The recent passage of the California Consumer Privacy Act (CCPR) earlier this summer and the entry into force of the General Data Protection Regulation (GDPR) last May has put consumer privacy squarely on the national agenda. Now there are signs that government is responding. While a number of privacy bills have been introduced in Congress that never made it out of committee, Senator John Thune (R-SD), the ranking Republican on the Senate Commerce Committee, recently indicated this may be changing. Thune opened a recent hearing of the Committee at which Google, Amazon, Twitter and AT&T commented that both Republicans and Democrats support a national privacy law, but noted: “the question is what shape that law should take.” The companies testifying expressed support for preemptive federal legislation that gives consumers more control over their data and stresses transparency, but avoids a one-size-fits-all approach that might stifle innovation.

In the wake of the hearing, the U.S. Department of Commerce National Telecommunications and Information Administration (NTIA) is now seeking comments on several high-level goals that are intended to protect consumer privacy while encouraging innovation. The strategy outlined in the Request for Comments is “outcome-based” rather than prescriptive and offers seven key objectives:

  1. The collection, use, sharing and storage of personal data should be transparent;
  2. Users should be able to exercise reasonable control over the collection, use, storage, and disclosure of their personal data;
  3. Data minimization principles should apply;
  4. Organizations should ensure safeguards are in place to protect personal data from loss and unauthorized use;
  5. Consumers should have the right to rectify and delete their personal data;
  6. Privacy tools should be flexible enough to encourage innovation while also protecting consumer data;
  7. Organizations should be accountable for data processing activities.

Comments are due to NTIA by October 26, 2018.

A number of trade associations, fearing unduly prescriptive federal legislation or a patchwork of state privacy laws, have also weighed in. The Chamber of Commerce, The Internet Association and other organizations recently published privacy proposals that call for preemptive, process-driven rules, themes that were echoed during the recent Commerce committee hearing. Senator Thune stated that a second hearing will take place starting in early October at which Alastair Mactaggart, the driving force behind the California ballot initiative whose withdrawal resulted in enactment of the CCPA, and European Data Protection Board (EDPB) Chairwoman Andrea Jelinek will testify.

Privacy legislation will likely continue to be a hot topic for the rest of the year, and for the new Congress in January, and we anticipate that state legislatures will also be looking at privacy and data security in 2019.