News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Tracking the politics of US privacy legislation Related reading: COPRA and CDPA: Similarities, Gray Areas and Differences

rss_feed

""

Observers of the debate around the potential for a new federal data privacy law know that dozens of relevant bills have been introduced and debated in U.S. Congress over the past couple of legislative sessions. While they make for good reading and discussion material, do any of them have a realistic shot at survival? If so, which of them are the most likely to eventually make their way into law?

As the IAPP continues to track these proposals, a very basic but important realization should come into focus: Given the current divided government in the U.S., any successful privacy legislation will require bipartisan support. Currently, only a handful of bills have sponsors from both parties.

Thus, this article distinguishes between pieces of federal data privacy legislation that have secured support only from one side of the political aisle and those that enjoy bipartisan support. It addresses a couple of provisions — private right of action and preemption — where the biggest partisan gap seems to exist. It also discusses the Consumer Online Privacy Rights Act, sponsored by Senate Committee on Commerce, Science, and Transportation Ranking Member Maria Cantwell, D-Wash., and the Consumer Data Privacy Act, sponsored by Chairman Roger Wicker, R-Miss., focusing on their areas of overlap and divergence. It concludes with a summary and analysis of all federal data privacy bills with bipartisan sponsorship that have been introduced this session of Congress — nine in total that I could identify as of the time of this writing — to see where agreement exists between Democrats and Republicans regarding privacy protection at the federal level.

Privacy’s partisan provisions

Democrat-sponsored bills make up the bulk of federal privacy legislation introduced in this Congress.

Among the most recent bills, the Online Privacy Act was introduced in the House of Representatives by Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif. This bill would create a new Digital Privacy Agency with 1,600 employees; provide users with the rights to access, correction, deletion and data portability; and also allow private rights of action. While some advocates believe that a private right of action should be part of federal privacy legislation, it has thus far failed to secure bipartisan support. Wicker has reportedly referred to a private right of action as “totally a non-starter.” Even “moderate Democrats” would be upset by the inclusion of a private right of action. Thus, it seems that the private right of action is unlikely to be included in a bipartisan bill, and any future bills that include it will have low chances of survival.

Another divide between Democrats and Republicans is whether and, if so, to what extent, federal data privacy legislation should preempt state law. The inclusion of preemption in a federal data privacy law has received disparate support from Democrats and Republicans. One of the rationales for preemption is that, in exchange for accepting a heavier compliance burden at the federal level, industry should be protected from additional, divergent privacy obligations at the state level. On the other hand, states have served as innovators in privacy law, paving the way for broader federal privacy protections. In addition, state attorneys general have served as “nimble privacy enforcement pioneers.” That being the case, the argument against preemption is that “states should have the ability to offer greater protection of rights to their citizens.”

Democrats and Republicans seem to be at opposite ends of the preemption spectrum, with the latter supporting it and the former opposing it. In the context of these discussions, Republicans in both chambers “have expressed strong interest” in preemption. One congressional aide even suggested that members of Congress have come to the understanding that “preemption language … would be necessary to pass a bill in this Congress.”

Some Democrats, meanwhile, particularly from the California caucus in the House, have been vocal about their opposition to preemption. Rep. Jackie Speier, D-Calif., told reporters that she would “look askance at any measure that tried to preempt” the California Consumer Privacy Act. Rep. Jan Schakowsky, D-Ill., has similarly stated that she is “generally against preemption” but indicated she would support a federal floor-style preemption that would not weaken state protections. Speaker Nancy Pelosi, D-Calif., has also reportedly said that the House would not pass preemptive federal data privacy legislation that weakens protections enshrined in the CCPA. In her words, preemption that weakens state law is something “that’s just not going to happen.” Democrats in the Senate, such as Sen. Ed Markey, D-Mass., however, have said they might accede to preemption in exchange for beefed-up enforcement powers for the FTC.

As Alston & Bird Senior Counsel Peter Swire has explained, preemption is a “technically complex, as well as politically controversial,” issue. To simplify things a bit, preemption has received its strongest support from Republicans, while Democrats have reacted to it in mixed ways, ranging from slight opposition to toleration to conditional support for certain types of preemption.

Privacy and politics

It is almost a tautology to say that lawmaking is a political process. Legislative possibilities are at least partially determined by which party controls the two chambers of Congress and the White House. That is, regardless of the merits of these individual bills and the hard work that went into crafting them, the current political reality of a divided Congress would seem to dictate that bills sponsored by members from only one party have a lower chance of passage than bills sponsored by a coalition of members from both parties.

Thus, with these facts in mind, it is worth focusing on those privacy bills that have bipartisan support or count both Democrats and Republicans among their cosponsors. So, where does bipartisan agreement exist regarding federal data privacy legislation?

