“There’s no way the federal government is going to create a federal privacy law.” “It’s just not going to happen.” “Not a chance, no way, forget it.” “There isn’t a political will in Washington to get it done, and so we can all just assume that it’ll all be only the states issuing regulations for the near future.”
Yes, well, I realize that there’s been a great deal of chatter about the sudden push for legislation in Washington to address data security and the protection of consumer privacy. Some of it, certainly, came on the heels of GDPR, but a great deal more seemed to emerge in the wake of California’s development of the CalCPA, which creates the first substantively major development in American data security law in a generation. That effort has elicited some negative comparisons for Washington, along the lines of “why can’t Congress get its act together?”
The answer is complicated, but it has a great deal to do with two things. First, the very tech sector giants that lobbied against AB375 have a powerful voice in Washington, and that voice has consistently said “leave the Internet alone.” The second is that Congress….kind of doesn’t get the Internet.
I want to be careful here, and not just because I’m currently logged onto free wifi called “NSA Mobile Ops” (Hi guys!) It’s easy to malign legislators for not understanding the lingo. Everybody mocked Ted Stevens for saying that the Internet is “not something that you just dump something on. It’s not a big truck. It’s a series of tubes.” And Lindsay Graham was pilloried for asking Mark Zuckerberg “is Twitter the same as what you do?” The thing is, Stevens wasn’t really wrong (at a certain level of abstraction) and Graham was posing a rhetorical question about monopolistic practices, and not whether Facebook and Twitter did the same thing (which, as a frequent user of both, he already knew.)
What I mean by “Congress doesn’t get the Internet” is that, as a whole, Congress has very little experience handling Internet-related matters. Sure, they wrote CAN-SPAM (in 2003) and they technically have the power to regulate more broadly under the Commerce Clause, but really, they haven’t done much. That’s why the FTC has become the power player in privacy and internet regulation in the United States: Congress’s inactivity created a regulatory void, and the Commission stepped in to fill it.
So what happens when the legislature wades into an area it has little competency and little prior experience? The interest groups that lobby for (and often write) legislation have an outsized role to play, which loops us back to the first point I raised about interest groups. Depending on whom you ask, lobbyist-drafted legislation is either a horrible erosion of democracy or a good way to ensure that experts craft legislation. For our purposes, it’s a distinction without a difference, because the primary question concern for us is which lobby group will get influence over the drafting. Big tech companies? The US Chamber of Commerce? Privacy advocacy groups? You’ll get very different laws depending on who sits at the table.
So, what do the present spate of proposed federal laws say about who is involved? Interestingly, they demonstrate that no one has captured sufficient momentum to get a major law (whether friendly to Silicon Valley or to the Electronic Privacy Information Center) onto the books, and that no single lobbying group has garnered a great deal of interest for any law more broadly. The White House has talked with stakeholders and suggested an expansion of the NIST standards, and there is a proposed fintech law that might pass, but that’s about it. Legislators have noted their own frustration with the lack of progress as well as their constituents’, but nothing seems to be changing.
This isn’t a long way of saying that my predictions about “there isn’t going to be a federal law” weren’t wrong. I mean they weren’t, but that’s not the point. The point here is that these discussions inside Washington and out are important because they represent the very beginning of the conversation about privacy law in this country. That means that, regardless of your take on privacy and data security, the time to solidify your position and prepare your meaningful arguments is now, because there is a relatively small window during which you can make an impact on the development of the laws that will eventually emerge.
For instance, the FTC is hosting a listening campaign this fall, which is a great opportunity to provide input and learn what the key regulator is doing. It’s also certain that your company, and those in your sector, are far more attuned to the issues you face in data security and consumer protection than a staffer at FTC or someone from another industry. It may be worthwhile to collaborate on a white paper discussing how to balance consumer rights and business sense from your perspective to add to the conversation — and it’s unlikely that FTC would simply ignore a well-reasoned position.
Put simply, this is the opportunity to engage in the process that can, and probably will eventually produce an American data security law. Don’t miss it.