Divya Blog

2023, Let’s Make it Our Legacy: the Year to Pass Federal Privacy

Written by: Divya Sridhar and Grant Gendron

America wants privacy, but our policymakers remain divided about getting a deal done. The benefits of a federal privacy law are clear and can be summed up in five “S”s: we need a federal privacy law for stability, solidarity, sales, security, and to stay up to speed. Privacy legislation is critical to keeping the American dream intact.

There are at least five critical reasons why Congress needs to act NOW to pass federal privacy legislation.

In 2023, passing a federal privacy law is: 

1) a critical part of the 2023 federal directive of U.S. policymakers; 

2) imperative based on its economic impact on the global economy and cross border data flows;

3) long overdue to keep America globally competitive and technologically relevant; 

4) deemed essential to strengthening our nation’s national security; and 

5) the ultimate exemplar of leadership, dignity, and strength for the United States. 

Read each of our posts to learn more about the facts and figures that make the case.

U.S. Policymakers Are Elevating Privacy as Part of their 2023 Directive

In at least one way, the new year has begun where 2022 ended: with a call from the highest ranks of government to advance federal privacy legislation. In a recent Wall Street Journal op-ed, President Biden urged Congress to unite in a bipartisan way to pass federal privacy legislation that would place new guardrails on business and ensure special protections for children and vulnerable communities. Leaders from Congress [House Energy & Commerce Committee Chair Cathy McMorris Rodgers and Representative Frank Pallone] and the Administration [Alan Davidson, Assistant Secretary for Communications and Information at the U.S. Department of Commerce] have echoed this sentiment.

The years-long effort to advance federal privacy legislation holds promise in the 118th Congress. Though the House of Representatives has flipped to a Republican majority, key members – including Chair Cathy McMorris Rodgers and Ranking Member Rep. Pallone – have long advocated for federal privacy legislation. And key members in the Senate – including Senators Cantwell and Cruz, Majority and Ranking Leader, respectively, on the Senate Commerce Committee – have expressed support for this effort.

Last year, federal privacy legislation came closer than it had in many years to being finalized. The “Three Corners” introduced and quickly advanced federal privacy legislation in the summer of 2022, a signal from Rep. Frank Pallone (then Chair of the House Energy and Commerce (E&C) Committee), Leader Cathy McMorris Rodgers (then Ranking Member of House E&C), and Senator Roger Wicker (then Ranking Member of the Senate Commerce Committee) that privacy legislation was a top priority of theirs. The bill sailed through the House subcommittee on consumer protection, but stopped short of making its way to the House floor for a vote prior to the midterms.

Recent developments at the FTC, including its Advance Notice of Proposed Rulemaking (“ANPR”) on Commercial Surveillance and Data Security to tackle privacy, also signal the need for movement at the federal level. But federal legislation would be a more impactful, purposeful and decisive approach, as FTC Chairs have also highlighted. (SIIA’s comment can be found here.)

Moving legislation forward is the best way to get the wheels in motion. Policymakers must finalize negotiations on what a federal standard on privacy looks like for the United States.

Inaction on Privacy is Directly Harming the U.S. Economy

As of this writing, only a few weeks into the new year, there are at least eight states with active consumer privacy legislation. We expect much more activity in the coming months. For reference, by last October, more than 34 states had introduced or passed privacy bills (in at least one chamber) focused on commercial collection and use of personal data. Five state consumer privacy laws (California, Virginia, Colorado, Utah, and Connecticut) are on the books and are at various stages of implementation and enforcement. Keeping up with the patchwork of state laws (to say nothing of laws abroad) is now a full-time job.

The Information Technology and Innovation Foundation (ITIF) analyzed the impact of the state privacy patchwork on businesses, particularly those that serve customers across state lines. It notes that businesses engaging in interstate commerce are subject to a combination of different state privacy laws, which creates a multiplier effect and has led to expensive and redundant compliance efforts. The costs are not negligible: it is estimated that state privacy laws could lead to somewhere between $98 billion and $112 billion annually, which over a 10-year period would lead to over $1 trillion in out-of-state costs for businesses. 