Bipartisan data privacy bills

COPRA and CDPA

Introduced or circulated publicly in late November, the Consumer Online Privacy Rights Act and Consumer Data Privacy Act provide some of the best indication to date of the consensus on federal privacy legislation that has emerged between Democrats and Republicans on the Senate Committee on Commerce, Science, and Transportation. Both are comprehensive proposals for a consumer privacy law that would span a broad swath of the economy and enshrine fundamental privacy protections at the federal level. In addition to their similarities in scope, both bills would require covered entities to obtain “affirmative express consent” from individuals before processing or transferring their sensitive covered data. In addition, they would both require covered entities to provide transparent privacy policies, maintain “reasonable data security practices,” designate privacy officers and data security officers, conduct annual privacy impact/risk assessments, and not deny goods or services to individuals who seek to exercise a privacy right.

Yet, while many of their provisions are nearly identical, there are several notable differences between the two texts. In several ways, such as regarding the definitions of “covered data” and “sensitive covered data,” COPRA and CDPA are neither in perfect harmony nor completely out of tune. Within these gray areas, the two bills employ similar or even identical language up to a point but then diverge in ways that would be critical to how they would likely be enforced.

A couple of the clearest-cut differences between COPRA and CDPA are the preemption of state law and a private right of action. While CDPA would preempt any state law related to data privacy or security (with the exception of data breach laws), COPRA would leave in place state laws that afford a greater level of protection than it does. The private right of action is another issue where the two bills sit on opposite sides of the fence. For anyone interested in a more detailed analysis of COPRA and CDPA, please see my latest white paper, which examines these issues in greater depth.

Filter Bubble Transparency Act

On Oct. 31, the Filter Bubble Transparency Act was introduced in the Senate by Sen. John Thune, R-S.D., and is co-sponsored by Sens. Richard Blumenthal, D-Conn., Mark Warner, D-Va., Jerry Moran, R-Kan., and Marsha Blackburn, R-Tenn. This bill requires websites that use personal data to filter search results or order news feeds to notify users that they do so. It also requires them to offer users an unadulterated version of their search results or news feeds that are not based on any personal data. This bill has been referred to the Senate Committee on Commerce, Science, and Transportation. Of all the bipartisan bills, this one has also gained the most co-sponsors — four — to date.

Social Media Privacy Protection and Consumer Rights Act

Introduced in January, the Social Media Privacy Protection and Consumer Rights Act of 2019 is sponsored by Sen. Amy Klobuchar, D-Minn., and co-sponsored by Sens. John Kennedy, R-La., Richard Burr, R-N.C., and Joe Manchin III, D-W.Va. This bill requires online platform operators to provide notice to users that their data is being collected and used by the operator, as well as any third parties. It would also give users a right of access to a copy of their data and require operators to notify users in the event of a data breach. This bill has been referred to the Senate Committee on Commerce, Science, and Transportation. With three co-sponsors, this bill ranks second in terms of number of co-sponsors.

Do Not Track Act

The Do Not Track Act, introduced in May by Sen. Joshua Hawley, R-Mo., and co-sponsored by Sens. Dianne Feinstein, D-Calif., and Warner, requires the FTC to establish and enforce a Do Not Track system. Under the bill, covered entities are prevented from collecting data from users that send DNT signals (“other than such data as is necessary” for the operation of its website, service or application), using that data for a secondary purpose, such as targeted advertising, or sharing the data with third parties unless the user “expressly consents.” Covered entities are also prohibited from denying access to services or providing different levels of access or service to users who employ the DNT signal. This bill has been referred to the Senate Committee on Commerce, Science, and Transportation.

DASHBOARD Act

The Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data Act was introduced in June by Sen. Warner and co-sponsored by Sen. Hawley. This bill requires social media services with more than 100 million monthly active users to disclose not only the types of data they collect, but also the value of that data. Moreover, the bill would give users the right to request the deletion of all or individual fields of data that commercial data operators have collected about them. In late October, this bill was the subject of hearings in the Senate Committee on Banking, Housing, and Urban Affairs.

ACCESS Act

Introduced in late October, the Augmenting Compatibility and Competition by Enabling Service Switching Act is another bill sponsored by Sen. Warner and co-sponsored by Sens. Blumenthal and Hawley. This bill requires large communication platform providers to, at the request of the user, “initiate the secure transfer of user data,” essentially granting users the right to data portability. The bill has been referred to the Senate Committee on Commerce, Science, and Transportation.

BROWSER Act

Introduced in the Senate in April, the Balancing the Rights of Web Surfers Equally and Responsibly Act is sponsored by Sen. Blackburn, with Sens. Tammy Duckworth, D-Ill., and Martha McSally, R-Ariz., joining as co-sponsors in July. This bill requires broadband internet access service and edge providers to notify users of their privacy policies. It also requires covered entities to obtain opt-in approval from a user to use or disclose the user’s sensitive information and obtain opt-out consent to use or disclose non-sensitive information. This bill has been referred to the Senate Committee on Commerce, Science, and Transportation.

