The Committee on House Administration (CHA) held a hearing last month to discuss data privacy risks and reforms needed in the public and private sectors. Lawmakers from both parties agree that a uniform national law is needed. But the push has been endlessly bogged down amid disputes over whether a national law should override state measures and whether it should give consumers a right to sue companies over privacy breaches. As a result, Congress has repeatedly missed its deadlines to produce a bipartisan bill.
According to witness Daniel Castro, Vice President, Information Technology & Innovation Foundation (ITIF), since 2018, 34 states have passed or introduced seventy-two privacy bills regulating the commercial collection and use of personal data. Every time a state passes a new privacy law, it not only imposes costs on in-state businesses, but also on many out-of-state businesses. ITIF estimates that, in the absence of federal privacy legislation that preempts states from passing their own laws, state privacy laws could impose costs on out-of-state businesses of $98 to $112 billion annually, exceeding $1 trillion over a 10-year period — and at least $200 billion of that burden would fall on small businesses.
To date, California, Colorado, and Virginia are the only states that have passed comprehensive data privacy legislation. Maryland is considering the Biometric Identifiers Privacy Act (BIPA), which would require that companies obtain consent before collecting biometric information and tell consumers what information is being taken and stored and for how long. It would also ban companies from profiting off consumers’ biometric information, create rules for when companies must delete this information, and establish a private right of action, allowing consumers to sue companies that break the rules even if there is no harm. New York’s proposed law, the New York Privacy Act, also includes a private right of action.
Legislation, such as the New York Privacy Act and Maryland’s BIPA, containing a private right of action provision, exposes companies to a flood of expensive lawsuits. Even when these lawsuits have no merit, companies must pay lawyers long enough for the lawsuits to be dismissed. “The only people who benefit from this arrangement are privacy lawyers,” says Castro. And while some laws, such as the California Consumer Privacy Act (CCPA), include a 30-day correction period giving companies time to comply, Castro contends that Congress should pass federal privacy legislation that preempts states, protects consumers, and promotes innovation.
Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC), discussed how sensitive health data is now collected and used ubiquitously. While the Health Insurance Portability and Accountability Act (HIPAA) provides some protection for individuals, it is limited in scope. Fitzgerald added that there is a potential for third-party data risks involving Electronic Health Information (EHI). For example, under the 21st Century Cures Act, EHI may be shared, via an app, between patients, physicians, hospitals, payers, and employers.
Fitzgerald praised the reintroduction of the Online Privacy Act, H.R. 6027, sponsored by CHA Chairperson Zoe Lofgren (D-CA) and Representative Anna Eshoo (D-CA). The legislation creates user data rights, places limitations and obligations on companies collecting and using data, and establishes the Digital Privacy Agency (DPA) to enforce privacy laws.
While Fitzgerald supports the creation of a federal data protection agency, Castro does not believe a new federal agency is necessary. Instead, he feels the Federal Trade Commission (FTC) is capable and enforcement should be handled at the state level through attorneys general with sufficient resources.
Despite the differences on the issue of liability and enforcement, both parties agree that one uniform national law is needed. Witness Shoshana Zuboff, author of The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, suggested Congress look to the Digital Services Act and Digital Markets Act in the EU as a model. Castro suggested Congress consider Virginia’s Consumer Data Protection Act (CDPA), which takes effect January 1, 2023.
As members ponder different models, federal action on data privacy is unlikely to go anywhere in 2022. States will continue to forge ahead with their own data privacy laws. The witnesses invited to the committee hearing agreed that passing a comprehensive, bipartisan data privacy law should be at the top of Congress’ technology policy agenda.
PRINTING United Alliance will continue to monitor the status of federal data privacy legislation and work with our industry partners to advocate for one comprehensive national data privacy law.
Stephanie Buka is the Government Affairs Coordinator at PRINTING United Alliance, the most comprehensive member-based printing and graphic arts association in the United States, comprised of the vast communities which it represents. The Alliance serves industry professionals across market segments with pertinent education, training, workshops, events, research, government and legislative representation, safety, and environmental sustainability guidance, as well as resources from the leading media company in the industry – NAPCO Media. Now a division of PRINTING United Alliance, Idealliance is the global leader in standards training and certification for printing and graphic arts operations across the entire industry supply chain.