Congress is considering several bills involving privacy

Everything old is new again – if you wait long enough and Congress sits on its hands.

Seventeen years ago, Microsoft advocated for a federal law to protect consumers’ privacy. In April 2022, nothing has changed. Earlier this month, Microsoft Corp. President and Vice Chair Brad Smith urged Congress to pass “long overdue” federal privacy legislation.

During a speech at the International Association of Privacy Professionals’ Global Privacy Summit 2022, Smith said that “Congress has been frozen in time” and that the lack of federal privacy legislation increasingly isolates the United States and diminishes its influence in the world. Congress currently has more than 20 pieces of legislation pending in the U.S. House of Representatives and/or the U.S. Senate, and a handful have companion bills pending in both houses. Although there are reports of optimism about passing comprehensive federal privacy legislation this session, no bill has emerged that has enough obvious support to think victory is near.

Three of the bills with both House and Senate companions relate to handling of COVID-19 health data. H.R. 651/S.81 (restricts use of COVID-19 data), H.R.778/S.199 (grants to create COVID-19 tracing technology that meets privacy and security standards) and H.R. 3868/S.1932. H.R.2039/S.1209 (no vaccine passport). H.R. 2738/S.1265, cleverly named “The Fourth Amendment Is Not For Sale Act,” would bar law enforcement and intelligence agencies from obtaining a customer’s mobile device location data from data brokers without obtaining a warrant. This bill is a response to reports that Venntel, a data broker, was selling location data collected from Americans’ smartphones to government agencies, thereby allowing the agencies to circumvent warrant requirements. This is an important issue, but falls far short of comprehensive privacy protection.

One of the most interesting pieces of legislation that ought to have a chance of passage is S.500 – a bipartisan bill that would restrict the commercial use of personally identifiable health information collected from a smartwatch or similar consumer device without consent. This legislation comes in the wake of reports that security flaws in smart watch data from children was hacked and sold. The smartwatch data allowed third parties to create a detailed profile of adults and children, including their ages, places of residence, location throughout the day, phone number and photos. S.500 was introduced by Sen. Bill Cassidy (R-LA) and co-sponsored by Rep. Jacky Rosen (D-NV). It remains in the Senate Committee on Health, Education, Labor, and Pensions.

The most comprehensive bill for federal privacy is S.1494, the Consumer Data Privacy and Security Act of 2021. It was introduced by Sen. Jerry Moran (R-KS), but has no co-sponsors. The bill would establish standards for the collection of personal data, including prohibiting businesses from collecting such data without consent. Businesses would be required to publish their privacy policies, implement data security programs to safeguard such data, and provide individuals with reasonable access to, and control of, their collected data.

None of the federal bills are nearly as broad or comprehensive as California law and none include a private right of action as does the California Consumer Privacy Act. The CCPA, enacted in 2018, expanded the types of personal information protected by law, and it gives consumers the right to follow the trail of how data is shared among companies. The law protects personal information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” CCC §1798.140(o)(1).

The CCPA also gives consumers the right to know how a collecting corporation came to conclusions about him or her based on personal data. The CCP covers “[i]nferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” CCC §1798.140(o)(1)(K).

The public supports federal privacy legislation. Last year, 61% of Americans said that the federal government should devote a great deal or quite a bit of time to “improving online data privacy and security,” according to a poll conducted by the Associated Press and University of Chicago’s NORC Center for Public Affairs Research. Politico/Morning Consult was more pointed in a poll they conducted earlier this year, asking registered voters about their support to “make it illegal for social media companies to use personal data to recommend content via algorithms.” Fifty-six percent either strongly or somewhat supported such legislation.

So why not enact federal legislation that mirrors the CCPA? The primary argument in favor of federal privacy legislation is to prevent a patchwork of individual state laws. Corporations with national operations argue that it will be too hard to comply with (potentially) 50 sets of laws. In reality, this “patchwork” approach tends to drive companies to comply with the most stringent state’s regulations – often California. In an economy where almost all products and many services are sold on a national basis, aiming for the highest common denominator is a good thing. Otherwise, the most lenient state offers an attractive haven to escape rules that corporations and data brokers don’t like.

There’s a reason, after all, that the vast majority of cruise ships register under the flag of other countries. Seventy-five percent of passengers on cruise ships are U.S. citizens, but almost none of the ships are registered in the U.S. Even though many cruise ship companies have their headquarters in Florida, by registering in another country (commonly Malta, Panama, Iberia or the Bahamas), the ship becomes part of that country’s territory, and beyond the reach of U.S. labor, insurance and environmental laws.