Senate Hearing Panel Suggests a Bipartisan National Data Privacy Standard Could Include a Private Right of Action

A recent hearing at the Senate Committee on Commerce, Science, and Transportation explored the contours for a comprehensive and bipartisan federal data privacy law. Titled "Examining Legislative Proposals to Protect Consumer Data Privacy," the hearing featured an all-female panel of experts, including two former FTC leaders, and representatives from industry, academia, and consumer rights groups.

The panel discussion centered on current privacy legislation proposed by U.S. Senators Maria Cantwell (D-Wash.) and Roger Wicker (R-Miss.) which would provide consumers with greater security, transparency, choice and control over their personal information on- and off-line, and provide the Federal Trade Commission (FTC) with additional resources and authority to regulate. The hearing and written testimony are available on the Senate Committee's website.

Senator Cantwell's Consumer Online Privacy Rights Act (COPRA) and Senator Wicker's Consumer Data Privacy Act of 2019 (CDPA) cover much of the same ground and establish principles, rights and regulations that echo the California Consumer Privacy Act (CCPA) and the European General Data Privacy Regulation (GDPR). These include granting consumers rights: (1) of access, correction, deletion, and portability for personal information; (2) to give affirmative express consent before collection and processing of sensitive categories of information; and (3) to opt out of the sale or transfer of personal information. The legislative proposals also establish similar boundaries on how companies can collect, use, and share information and impose obligations on companies, including data minimization, use limitations, data security, and the responsibility to bind other companies that receive personal information to the same obligations.

Both bills recommend expanded FTC enforcement and rulemaking authority and provide state Attorneys General with authority to enforce a new law. The panelists contributed insight on a significant point of contention, specifically whether a new federal data privacy law should include a private right of action, allowing individual consumers to bring cases in addition to regulators. On one hand, with a strong new law that gives the FTC and state AGs the ability to enforce, a private right of action may not provide additional data privacy benefit. On the other hand, the FTC would need a radical increase in staff, technology and financial resources to effectively enforce any new law (it was noted in the hearing that the FTC currently has 40 dedicated data privacy staff, while the UK has more than 500 and Ireland more than 100)—increases that may not be realized. One solution proposed by the panelists would be to specifically delineate what provisions can be enforced via private right of action and under what conditions, thus avoiding abusive litigation and directing consumer redress to the most egregious violations and harms. Litigation controls could be crafted, including how a case proceeds to court, the standard by which statutory damages are triggered, the use of injunctive relief as well as imposing upon companies the responsibility for escalating and resolving data privacy issues through internal administrative processes.

Everyone agrees on the urgency and need of getting a new federal law passed given the looming effective date of CCPA and other patchwork laws, but details over the private right of action, federal preemption, and incorporation of related/important issues raised in other bills (The Filter Bubble Transparency Act, for example) will slow this roll.