- As California's new digital privacy law nears its enforcement deadline, Congress is scrambling to come up with a stronger national law.
- Two issues — whether a state law can preempt a federal law and whether people can sue companies for alleged rights violations— are dividing Republicans and Democrats on the federal level.
- But some people working on privacy legislation are opting to postpone the most contentious discussions in favor of prioritizing strong language and enforcement.
As California's digital privacy bill hurtles toward the first day of enforcement on July 1, federal lawmakers are under pressure to establish a national standard.
Several proposals are making their way around Congress but two points of contention still threaten to hold up negotiations over new legislation. First is preemption: the question of whether a federal law should override state laws, which Republicans tend to favor to create consistency for businesses. Democrats often argue it would prevent states from creating stronger laws in the future.
Second is the question of whether individuals should be able to sue companies they believe violated their rights, a typically Democrat-backed concept known as private right of action. Republicans tend to argue it would result in frivolous and burdensome lawsuits on businesses.
These issues could prolong the debate over a federal law, leaving tech companies with greater uncertainty around how they'll need to change their businesses to comply with a growing set of state privacy laws. Tech executives have voiced their concerns to lawmakers directly, arguing that a disparate set of laws will be most burdensome on smaller businesses.
In interviews with CNBC, three members of the House of Representatives shared what they see as the path forward for privacy legislation, including how to gain bipartisan support. Despite differing views over the types of enforcement mechanisms that should be created and where the law should take precedence, they largely agreed that creating a strong federal bill with tough enforcement should take priority over discussions around the most contentious issues at play.
When it comes to the most divisive issues around digital privacy law, some lawmakers are opting to push them off.
The top Democrat and Republican on the House Subcommittee on Consumer Protection and Commerce, Rep. Jan Schakowsky, D-Ill., and Rep. Cathy McMorris Rodgers, R-Wash., have been working on a bill together that so far side-steps the questions of preemption and private right of action. That was a deliberate choice to focus on the language of the bill and get feedback from staff and industry stakeholders.
The thinking goes: Make a strong enough bill and those issues will be easier to resolve.
"If we have a great bill that is really, really strong, stronger than the California law or what Colorado or Washington state are looking at or what Europe is doing, we can have that conversation," Schakowsky said in an interview with CNBC last week, referring to the discussion around the two key issues. "But we can't start with that. … We aren't nearly there yet."
"Those issues absolutely have to be addressed. Those are important," McMorris Rodgers said last week. "In the staff draft we wanted to present strong language for people to consider so that it would be a model for the country. And our hope is that the stakeholders and industry would see this as a way to reach an agreement and then support this as the model for a national standard."
The issues may not be fully black and white.
"There may be ways to reach compromise," Schakowsky said. "Are there areas where states can fill gaps and go beyond what a federal bill would be? So you know, rather than just across the board, no preemption, we can look at that. We will look at that."
Other lawmakers have opted to tackle preemption and private right of action more directly. A bill lead by Sen. Maria Cantwell of Washington, the top Democrat on the Commerce Committee, includes the private right of action and does not preempt state laws. The Republican proposal, led by Commerce Committee Chairman Roger Wicker of Mississippi, takes the opposite stance on those issues. Still, at a committee hearing in December, senators on both sides echoed the need to come to a bipartisan solution.
A House bill proposed by two Silicon Valley Democrats, Reps. Anna Eshoo and Zoe Lofgren, does not include a provision preempting state laws. Eshoo said in an interview that she's willing to listen to her peers' thoughts on the matter but is hesitant to delete the work put forth by states.
"There's some states that are far ahead of the federal government, we haven't done a damn thing. So what are we going to say to them, wipe out what you've done? They're a thousand miles ahead of us at this point," she said.
Their bill also adds a sort of gatekeeper for individuals seeking to file suit against a company under their proposed legislation. The bill allows for individuals to sue for declaratory or injunctive relief or damages if they're not acting collectively, but for collective private civil actions, states can appoint nonprofits to pursue damages on behalf of constituents.
Some of Eshoo and Lofgren's proposals push the status quo of digital privacy enforcement far beyond what Schakowsky and McMorris Rodgers are considering.
The Silicon Valley members proposed establishing a new independent agency to handle complaints under the law and would allocate funds for it to staff up to 1,600 people. By comparison, Schakowsky and McMorris Rodgers propose adding a new bureau within the FTC and talk about employing hundreds of staffers to it, more similar to Republican and Democratic proposals floating around the Senate.
"We wanted our legislation to be comprehensive, we wanted it to be bold. We did not want to nibble around the edges," Eshoo said.
Eshoo said they opted for a new agency rather than a bureau within the FTC because the established agency lacks the culture to enforce the law.
"I'm not diminishing the people that are [at the FTC], and I'm sure that they work very hard, but you just can't say that this is a serious effort on the part of the American people relative to privacy and enforcement if you have a staff a size of mine. It just doesn't hold water," Eshoo said, adding that they looked to the structure of enforcement mechanisms in Europe to determine the appropriate approach. "If you don't have real enforcement, you're not taking it seriously. And the companies will know that. If you had 1,000 people in an agency, think of all of the floors of lawyers that are embedded in all of these companies. So in so many ways it's a drop in the bucket."
Creating a new agency is likely to see pushback from Republicans like McMorris Rodgers, who said she's generally "hesitant" about creating entirely new structures.
"I believe that the most effective way to provide the certainty as well as the enforcement is through the FTC, through the existing agency, and giving them more direction and more resources to be able to do that," McMorris Rodgers said.
The FTC currently has about 40 full-time staffers dedicated to privacy and data security issues, though experts from other areas of the commission will assist when needed, a spokesperson confirmed. In response to questions from House Energy and Commerce Committee Chairman Frank Pallone, D-N.J., FTC Chairman Joe Simons wrote in April that even having 100 new attorneys dedicated to privacy issues would have a significant impact on their enforcement abilities, allowing them to handle more cases and stay on top of emerging technologies and concerns.
Still, Eshoo and Lofgren's boldest policies could push the discussion around what should be included in a national law further than it might have otherwise gone. All three lawmakers interviewed acknowledged the urgency of pushing forward federal privacy legislation, but Eshoo said it's also important that Congress takes a strong stance this time, believing it could be a while before iterations will be made.
"I think that when Congress does pass online privacy legislation, that because it's such a major issue, it's not going to be revisited for probably a decade, quite frankly," she said. "So you want to get it right the first time."