These different laws can disrupt business flow (and add further costs) when the legislation and any respective guidance take a unique approach to how businesses and other entities must comply. For example, Colorado’s recent draft guidance includes an approach to the universal opt-out mechanism that differs from California’s regulatory approach. The states also have unique views on definitions, including how the states categorize the entities that are expected to comply with the law; the exemptions these entities receive; and the way the state lawmakers define terms such as “sensitive data,” “biometric data,” and “automated decision making/profiling.” These distinctions have significant consequences for business compliance. Knowing that a federal privacy bill is coming could influence states’ approaches to their own legislation this year. But the bottom line is that one uniform bill – covering consumer privacy practices across the nation – is better than many bifurcated approaches.

In addition to draining U.S. businesses, inaction disproportionately harms small businesses and new market entrants. ITIF states that small businesses could face $20–23 billion in out-of-state compliance costs annually. These businesses are the backbone of the U.S. economy. The Harvard Business Review documents that they account for 48% of all U.S. jobs and contribute to 43% of the U.S. GDP. We need to keep them afloat and thriving. 

Enforcement plays a part in this math too. As any Chief Privacy Officer and Chief Security Officer knows, privacy violations and data breaches can be existentially costly for businesses. Expensive litigation and enforcement actions are becoming more common by the month, with recent enforcement actions by the FTC related to Ed-Tech company Chegg and data broker Kochava, and California’s action against beauty product company Sephora, making headlines. Last December, Epic Games agreed to settle privacy and dark-patterns claims for its Fortnite game in an amount exceeding $500M, including the FTC’s largest administrative enforcement yet.

Passing a uniform privacy standard that levels the playing field and includes appropriate exemptions is a necessary first step to protecting our economy from fiscal standstills that result from stagnant cross border data flows, unnecessary multiplier effects, and expensive litigation.

Privacy is Essential to the United States’ Competitiveness Abroad

In 2018, the European Union set a critical precedent on what privacy regulation should look like for its member states by passing the GDPR. Since then, many countries have followed in the EU’s footsteps and finalized privacy laws, leaving the United States behind. These include privacy acts in countries like Canada, New Zealand, Brazil, Singapore, Thailand, Germany, Switzerland, and proposed developments in the UK and India. 

More recently, the EU, United States, and other countries are working to streamline interoperability on data privacy rules, through new bilateral and multilateral data privacy agreements, global cross border mechanisms, and cooperations. Key among them is the recent draft adequacy decision for the U.S. and EU’s Trans-Atlantic Data Privacy Framework (TADPF). The EU itself continues charging ahead to set standards for the rest of the world, most recently with the EU AI Act and the Data Act. For its part, the Organization for Economic Co-operation and Development (OECD) has adopted the first intergovernmental agreement towards safeguards for privacy, civil liberty, and human rights, as it concerns securing personal data in the context of national security and law enforcement.

If we look strictly at the numbers, cross border data flows are essential to the global economy. In 2022, 2 trillion dollars worth of data was affected by cross border flows, a figure expected to rise to an estimated 15 trillion dollars by 2025. The United States will be at a disadvantage negotiating cross border data flows if it lacks its own national privacy standard.

We must act now on data privacy to keep up in the global race on emerging technology, as data is the foundation underlying emerging technology. Without a privacy law in place, the United States will appear behind the >150 countries that have already passed privacy laws. These optics do not paint the United States as a fair trade and tech economic partner, even though it is leading the development of privacy-related pillars and principles in the Indo-Pacific Economic Framework for Prosperity (the IPEF) and the Trade and Technology Council (TTC).

By passing a federal privacy law, the United States can take part in shaping a pro-innovation, pro-democratic privacy landscape to counter the digital authoritarianism movement that imposes serious obstacles to trade.

