New Republican SECURE Data Act Offers Middle of the Road Solution


Over the years, we have followed unsuccessful attempts by Congress to develop a national consumer privacy law. Each time, two key issues have frustrated passage: (1) the degree to which, if at all, a federal law should preempt state consumer privacy laws (CPLs); and (2) whether there should be a private right of action. The now 22 state CPLs have all avoided a private right of action, so potentially that issue will not be as contentious this go-around. Also, the 22-state patchwork makes a case for the federal government to at least set a ceiling, if not completely occupy the field. However, California, Colorado, Connecticut, Oregon, Minnesota, Maryland and other states seem intent on maintaining a higher level of privacy protection than a baseline, and the Congresspersons and Senators from these higher watermark states may well continue to resist preemption, or at least raise the national bar.

The new House Republican bill, the SECURE Data Act, is at best pretty middle of the road compared to the patchwork of state CPLs and would establish a single national regime that completely overrides state CPLs: “No State or political subdivision of a State may prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law, if such law, rule, regulation, requirement, standard, or other provision relates to the provisions of this Act.” It was introduced along with an amendment to the Gramm-Leach-Bliley Act, the GUARD Financial Data Act. The House Committee on Energy & Commerce sums up both bills here.

One fairly unique proposal under the SECURE Data Act is the concept of government approval of a business’ compliance program, through a “Code of Conduct” outlining how it will comply, with independent auditor assessments, which would qualify a business for a rebuttable presumption of compliance and an opportunity to cure compliance failures. Similar schemes have been floated before, and the Tennessee CPL has something of a safe harbor tied to the NIST Privacy Framework that is somewhat akin to this. It will be interesting to see if such a public policy approach gains traction, even if the SECURE Data Act proves to be another unsuccessful attempt at federal consumer privacy legislation. Privacy World will provide more detail as the legislative process on this effort advances, if it does.


