Is Federal Data Privacy Legislation On The Way?

All 50 states in the U.S. now have breech notification laws. Many are similar, but some are unique. Places like California, Illinois, New York and Massachusetts have been relatively aggressive in developing a set of regulations to protect their residents from data privacy shenanigans as well as the effects of cybersecurity incidents. Others—I’m looking at you South Dakota—have not.

But we are reaching a critical point in the development of data privacy and cybersecurity law that compliance with the laws of every state are getting to be more and more challenging. The majority of businesses simply throw up their hands, knowing they should do “something”, but they are not really sure what that “something” should be.

More and more, we’re hearing calls for a single, unifying privacy law. One statute to rule them all. Of course, we must be careful what we wish for. If the federal law preempts legislation like the CCPA, or topples the Illinois Biometric Act’s private right to sue, many businesses may welcome the change. Yet, the law could turn the other way instead, opening up data breech litigation in federal courts across the country.

In 2019, Sen. Ed Markey, D-Mass., introduced the Privacy Bill of Rights Act which was followed by the United States Consumer Data Privacy Act. The bills began debate on the issue, but ultimately did not pass.

Realizing that the legislation was bound to fail without a catchy acronym, Sen. Roger Wicker, R-Miss., proposed the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (“SAFE DATA Act”) in September 2020. The SAFE DATA Act in its current form proposes complete state preemption (Sec. 405(a)), thus gutting the CCPA, NY SHIELD Act and Illinois Biometric Act. Further, many of its requirements would not apply to small and mid-sized business with less than 500 employees, less than $50 million in annual revenue, and who do not collect or process the personal data of fewer than 1 million individuals. (Sec. 2(12)). Last, there is no mention of a private right of action. However, State Attorneys General would be empowered to bring suit under the Act. (Sec. 402(a)).

My sense is that there is not yet enough consensus on certain thorny issues, like the private right of action, state preemption and the scope of applicability, for this bill to pass, but it’s a starting point. Further, it seems that federal action, one way or another, is picking up steam, with the likely result being some action, even if half-hearted.

We’ll stay tuned and see what comes of it.