New proposals to protect consumer privacy in the U.S. seem to be appearing every day. There are now more than 90 privacy proposals that federal, state, and local regulators and policymakers are considering as privacy continues to dominate the news cycle. Hogan Lovells partners Mark Brennan and Nicola Fulford led a panel of industry stakeholders at the INCOMPAS Policy Summit in discussing what to expect from Congress, state legislatures, the FCC and the FTC, and how companies can start to prepare for the uncertain future of privacy.
Panelists first considered what role the EU’s General Data Protection Regulation (GDPR) has played, or should play, in shaping U.S. privacy law and whether it is a good framework to follow. Jules Polonetsky, CEO, Future of Privacy Forum, said that while the U.S. has a proud tradition of data protection law, of course we should look to the GDPR for guidance. Polonetsky said businesses that operate globally have just gone through useful work by asking where data is stored, and what the purpose of collection is to comply with GDPR. He also noted that the process had highlighted the confusion and uncertainty GDPR has created and showed that the U.S. must adopt clear, comprehensive, and enforceable privacy legislation.
Whether the California Consumer Privacy Act (CCPA) or another proposal will provide that clarity remains to be seen. Joseph “Joey” Wender, Senior Policy Advisor for Senator Ed Markey (D-MA) said passing legislation this year, whether it be the CCPA or other proposals, is challenging but doable. He said there are three main drivers pushing legislation forward: GDPR, the many high-profile privacy breaches in recent years, and the CCPA. Now that the world is thinking about privacy, and there is a state law on the books effective in 2020, the need for a national standard is really gaining traction, according to Wender. However, disagreement remains on many issues: How will pre-emption function? What notice and choice will be required? And what agency will have rulemaking or enforcement authority?
Panelists also considered whether the FTC should be the enforcer, or whether state Attorneys General will keep hold of some authority. Jim Trilling, Senior Attorney, Division of Privacy and Identity Protection, Federal Trade Commission, said the FTC should be the enforcer and has much experience enforcing privacy issues through the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and other legislation. Trilling explained the FTC has worked on privacy in a variety of industries and has been using resources to build up in-house expertise on privacy, putting it in the best position to enforce federal U.S. privacy legislation.