Protecting Personal Health Data Act

Introduced in June, the Protecting Personal Health Data Act is another data privacy bill sponsored by Sen. Klobuchar and co-sponsored by Sen. Lisa Murkowski, R-Alaska. The purpose of this bill is to address gaps in Health Insurance Portability and Accountability Act regulation by regulating entities such as wearable fitness trackers and social media sites that collect health information. It would require the promulgation of such regulations by the secretary of Department of Health and Human Services. This bill has been referred to the Senate Committee on Health, Education, Labor and Pensions.

Commercial Facial Recognition Privacy Act

The Commercial Facial Recognition Privacy Act, sponsored by Sen. Roy Blunt, R-Mo., and co-sponsored by Sen. Brian Schatz, D-Hawaii, prohibits the use of facial-recognition technologies in the absence of affirmative consent from individuals. This bill has been referred to the Senate Committee on Commerce, Science, and Transportation.

Facial Recognition Technology Warrant Act

The Facial Recognition Technology Warrant Act was introduced Nov. 14 by Sen. Christopher Coons, D-Del., and co-sponsored by Sen. Mike Lee, R-Utah. Notably, the bill would require law enforcement agencies, including the Federal Bureau of Investigation and Immigration and Customs Enforcement, to obtain a warrant to use facial-recognition technology to surveil individuals. This bill has been referred to the Senate Committee on the Judiciary.

Areas of bipartisan agreement

Regarding bipartisan agreement around data privacy, Republican and Democratic lawmakers seem to be hard at work forging agreements beyond the notice-and-choice paradigm, which had been the crux of bipartisan bills introduced before COPRA and CDPA. Indeed, several of the bipartisan privacy bills introduced this term go little further than requiring companies to provide consumers with notice of their data use policies. These include the Filter Bubble Transparency Act, Social Media Privacy Protection and Consumer Rights Act, and BROWSER Act. A few bills, though, do go further by providing a right to access: the Social Media Privacy Protection and Consumer Rights Act, DASHBOARD Act, and ACCESS Act (vis-a-vis the right to data portability). One of these, the DASHBOARD Act, also provides a right to erasure.

Yet, a side-by-side analysis of COPRA and CDPA indicates there are emerging areas of bipartisan agreement beyond notice and choice. Indeed, requirements regarding consent, transparency, data security and corporate accountability have secured bipartisan support and are all likely be included in a federal privacy bill.

Yet, a side-by-side analysis of COPRA and CDPA indicates there are emerging areas of bipartisan agreement beyond notice and choice. Indeed, requirements regarding consent, transparency, data security and corporate accountability have secured bipartisan support and are all likely be included in a federal privacy bill. Yet, any new federal law that aims to offer meaningful privacy protection but does not adequately protect the rights to opt out, access, correction and deletion, among other rights and obligations, would appear to fall short of the standard set in California.

Conclusion

The bills outlined above represent the current state of bipartisan agreement on federal data privacy legislation. While many more bills related to data privacy have been introduced this year, most have attracted sponsors/co-sponsors from only one party and, thus, are unlikely to secure the support needed for passage in a divided Congress. It seems reasonable to assume that protections outlined in these bipartisan-sponsored data privacy bills and those found in both COPRA and CDPA have the greatest chances of inclusion in a federal bill that succeeds in gaining the votes necessary for adoption.

The introduction of new data privacy bills in Congress is not likely to abate soon. Reps. Frank Pallone Jr., D-N.J., and Jan Schakowsky, D-Ill., are reportedly working with Republican lawmakers on the Energy and Commerce Committee to develop a bipartisan piece of data privacy and security legislation. Yet, with the 2020 election campaign already underway, the window of opportunity for bipartisan legislation may be closing.

As congressional hearings and negotiations around privacy continue, it seems more true than ever that bipartisanship is necessary for comprehensive federal reform of U.S. privacy regulation.

Photo by Andy Feliciotti on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Müge Fazlioglu, CIPP/E, CIPP/US IAPP Staff Contributor
Tags
U.S.
Privacy Law
Comments

If you want to comment on this post, you need to login.

Related Stories
Notes from the IAPP, Nov. 1, 2019
Greetings from Portsmouth, New Hampshire. As we move into November, developments in privacy show no signs of slowing down. Location privacy emerged as a trending news theme this week, with a federal court in Maryland ruling that a dispute over the use of consumer location data by telecommunication...
Read More queue Save This
Related Stories
Tags
U.S.
Privacy Law
Recent Comments