Perspective

Is There Any Way Forward for Privacy Legislation in the United States?

Robert Gellman / Jul 30, 2025

What is the future of consumer privacy legislation in the United States? Let’s start with a look at federal and state approaches to consumer privacy laws. I offer a highly selective review of federal privacy laws. As we go along here, pay attention to the congressional committees that originated the bills.

The first federal consumer privacy law was the Fair Credit Reporting Act (FCRA), passed in 1970 when overwhelming unfairness in credit reporting resulted in pioneering, if inadequate, legislation giving consumers rights. It was not commonly regarded as a privacy law at the time because privacy was undefined. It took several major amendments over the following decades to make the FCRA truly effective. The FCRA came from the congressional banking committees.

The Privacy Act of 1974, a law that applies only to federal agencies, had a long policy runway dating back to a vague and impossible-to-implement mid-1960s proposal for a national databank of federal agency records. This law came from the Government Affairs committees. The only major amendment came in 1988.

The Family Educational Rights and Privacy Act (FERPA), also passed in 1974, has an incredible history. It started life as a Senate floor amendment by James Buckley. The law was so impossible to implement that the federal department responsible for it came back to Congress asking for help. FERPA was a nearly complete rewrite of the original, resulting in a significantly different law. The amended law came from congressional education committees.

The privacy provisions in the 1984 Cable Communication Policy Act came about in part because a key congressional staffer on the Commerce committee had knowledge of privacy from a previous job on the Privacy Protection Study Commission. He had enough leverage as a key player to put privacy provisions in the broader law. Industry accepted privacy regulation as a small price for a bigger bill that it badly wanted. This law was a Commerce Committee product.

The Video Privacy Protection Act came in response to the disclosure of Judge Robert Bork's video rental records during his epic Supreme Court confirmation battle. The Judiciary Committee originated this law in large part because Members of Congress feared that someone would release their video rental history. The Judiciary Committee could only offer a criminal provision and a civil remedy and not a meaningful regulatory regime. The law is still on the books. Just for fun, do you remember when the last video rental store closed?

The Health Insurance Portability and Accountability Act (HIPAA) sought to update the health care system in a variety of ways, and privacy was an afterthought. A lack of agreement on privacy resulted in a provision that gave Congress three years to pass a health privacy law and told the Department of Health and Human Services (HHS) to issue rules if Congress failed. Congress indeed failed, and we ended up with HHS rules. The HHS rules were decent, and some states later adjusted their own health privacy laws to conform more with the federal rule. HIPAA was the product of several different congressional committees, including the health committee and the finance committee.

The privacy provisions in the massive Gramm-Leach-Bliley financial services modernization law of 1999 were a tiny part of a large law from the House and Senate banking committees. Industry didn’t really object to the privacy part, and if you know the details, you know why. The consumer privacy provisions do almost nothing for consumers. In fact, consumers would be better off if the privacy parts of GLB were repealed. Industry uses the law as a shield, telling the states that banks are already covered by federal privacy law. That argument worked, at least for a while. That may be changing, however, because some states are beginning to understand the shortcomings of GLB privacy.

I could go on with this quick-and-dirty history, but the point should be clear. Congress has shown itself incapable over decades of producing any coherent approach to privacy. As a result, the US now has multiple narrow privacy laws with different definitions, standards, and approaches, all of them out-of-date. It seems impossible now to reconcile existing laws or to address the many gaping holes. No congressional committee can address privacy comprehensively. Even when only one committee has jurisdiction, meaningful reform of old laws is a rarity.

Americans can only watch longingly as the European Union found a way (whether you like the specifics or not) to take a comprehensive approach to privacy. The EU started the process at the end of the 20th century, as the basics of privacy began to achieve a broader international consensus. It produced a major improvement the second time around with the General Data Protection Regulation (GDPR) in 2016. Even with two bites at the apple, the EU is still working at it, because privacy laws are hard to write, enforce, and keep current. Nevertheless, the EU is far ahead of the US in having a mostly coherent privacy regulation. The rest of the world follows the EU lead. It is not a surprise that no one copies US privacy law.

Is there a way forward for the US? The states are often described as the laboratory of democracy, and this is turning out to be the case with privacy laws. That may be the key to progress.

Modern state consumer privacy laws mostly began in California less than ten years ago. It’s a messy story, but California probably still has the strongest consumer privacy law. By now, about 20 states have their own consumer privacy laws, dodging and weaving around the existing federal laws to plug some but not all unaddressed holes. In early efforts, business lobbyists talked state legislators who wanted privacy laws into passing weak laws from a consumer perspective. Consumer groups got out-lobbied.

A remarkable thing is now slowly beginning to emerge. As states got experience with their laws, they also looked around at other state laws to see what worked. State legislators are now amending their first efforts by adding provisions that provide consumers with better protections and better rights. The newest state laws sometimes include effective provisions from other state laws. Some state Attorneys General are using enforcement powers creatively and effectively. It's still a mixed bag, but the point is that states are more nimble and more responsive than Congress.

Recent Congresses have made modest attempts at a national consumer privacy law, but there has not been a sufficient consensus to push any of the bills through the process. A big part of the motivation comes from those in the business community who want a preemptive federal law to prevent states from passing stronger laws. Many in the consumer advocacy community dubbed this proposal a Privacy Prevention Act. That Act would be a preemptive federal law with weak privacy standards that allow for greater exploitation of consumer data with minimal enforcement.

Privacy has not turned out to be a partisan issue. State consumer privacy laws can be found in red and blue states alike. That reality isn’t making it any easier for this Congress to act. We just saw the failure of a congressional effort to impose a moratorium on state AI laws. The Washington Post reported that the measure died because of an avalanche of opposition from all sides of the political spectrum. That may (or may not) suggest that imposing limits on states in the technology space will be hard to do.

State laws are likely to grow more uniform in important ways even as compliance details (thresholds for application, opt-out procedures, notice variations) vary. Still, if enough states end up with laws displaying more similarities than differences, the result may be the guts of something that resembles a uniform state consumer privacy law. Granted, I’ve offered a slapdash summary of what’s going on today, but the state laboratories of democracy appear to be moving in a similar direction.

Now we can perhaps see a solution that works for everyone. Once there are enough similarities in state laws, a uniform and preemptive federal law may not be out of reach. A bottom-up uniform state law (rather than one imposed by Congress) could have something to offer everyone. Consumers win with rules offering more rights and better procedures. Business wins with uniform laws that are easier and less expensive to implement. The law can offer small business simplified requirements and state Attorneys General a strong enforcement role. Another bonus is that a better uniform law has a chance to meet EU and world standards and be recognized as adequate. This would greatly benefit large international US companies. Add a regular review process so the states and other stakeholders can propose amendments to allow Congress to keep the law up to date with changes in technology.

Could this happen? It will take a few more years of developments at the state level to see. A preemptive federal consumer privacy law must evolve out of state efforts rather than be imposed on states over their objections.

Most federal privacy laws will continue to recede in relevance as technology makes them less meaningful. A state-inspired consumer privacy law could be the best way forward. It could even be combined with a federal privacy agency – a feature of privacy laws around the world – to work on reforms for existing federal privacy laws in a comprehensive way that Congress can’t do on its own. That may be the only hope for reform of the hopeless mess of existing federal privacy laws.

I’m not holding my breath, but it’s possible. There may be no other way.

Authors

Robert Gellman
Robert Gellman is a privacy and information policy consultant in Washington, D.C. A graduate of the Yale Law School, Gellman has worked on privacy issues for more than 50 years. He spent 17 years on the staff of a Subcommittee in the House of Representatives responsible for privacy, freedom of infor...