Privacy is Increasingly Essential to Uphold National Security

Comprehensive federal privacy legislation is also critical to advance national (and international) security. The recent scandals regarding potential misuses of data by TikTok have put this squarely in the spotlight. Several states, along with the federal government, have banned the use of TikTok on government devices. Congress has also introduced bipartisan legislation to ban the notorious TikTok app based on data security and privacy concerns. Lax privacy rules can foster greater mistrust in the online ecosystem and enable the spread of misinformation. This issue is now front and center with scrutiny focused on Twitter following moves by Elon Musk that would weaken privacy protections and trust and safety oversight (echoed in this 2022 whistleblower testimony).

A uniform set of rules on data privacy is fundamental to the spirit of innovation, productive research, and creative authorship and will mitigate these national security concerns. Discussion about furthering the principles of a free-flowing internet has been made by G7 leaders, the World Trade Organization and the Organization for Economic Cooperation and Development. 

To this end, the Administration – as part of its broader goals to support the G7 and secure its place on the world stage – has undertaken at least three critical efforts in the past few months that underscore the impact of data privacy on national security. These efforts include the new Open Government National Action Plan, privacy as part of the 2022 National Security Strategy, and the White House cyber labeling initiative for the IoT.

  • The Open Government Action Plan aims to increase the public’s access to data and improve how data is used by the government while improving the delivery of services and benefits. By publishing this plan and advocating for a more data rich ecosystem, with the government as the central decision maker, the Administration is signaling the need for new opportunities, embedded carefully in protections and guardrails that uphold national security. This initiative works hand in hand with federal privacy legislation. 
  • The 2022 National Security Strategy recognizes that an international technology ecosystem is critical to protecting our security and privacy, as a core component of “U.S. and allied technology leadership.” The international economic system should be “fit for contemporary realities,” including “high standards and protections for stability, privacy, and security” to reinforce the U.S.’s “global primacy.” 
  • Additionally, the White House announced a cyber labeling initiative for the Internet of Things (IoT) in October 2022. After a listening session with attendees including the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), the FTC, the Consumer Product Safety Commission, manufacturers, standards-setting bodies, and other stakeholders, the White House identified concerns about the ease with which bad actors can exploit poorly secured devices to steal data, cause disruption, or conduct surveillance. A contemplated solution is a cybersecurity label barcode that could be scanned for real-time security information.

These efforts would be further bolstered, and would have more cohesive outcomes for the government and its stakeholders, if the United States were to pass a federal privacy law.

The United States can Demonstrate Leadership Through its own Unique Model for Privacy and Innovation

The United States recognizes the EU GDPR’s shortcomings and must avoid passing a law that repeats similar mistakes. We can learn from the GDPR experiment but cannot (and should not) model it exactly. There are several compelling reasons why.

Despite any of its privacy benefits, the GDPR has deterred innovation. First, the GDPR does not include exemptions for small and medium sized enterprises (SMEs), which harms those players who are the backbone of the U.S. economy. Second, the National Bureau of Economic Research (NBER) researched the GDPR’s impact, including implications for both the supply and demand sides of the equation. After reviewing 4.1 million apps at the Google Play Store from 2016 to 2019, NBER notes that GDPR has induced the exit of about a third of available apps; and, since GDPR implementation, has led to half the number of new market entrants in the app marketplace. On the demand side, GDPR reduces consumer surplus and aggregate app usage by about one third. And, the research suggests that GDPR has generated significant consent fatigue, making it a less commendable model from a consumer and business usability standpoint. This is to say nothing of the immense fines being paid to Europe for tracking or targeted advertising in violation of the GDPR. 

For these reasons, other countries like the United Kingdom have made the steady shift from a pro-GDPR model, to a UK GDPR, and now to a forthcoming model that will bolster competition and innovation. All the while, the UK has retained appropriate safeguards for individual privacy and data protection. The Inaugural Meeting of the U.S. and UK Comprehensive Dialogue on Technology & Data further underscores this theme.

