Cheat sheet: What to expect in state and federal privacy regulation in 2021
The promise of comprehensive federal privacy law has been dangled like a carrot before consumer watchdogs and privacy advocates for at least a decade. But without a nationwide privacy law protecting personal data privacy and security, the U.S. lags behind the European Union and several other countries across the globe — not to mention a growing number of states.
Looking ahead, experts disagree on the likelihood that a federal privacy law will pass this year or even this Congress. However, privacy lawyers and others interviewed by Digiday for this article say what happens in states will influence what happens at the federal level.
Here is a primer on where matters stand regarding state and federal privacy regulation:
- States are pushing full steam ahead on privacy law. The more states pile on privacy laws, the more pressure there is from business to create a simpler, perhaps weaker federal law.
- Despite bipartisan support for a federal privacy law, there remain significant gaps in approaches on the right and left, namely whether a federal law would override state and local laws and whether individuals get the right to sue violators.
The states are where the action is
Privacy bills are moving through multiple state legislatures, and more state laws will only increase pressure on the federal government to get a U.S.-wide law passed. Companies including Facebook and industry organizations like the Interactive Advertising Bureau have advocated for federal privacy legislation. Businesses want a single law to comply with, rather than many — especially if it’s weaker than what states have on the books.
“The one thing that might create the political pressure [for federal privacy legislation] is more individual states coming up with crazy draconian laws,” said Alan Chapell, president of privacy law firm Chapell and Associates.
The big influencers on state privacy bills are Europe’s sweeping General Data Protection Regulation and California’s now-strengthened privacy law. Maine’s 2019 privacy law, among the nation’s strictest, also holds weight.
New York tough
A tough New York bill has been criticized by businesses because it would require that consumers opt in to data collection, use and sales. It also considers things like user-generated content and online identifiers to be protected personal data. New York matters, of course, because it’s home to so many ad tech and media firms.
Weaker in Washington State…
Then there’s Washington, home to Amazon and Microsoft. Both firms support The Washington Privacy Act, but consumer and privacy advocates including the ACLU of Washington oppose the bill for not offering individuals sufficiently strong privacy protections or legal recourse. “What we don’t want to see is a weak state-level bill being modeled to form a federal level bill,” Jennifer Lee, tech and liberty manager for the civil liberties group, told Digiday.
The Washington bill would give the state attorney general the exclusive authority to bring legal action against violating companies, rather than giving individuals that right, which pleases businesses including Microsoft.
“If the Washington Privacy Act passes, that will likely influence other states who will be interested in passing similar protections for their own residents,” said Stacey Gray, senior counsel at Future of Privacy Forum, during a December media briefing.
Federal privacy proposals
By mid-2020 there were at least 11 privacy bills floating around Congress, not to mention others addressing specific issues related to privacy such as facial recognition and biometric data.
But privacy law watchers including Chris Pedigo, svp of government affairs at publisher group Digital Content Next, say two bills sponsored by the leaders of the Senate Commerce Committee are expected to serve as a launchpad for whatever final legislation comes out of negotiations, if anything does. Privacy law observers expect future legislation to emerge once lawmakers pick up negotiations on these earlier bills:
Introduced by Washington Democrat Sen. Maria Cantwell, COPRA calls for tighter restrictions on everyday digital ad practices compared to other federal bills. In particular, it would require “affirmative express consent” from consumers for processing and sharing of sensitive information which would include “information revealing online activities over time and across third-party website or on-line services.” In other words, the data building blocks of behavioral targeting.
“That by and large makes this an opt-in bill for the sharing of personal data,” wrote Justin Brookman, director of privacy and technology policy at Consumer Reports.
This bill is an amalgam of earlier privacy legislation, sponsored by Mississippi Republican Sen. Roger Wicker. The Safe Data Act is closer to other federal privacy bills in that it gives consumers the right to opt out of data collection, rather than requiring an opt-in for data use.
And, while it does require that individuals give affirmative express consent before sensitive data can be processed or transferred to a third party, the definition is less broad than what’s in COPRA. Still, it does consider precise geo-location information and persistent identifiers in the sensitive data category.
Sticking points: whose laws apply, who can sue
There are two more significant gaps between the Republican and Democratic approaches to federal privacy law that could stall agreement.
- First is whether a federal law would override state and local privacy law. Cantwell’s Democratic bill would not preempt state or local laws. Wicker’s Republican bill would. In general, privacy and consumer advocates want local and state laws to remain in effect, in part, because they could be stricter and give individuals the right to sue companies. Businesses, on the other hand, often lament the dreaded “patchwork” of state and local laws that keep their privacy counsels and developers busy with data rule compliance.
- The other sticking point centers on who has the right to sue companies that violate the law. The COPRA bill favored by Democrats supports the right for individuals to sue companies that flout the rules, opening up a wide world of opportunities for class action lawsuits. The Safe Data Act favored by Republicans would allow only state attorneys general to sue.
Other obstacles to federal law
Several other tech and data policy issues might clog up the legislative agenda, preventing movement on a privacy law. The congressional docket might include addressing big tech antitrust, quelling social media-fueled disinformation, possible changes to Section 230 of the Communications Decency Act (which protects digital media firms from certain content liability) and updating security rules for cross-border data transfers.
“The question is will the complexity of urgency on [Section] 230 and competition issues and others just swamp up the calendar, but we’re really at the finish line,” said Future of Privacy Forum CEO Jules Polentsky during that December media briefing.
Room for compromise?
Polentsky suggested passage of a privacy law could be an opportunity for a bipartisan win (for those congressional members who are actually into the whole “unity” thing).
“There’s a lot of room for nuance and compromise” on issues such as preemption, Polentsky said.
But Pedigo of Digital Content Next said a federal privacy law is “unlikely” because “Congress is fairly divided. They’re going through another impeachment proceeding now, so that tends to divide things even further.”
Cheat Sheet: At IAB Podcast Upfront, diverse voices take center stage while podcast advertising revenue and audiences boom
Most of the companies that presented at the IAB Podcast Upfront signaled they had or were going to add more diversity to their programming, both in hosts and content.
Member ExclusiveMedia Briefing: What media companies’ latest earnings reports say about the state of the industry
Media companies' Q1 earnings reports signaled a continued return to business as usual — for better or worse, depending on the company's digital business.
‘Brands tend to be selective’: OMG report offers options to media buyers facing upfront inventory crunch
With a tight upfront TV marketplace expected, one agency group is recommending alternatives in video and CTV.
SponsoredHow The Company Store is reimagining customer experiences for pandemic-era growth
Throughout the pandemic, some retail categories have been inherently successful. Home furnishings and décor are among them; with consumers spending so much more time at home, updates and renovations flourished. Criteo data from the first half of 2020 showed sales for items like outdoor furniture sets up 434% year over year, with other home items […]
‘You’re fixing a number, not changing the culture’: Confessions of a media exec on diversity quotas
In the rush to improve diversity rates, businesses are in danger of overlooking more fundamental ways to sustain inclusivity in the workplace, according to our latest Confessions interviewee.
‘Direct revenue driver’: How local broadcaster News 12 is partnering with Google to build a younger audience
Local broadcaster used support and funding from Google News Initiative to build a new tool that can automatically identify and feed video content into new website verticals.