.
Another compromise is some form of enhanced enforcement by whatever federal agency or agencies have responsibility under the new law. People often point to the Federal Trade Commission as an effective privacy enforcer, but the FTC brings a relative handful of privacy cases. Still, better enforcement by an agency is not an impossibility. The Office for Civil Rights at the Department of Health and Human Services brings enforcement actions under HIPAA, the federal health privacy rules. In the recent past, the OCR brought more privacy and security cases than the FTC by two orders of magnitude. Meaningful agency enforcement is not an impossibility.
Other compromises might allow some class actions but impose procedural or other barriers. A procedural barrier might require notice to the offender, with meaningful corrective action allowed as either an affirmative defense or in mitigation of damages. Limits on recoverable damages could also serve as a compromise. Some class-action lawyers told me that laws that allow the for recovery of gigantic damages (e.g., $100 per individual per violation per day) are barriers because the damages are so enormous that judges look for ways to find for defendants.
Some consumer groups look for and rely on class-action awards in the form of cy pres settlements of class actions where the damages per class member are too small to compensate individuals. There is much controversy here on all sides. Some question the efficacy of cy pres awards altogether, while consumer groups fight among themselves about who should get the money. Limits and procedures here might form a compromise.
Federal preemption of state privacy laws is perhaps the ultimate goal of the business community. Interest here increased lately because of the new California Consumer Privacy Act of 2018, scheduled to take effect in 2020.
Federal preemption of state privacy laws is perhaps the ultimate goal of the business community. Interest here increased lately because of the new California Consumer Privacy Act of 2018, scheduled to take effect in 2020. Business not only worries about the California law but also the possibility that other states could pass similar laws with different requirements. Compliance with 50 state laws could easily be a nightmare. Business has an argument here. This is especially true in security, where complying with mildly variable state law requirements could be expensive or technically impossible.
On the other side, consumer advocates would surely call a weak federal privacy law with preemption a Privacy Prevention Act. Consumer groups feel just as strongly that states must be free to try new laws and provide protections better than federal law. Some federal laws began as a law passed by one state. The Drivers Privacy Protection Act is a good example. Further, consumers point to the federal health privacy rules as a precedent. HIPAA allows stronger state laws to remain in force. That has worked okay, but that’s not to say that there are no problems.
Further, there’s a new fly in the preemption ointment from net neutrality debates. A California proposal would enforce net neutrality indirectly by prohibiting the state from contracting with any service provider that does not meet designated standards. That “market-based" approach would be much harder for a federal law to preempt. It wouldn’t work as neatly for privacy, but some major data companies could not afford to ignore large states.
What are possible compromises?
First, federal preemption could be prospective only, covering new state laws but allowing existing laws to remain in force. The Fair Credit Reporting Act is an example.
Second, federal preemption could be limited. It is likely that all sides could agree on preemptive federal security standards. Other carve outs could be for enforcement or state records.
Third, federal preemption could be time limited. One way to do this is to preempt existing state laws but allow states to enact legislation starting five years after the effective date of the federal law. That would let the dust settle, identify gaps and shortcomings, and allow everyone to take up the fight later. Don’t like five years? How about three or ten years?
This doesn’t exhaust the realm of possible compromises, but neither of the two hardest issues is immune to compromise where both sides get something and give up something. For both sides, the losses will (and should) hurt.
Ultimately, the question is what do you get for compromising. There’s something here that both sides want that could form the basis for an overall compromise on a broad federal privacy law. That something is the subject of the next part.
If you want to comment on this post, you need to login.