As it develops a federal privacy law, the United States must take our Constitution’s First Amendment rights of free speech into consideration (which are not woven into the EU’s GDPR). SIIA has played a pivotal role in shaping the development of state consumer privacy laws – including in Colorado and California – to ensure that they include these considerations and would pass constitutional muster. 

America can benefit from the excellent lessons learned from the GDPR. It should prompt us to tailor a U.S. law to help, rather than hinder, the political economy. It should also prompt us to focus on carefully factoring in the individual rights we are granted by the U.S. Constitution. 

In a nutshell:

While there are many more reasons than the ones stated here, we hope these five will prompt Congress to act NOW to move federal privacy legislation forward. 

You can see our previous blog on the topic here.


Draft Regulations Comments on Colorado Privacy Act

On behalf of the Software and Information Industry Association (SIIA), we write in response to General Weiser’s office’s request for input with regard to the draft rules supporting the Colorado Privacy Act (CPA).

We write to propose several modifications that would make the CPA draft regulations stronger.

Read the full letter here.

Thank you for considering our suggested revisions to the CPA draft regulations. We are happy to discuss in further detail, as appropriate.


SIIA letter to the California Privacy Protection Agency

SIIA writes in response to the California Privacy Protection Agency’s draft modified rules to implement the California Privacy Rights Act (CPRA) and update existing regulations under the California Consumer Privacy Act (CCPA).

We commend the CPPA for taking SIIA’s (and other stakeholders’) constructive feedback and have provided recommendations to better align the CPRA regulations with the letter and spirit of the statute. SIIA recommends the following edits. Read here.


5 Reasons Congress Needs to Act NOW on Federal Privacy Legislation


In a nutshell: Voters want it. The other branches of government agree we need it. The United States and the global economy are hurt without it. The United States can and should do more to set the rules of the road.

While there are many more reasons than the ones stated here, we hope that these five reasons alone will prompt Congress to act NOW to move federal privacy legislation forward.

There are at least five critical reasons why Congress needs to act NOW to pass federal privacy legislation. 

1) Polling research demonstrates that privacy – not tech regulation – is one of the top issues voters care about. 

In recent months, tech regulation – through competition and antitrust reform – has been at the forefront of Congressional hearings and the public discourse. But the verdict is in about where voters really want to see action: polling research states that approximately 76% of Americans choose privacy and data security as their top priority, compared to 16% who choose competition and antitrust issues. Other results from Morning Consult and Politico reaffirm this resounding public interest: more than half of all American voters support passage of a federal data privacy law.

As we make our way into the upcoming midterm election season, legislators need to make data privacy a priority to fulfill the compelling requests of voters. Let’s give voters what they want!

2) There is a united consensus across the branches of Government to move privacy forward as a priority.

In his State of the Union speech earlier in the year, President Biden called for strengthening privacy protections, signaling to Congress to act. And the FTC’s Chair Lina Khan noted in her first public address that she anticipates privacy and data security rulemaking as an opportunity to further update the FTC’s approach to data practices. This, coupled with the latest news regarding a leaked draft majority ruling by the Supreme Court on individual rights to privacy, is an important wake-up call to Congress that it must take action now. Action can have wide-ranging implications across every aspect of our lives.

The best way to get the wheels in motion is to move legislation forward and to finalize negotiations on what standard makes sense for the United States.

3) The cost of inaction is devastating for the U.S. economy.

At least 34 states have passed or introduced privacy bills focused on commercial collection and use of personal data. Five state consumer privacy laws – in California, Virginia, Colorado, Utah, and Connecticut – are on the books and are in the process of being implemented. Some would say keeping up with the plethora of state consumer privacy laws may be harder than keeping up with the Kardashians!

