A few years ago, after decades of debate, Congress came closer than ever to finally passing a federal privacy law. The Facebook-Cambridge Analytica scandal had laid bare the weakness of U.S. privacy laws and shown vividly how data can be reused and exploited for purposes we don’t expect or want. California had just enacted its own privacy law, raising the specter of multiple, conflicting laws at the state level. The EU had recently struck down the Safe Harbor Agreement, citing the weakness of U.S. privacy protections and halting many cross-border data flows. Consumer concerns about privacy had never been greater. And the similarities between Democratic and Republican privacy bills suggested compromise might finally be possible.
What happened? As so often has occurred over the past two decades, Congress failed to reach a deal. Then other events overtook us. Trump unexpectedly won the 2016 election. Covid spread throughout the world, killing people and shutting businesses. And as the tech platforms grew bigger and more powerful – seemingly untouched by Covid, market forces, and current law – the debate in Congress moved from protecting consumer privacy to reducing the size and power of these giants. Yes, the issues overlap, but they’re quite different too: Limiting the size and power of the platforms won’t ensure that they protect our privacy. And it won’t protect privacy across the vast ecosystem of companies that collect, infer, combine, use, and share personal details and predictions about us.
But we still need federal privacy legislation – in fact, we need it more than ever. In the 20+ years since Congress first started debating the issue, we’ve seen massive data collection, breaches, and misuse that harm consumers and give a black eye even to those companies trying to do right. Companies increasingly rely on algorithms to make decisions about consumers without adequate legal standards to guide them, creating real risks of discrimination. Consumer concerns about privacy continue to grow – shown not just in surveys, but in their refusal to use contact-tracing apps during the pandemic.
As if that weren’t enough, Virginia and Colorado have now joined California in enacting privacy laws, filling the federal vacuum but also making the fear of disparate state laws very real. The U.S. continues to run afoul of the EU with regard to data transfers. The FTC, despite years of effort to protect privacy using the general-purpose FTC Act, lacks sufficient authority and resources to hold companies fully accountable. Finally, recent Supreme Court rulings – limiting the FTC’s ability to obtain monetary relief and narrowly construing what constitutes privacy harm for purpose of standing – weaken privacy oversight and accountability even further.
Any one of these factors could and should have been a “tipping point” triggering Congress to act. But many “tipping points” have come and gone over the years. Congress needs to tackle the hard issues that divide it – including whether to preempt state privacy laws and permit private rights of action – and provide the leadership we have a right to expect. Consumers and businesses alike need clear privacy rules they can rely on as they navigate our complex world.
Jessica Rich is the Former Director of Consumer Protection at the Federal Trade Commission. She is currently Of Counsel at Kelley Drye & Warren and a Distinguished Fellow at Georgetown Law’s Institute for Technology Law and Policy