Cheat sheet: What to expect in state and federal privacy regulation in 2021
The promise of comprehensive federal privacy law has been dangled like a carrot before consumer watchdogs and privacy advocates for at least a decade. But without a nationwide privacy law protecting personal data privacy and security, the U.S. lags behind the European Union and several other countries across the globe — not to mention a growing number of states.
Looking ahead, experts disagree on the likelihood that a federal privacy law will pass this year or even this Congress. However, privacy lawyers and others interviewed by Digiday for this article say what happens in states will influence what happens at the federal level.
Here is a primer on where matters stand regarding state and federal privacy regulation:
- States are pushing full steam ahead on privacy law. The more states pile on privacy laws, the more pressure there is from business to create a simpler, perhaps weaker federal law.
- Despite bipartisan support for a federal privacy law, there remain significant gaps in approaches on the right and left, namely whether a federal law would override state and local laws and whether individuals get the right to sue violators.
The states are where the action is
Privacy bills are moving through multiple state legislatures, and more state laws will only increase pressure on the federal government to get a U.S.-wide law passed. Companies including Facebook and industry organizations like the Interactive Advertising Bureau have advocated for federal privacy legislation. Businesses want a single law to comply with, rather than many — especially if it’s weaker than what states have on the books.
“The one thing that might create the political pressure [for federal privacy legislation] is more individual states coming up with crazy draconian laws,” said Alan Chapell, president of privacy law firm Chapell and Associates.
The big influencers on state privacy bills are Europe’s sweeping General Data Protection Regulation and California’s now-strengthened privacy law. Maine’s 2019 privacy law, among the nation’s strictest, also holds weight.
New York tough
A tough New York bill has been criticized by businesses because it would require that consumers opt in to data collection, use and sales. It also considers things like user-generated content and online identifiers to be protected personal data. New York matters, of course, because it’s home to so many ad tech and media firms.
Weaker in Washington State…
Then there’s Washington, home to Amazon and Microsoft. Both firms support The Washington Privacy Act, but consumer and privacy advocates including the ACLU of Washington oppose the bill for not offering individuals sufficiently strong privacy protections or legal recourse. “What we don’t want to see is a weak state-level bill being modeled to form a federal level bill,” Jennifer Lee, tech and liberty manager for the civil liberties group, told Digiday.
The Washington bill would give the state attorney general the exclusive authority to bring legal action against violating companies, rather than giving individuals that right, which pleases businesses including Microsoft.
“If the Washington Privacy Act passes, that will likely influence other states who will be interested in passing similar protections for their own residents,” said Stacey Gray, senior counsel at Future of Privacy Forum, during a December media briefing.
Federal privacy proposals
By mid-2020 there were at least 11 privacy bills floating around Congress, not to mention others addressing specific issues related to privacy such as facial recognition and biometric data.
But privacy law watchers including Chris Pedigo, svp of government affairs at publisher group Digital Content Next, say two bills sponsored by the leaders of the Senate Commerce Committee are expected to serve as a launchpad for whatever final legislation comes out of negotiations, if anything does. Privacy law observers expect future legislation to emerge once lawmakers pick up negotiations on these earlier bills:
Introduced by Washington Democrat Sen. Maria Cantwell, COPRA calls for tighter restrictions on everyday digital ad practices compared to other federal bills. In particular, it would require “affirmative express consent” from consumers for processing and sharing of sensitive information which would include “information revealing online activities over time and across third-party website or on-line services.” In other words, the data building blocks of behavioral targeting.
“That by and large makes this an opt-in bill for the sharing of personal data,” wrote Justin Brookman, director of privacy and technology policy at Consumer Reports.
This bill is an amalgam of earlier privacy legislation, sponsored by Mississippi Republican Sen. Roger Wicker. The Safe Data Act is closer to other federal privacy bills in that it gives consumers the right to opt out of data collection, rather than requiring an opt-in for data use.
And, while it does require that individuals give affirmative express consent before sensitive data can be processed or transferred to a third party, the definition is less broad than what’s in COPRA. Still, it does consider precise geo-location information and persistent identifiers in the sensitive data category.
Sticking points: whose laws apply, who can sue
There are two more significant gaps between the Republican and Democratic approaches to federal privacy law that could stall agreement.
- First is whether a federal law would override state and local privacy law. Cantwell’s Democratic bill would not preempt state or local laws. Wicker’s Republican bill would. In general, privacy and consumer advocates want local and state laws to remain in effect, in part, because they could be stricter and give individuals the right to sue companies. Businesses, on the other hand, often lament the dreaded “patchwork” of state and local laws that keep their privacy counsels and developers busy with data rule compliance.
- The other sticking point centers on who has the right to sue companies that violate the law. The COPRA bill favored by Democrats supports the right for individuals to sue companies that flout the rules, opening up a wide world of opportunities for class action lawsuits. The Safe Data Act favored by Republicans would allow only state attorneys general to sue.
Other obstacles to federal law
Several other tech and data policy issues might clog up the legislative agenda, preventing movement on a privacy law. The congressional docket might include addressing big tech antitrust, quelling social media-fueled disinformation, possible changes to Section 230 of the Communications Decency Act (which protects digital media firms from certain content liability) and updating security rules for cross-border data transfers.
“The question is will the complexity of urgency on [Section] 230 and competition issues and others just swamp up the calendar, but we’re really at the finish line,” said Future of Privacy Forum CEO Jules Polentsky during that December media briefing.
Room for compromise?
Polentsky suggested passage of a privacy law could be an opportunity for a bipartisan win (for those congressional members who are actually into the whole “unity” thing).
“There’s a lot of room for nuance and compromise” on issues such as preemption, Polentsky said.
But Pedigo of Digital Content Next said a federal privacy law is “unlikely” because “Congress is fairly divided. They’re going through another impeachment proceeding now, so that tends to divide things even further.”
Cheat Sheet: Google unveils timeline for a more ‘responsible’ cookie death clock
Google elaborated on its timeline for killing off third-party cookies as part of its promises to the UK's antitrust authority.
How news publishers are using the Olympics and AR to flex their emerging tech storytelling
Big publishers like The Washington Post and USA Today are developing and expanding AR storytelling around the Olympic Games.
‘Weak Sauce’: New industry tool for opt-out from email-based tracking misses ID tech and key players like Facebook and Liveramp
The Network Advertising Initiative's new privacy control is intended to stop email-based audience matching — often referred to as onboarding.
SponsoredHow the ad industry can use its borrowed time to future-proof first-party data solutions
Trent Lloyd, co-founder and head of brand solutions, Eyeota Google’s updated timeline for its Privacy Sandbox rollout, including its two-year delay of third-party cookie deprecation on Chrome, didn’t come as a surprise to many industry observers, given the limited utility of Google’s FLoC and the slow momentum of the Privacy Sandbox in the World Wide […]
Member ExclusiveMedia Briefing: Publishers’ programmatic ad businesses have rebounded to pre-pandemic levels
This week's Media Briefing looks at how the pandemic and the cookie's eventual demise have created the conditions for the programmatic ad market that publishers have been pushing for, with a shift to private buying coinciding with prices pushing past pre-pandemic levels.
‘They will need to use multiple routes’: Shifts appear in the publisher-SSP union, as alternative identifiers proliferate
As the ad tech industry rewires itself around the contours of privacy, supply-side platforms are reinventing themselves (again).