ITIF analyzed the impact of the state privacy patchwork on businesses, particularly those that serve customers across state lines. It notes that such businesses are subject to not just one, but a combination of state privacy laws, which creates a multiplier effect and has led to expensive and redundant compliance efforts. The costs are not negligible: it is estimated that state privacy laws could lead to somewhere between $98 billion and $112 billion annually, which over a 10-year period would lead to an excess of $1 trillion in out-of-state costs for businesses. The failure of Congress to act is a drain on U.S. businesses, cripples the U.S. economy, and disproportionately harms small businesses and new market entrants.

Further, ITIF states that small businesses could face $20–23 billion in out-of-state compliance costs annually. These businesses are the backbone of the U.S. economy. Harvard Business Review documents that they account for 48% of all U.S. jobs and contribute to 43% of the U.S. GDP. We need to keep them afloat and thriving. 

Passing a uniform privacy standard that levels the playing field and includes appropriate exemptions is a necessary first step to supporting our local mom and pops.

4) Privacy plays an important role in helping the United States keep its foothold in the geopolitical economy.

In 2018, the European Union set a critical precedent – some would say a dangerous one – on what privacy regulation should look like for its member states by passing the GDPR. Since then, many countries have followed in the EU’s footsteps and finalized privacy laws, leaving the United States behind. More recently, the EU, United States, and many other countries are also working through new bilateral and multilateral data privacy agreements and cooperation. Without a privacy law in place in the United States, some would argue that it creates an unlevel playing field to reach decisions about adequacy and being a “fair” trade and tech economic partner. 

Following GDPR and in the absence of any U.S. action, the EU, India and close to 50 other countries are shaping efforts grounded in data localization, a climate that is unworkable from a trade perspective. Countries may view data localization as a means to furthering their own economic interests and to keeping stronger control and oversight over data privacy and security practices within their borders. Such values run counter to the pro-democratic nature of U.S. technology, innovation, and competition policies.

We live in a borderless, digital economy, where governments cannot and should not be permitted to store and process copies of proprietary data on their turf – it goes against the fundamental spirit of innovation, productive research and creative authorship and it harbors serious national security concerns. Discussion about furthering the principles of a free-flowing internet has been made by G7 leaders, the World Trade Organization and the Organization for Economic Cooperation and Development.

By passing a privacy law, the United States can take part in shaping a pro-innovation, pro-democratic privacy landscape to counter the digital authoritarianism movement that imposes serious obstacles to trade.

5) The United States can demonstrate leadership through its own unique model for privacy, using a pro-innovation lens, as well as factoring in our federal constitutional rights and history. 

The United States is aware of the shortcomings of GDPR and must avoid passing a law that would repeat the mistakes made by countries complying with the GDPR. We can learn from the GDPR experiment but cannot – and should not – model it exactly. There are a handful of compelling reasons why.

It is clearly evidenced that, regardless of its privacy benefits, GDPR has deterred innovation. First, the GDPR does not include exemptions for SMEs, which, as noted earlier, would be problematic for these players who are the backbone of the U.S. economy. Second, the National Bureau of Economic Research (NBER) just came out with research about the impact of GDPR, including implications for both the supply and demand sides of the equation. After reviewing 4.1 million apps at the Google Play Store from 2016 to 2019, NBER notes that GDPR has induced the exit of about a third of available apps; and, since GDPR implementation, has led to half the number of new market entrants in the app marketplace. On the demand side, GDPR reduces consumer surplus and aggregate app usage by about one third. And the research suggests that GDPR has generated significant consent fatigue, making it a less commendable model from a consumer and business usability standpoint.

In addition to this, as it develops a federal privacy law, the United States would need to take U.S. First Amendment rights, including free speech and individual rights, into consideration (which, of course, are not woven into the EU GDPR). SIIA has played a pivotal role in shaping the development of state consumer privacy laws to ensure that they include these considerations and would pass constitutional muster.

We can benefit from the excellent lessons learned from the GDPR. It should prompt us to tailor a U.S. law to help, rather than hinder, the political economy. It should also prompt us to focus on carefully factoring in the individual rights we are granted by the U.S. Constitution.