Apr 4, 2019 - Technology

How the U.S. could get a national privacy law

Illustration of a hand with pen crossing out eyes in a pattern

Illustration: Lazaro Gamio/Axios

Democratic senators involved in a key bipartisan working group left a Wednesday evening meeting with little to say about whether they were making progress on a national privacy bill Republicans hope will preempt state measures.

Why it matters: There is a unique convergence of forces behind privacy regulation. If the U.S. is ever going to pass a federal privacy law, the time might be now — and that's brought a wide array of stakeholders out of the woodwork to give advice.

The big picture: Republican lawmakers and groups like the U.S. Chamber of Commerce, typically hostile to regulation, are currently advocating federal privacy laws.

  • They hope a national measure will block states from passing their own privacy laws and supersede any that do pass (like California's).
  • With anti-regulatory entities looking for a national solution, advocacy groups have also been emboldened to publish policy papers on privacy regulations with the legitimate belief they might pass.

Browser-maker Mozilla, for example, released a framework for regulation Thursday focusing on a few key issues.

  • One is to require "purpose-based consent" for companies to take data. If Facebook, say, solicited users' cellphone numbers to help authenticate their identities, it couldn't then use the information for another purpose, like targeting ads.
  • Mozilla also called for the Federal Trade Commission to gain more rule-making and enforcement power over privacy, a stance that the FTC also takes.

Details: The working group includes Senate Commerce Committee chairman Roger Wicker (R-Miss.), as well as panel members Sens. Richard Blumenthal (D-Conn.), Jerry Moran (R-Kan.) and Brian Schatz (D-Hawaii).

  • Democrats have indicated they won't preempt states without getting an aggressive national bill in return.
  • "It was a useful meeting, and as far as a timeframe, nothing was decided today about some next step, but I’ve been optimistic for a long time," said Moran as he left the meeting.
  • Democrats were less eager to comment, though Blumenthal said that the meeting "is another in a series that I'm sure we'll have."

The intrigue: In the public mind, the debate around passing privacy regulation would pit ad-centric web companies like Facebook or Google against Congress. The reality is far different.

  • For one, said Mozilla's Heather West, framing the debate as a continuum between privacy and Facebook ignores the bulk of the companies that would need to be regulated.
  • West said her favorite example of a company left out by tailoring debate to Facebook is John Deere. "They have an incredible data-driven product for farmers that takes all of this data in, including their schedule, meteorological data and fertilizer," she said. "That actually means they have a ton of data about someone's life. A tractor company could theoretically use that data for unexpected purposes."

The fallout: The mix of advocates for a privacy law has created wildly different visions of what a final version could look like.

  • Businesses that operate in multiple sectors argue that the current regulatory framework — with different industries operating under different rules — is unworkable in an innovative economy.
  • Peter Winn, who directs the Department of Justice's Office of Privacy and Civil Liberties, argued the opposite at a Wednesday AEI event, saying industry-specific laws could cater to the unique risk profiles of each industry.

David McCabe contributed reporting.

Go deeper