When we talk about a U.S. federal privacy law in the current environment, what we really mean is a comprehensive federal privacy law. The actual first federal privacy laws came into existence in 1974 and still exist today. The Family Educational Rights and Privacy Act (FERPA) applies to schools and educational institutions that receive funding from the Department of Education, while the aptly named Privacy Act applies to federal agencies’ collection and use of personally identifiable information (PII). There are several reasons why these laws were passed in 1974 and only applied to government-funded activities, but for now let’s just say that trust in the government wasn’t at an all-time high.
Several pieces of privacy legislation passed in the late 1990s. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) addressed healthcare privacy; in 1998, the Children’s Online Privacy Protection Act (COPPA) ensured protection for children’s privacy; and in 1999, the Gramm-Leach-Bliley Act (GLBA) required financial institutions to safeguard customers’ sensitive data.
Why Privacy Laws Are So Important
Even if you’re not familiar with these laws, they touch your life in one way or another. Thanks to privacy legislation, you sign a privacy form at every doctor visit and your bank sends you an annual privacy statement in the mail. But life is more than banking and healthcare and government interaction, and this is where the comprehensive gap lies. Not every business that collects consumer data is covered by one of these sectoral laws, meaning they are left without clear federal guidance on how that data is collected and protected. This also leaves individuals without formal legal rights to ask for copies of their information or have that information deleted upon request. However, many companies (such as Spectus) offer these rights to users because it is the right thing to do.
In the absence of federal law, some companies have banded together in self-regulatory bodies such as the NAI to form their own rules on data ethics in a voluntary effort to simplify and clarify the environment for consumers and businesses alike. And while this works very well in our industry, the call for a comprehensive privacy law has never been louder across all industries. Uncertainty leads to inefficiencies and errors and opens the door for bad actors. For companies that want to operate in the shadows, this is a gift. But for the majority of companies that want to operate ethically and in the best interest of their customers and clients, it creates confusion and unnecessary expense, and forces U.S. states to attempt to fill the void by crafting their own privacy laws. Several have done so already, and without a comprehensive federal privacy law we could all be facing 50 similar-but-different privacy laws that we must comply with simultaneously, which can paralyze commerce and give consumers a disjointed and inconsistent experience. Nobody wins in that scenario.
So What Is Congress Doing?
A flurry of cleverly named bills is currently floating around Washington, D.C. in various states of drafting, committee, and review, in what seems like a maze with no exit—meaning actually being voted on and passed. Over 50 bills are currently active at the federal level addressing privacy in one way or another. The latest to inspire hope, the American Data Privacy and Protection Act (ADPPA), was introduced in both the House and Senate on June 3. With bipartisan sponsorship, loads of press, and rumors of compromise on both sides, we may see one of the rarest of unicorns—actual, major legislation passed in a midterm election year. Time is short, however: any legislation needs to pass before the August Congressional recess, as post-recess activities will be focused almost exclusively on campaigning for November. So it either passes in the next two months, or sometime after next January we will start the game anew. Let’s take a glass-half-full approach and examine the merits of this potential law.
The ADPPA vs. Existing Privacy Legislation
The ADPPA bears many similarities to other attempts at privacy legislation such as the SAFE Data Act, introduced in 2021, so the contents are not unfamiliar to the players in Congress. ADPPA would introduce requirements at the federal level that are similar to those in California’s CCPA and the EU’s GDPR, such as:
- Consumer rights of access, correction, deletion, and the right to receive data in a portable format
- Business requirements to practice ‘data minimization’, meaning using only the minimum amount of personal information necessary to accomplish the task at hand
- ‘Privacy by Design’ – which is a set of well-known privacy principles that guide the design and engineering of systems that process personal information
- Clarity on the roles of businesses that share data with each other
How It Might Play Out
These are all great strides forward. They will be welcomed by companies that are leading the way in privacy, and will hopefully force those that are not to shape up or ship out. But like most federal privacy debates, it will be shaped along two fronts.
- The first is “private right of action”, otherwise known as the ability for lawsuits to be filed against companies for violating the act. While most state laws (with limited exceptions such as California) restrict enforcement of their privacy laws to the respective state attorney general or privacy regulatory agency, the ADPPA as drafted would permit litigation in some instances in addition to enforcement by the Federal Trade Commission. This is a hotly contested political issue and beyond the scope of this article, but it is where much of the discussion and chance of success for the bill will be focused.
- The second is “preemption”, which simply means that the federal law would apply instead of state laws covering the same privacy topics. Again, this is a fiercely contested issue, with states that have comprehensive state privacy laws (such as California, Virginia, Colorado, and Utah) faced with handing over their present authority to Washington, D.C. in exchange for potentially fewer rights for their citizens.
What The Future Holds
As you can see, the path to passage of this or any other federal privacy bill is an uphill climb. That’s why we have been waiting so long for something that the majority of Americans want. That shouldn’t stop our leaders from working through the differences and ending the debate for good on when it will happen. The people want it, business wants it, and we all deserve clarity and consistency so we can move on to what we do best. Until then, we are left with a patchwork of state privacy laws to comply with while many states’ residents have little or no privacy protections.
To learn more about what Spectus is doing to protect consumer privacy, explore our Privacy Center or contact us at privacy@spectus.ai