Business Groups Call for Federal Privacy Legislation, But Will It Work?

On January 13, 2022, the U.S. Chamber of Commerce (Chamber) joined the rallying call for a federal privacy law.

On January 13, 2022, the U.S. Chamber of Commerce (Chamber) joined the rallying call for a federal privacy law. The Chamber sent a letter to Congress calling on lawmakers to enact federal privacy legislation. The letter was joined by local business groups from across the country and argued that comprehensive privacy legislation is necessary to address the growing patchwork of state laws.

“We, the undersigned, urge Congress to pass comprehensive privacy legislation. It has been 1,285 days since the California Consumer Privacy Act, America’s first comprehensive data protection law, was signed,” the letter states. “Consumers and businesses should not be forced to wait longer for legislation that equally protects the privacy of all Americans.”

Lack of Federal Privacy Standard

Congress has considered several federal data privacy bills in recent years. However, none have gained enough bipartisan support to become law. In an April 2020 report, the Congressional Research Service found that the bills introduced in the 116^th Congress shared several common elements in that each regulates the use of personal information by: (1) recognizing individuals’ rights to control their personal information; (2) requiring a defined class of entities to take steps to respect those rights; and (3) creating procedures to enforce those requirements. In most cases, prior federal privacy bills were derailed when lawmakers couldn’t agree who should enforce the law and whether more restrictive state laws should be preempted. The main sticking point, both on federal and state levels, continues to be whether to provide a private cause of action to individuals affected by a cybersecurity incident.

State Privacy Laws

In the absence of a federal data privacy standard, states have enacted their own laws. Signed into law in 2018 and made effective January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) grants consumers the right to request that a business to disclose how it uses their personal information. It also includes a number of other data protections for consumers, including the right to request deletion of personal information and the right to opt out of the sale of personal information by a business. The law is scheduled for an overhaul next year pursuant to the California Privacy Rights Act (CPRA), which will impose more stringent data privacy requirements and will become effective on January 1, 2023.

Virginia was one of several states to approve a comprehensive data privacy law in 2021. The Consumer Data Protection Act (CDPA), which incorporates elements of the European Union’s General Data Protection Regulation (GDPR), as well as California’s CCPA and CPRA, will go into effect on January 1, 2023. Notably, the CDPA does not include a private right of action. Colorado adopted a similar law in 2021. Its comprehensive data privacy legislation, the Colorado Privacy Act, is also slated to take effect in 2023. To date, twenty-six other states and the District of Columbia have also considered data protection legislation.

Chamber of Commerce Letter

In its letter, the Chamber highlighted that while many state data privacy laws share similarities to the CCPA and the GDPR, they also differ in their scope, duties, and enforcement, which causes significant compliance challenges for businesses. The Chamber also argued that establishing a unified, national standard would benefit both businesses and the public, writing:

Data is foundational to America’s economic growth and keeping society safe, healthy and inclusive. Technologies like artificial intelligence are leading to vaccine development and expanding opportunities financially to those who have traditionally been underserved. Fundamental to the use of data is trust. A national privacy law that is clear and fair to business and empowering to consumers will foster the digital ecosystem necessary for America to compete.

In addition to the U.S. Chamber of Commerce, the letter was signed by local chambers of commerce from Arizona, California, Massachusetts, New York, New Jersey, Texas, Illinois, Georgia, Indiana, Maryland, Pennsylvania, Utah, Washington and several other states. The coalition also included the Association of National Advertisers, TechNet, National Business Coalition on E-Commerce and Privacy, National Association of Federally-Insured Credit Unions and the Foodservice Equipment Distributors Association.

Key Takeaway

As the Chamber highlighted in its letter, the patchwork of state-level regulations poses significant challenges for businesses. At this point, it is unclear if 2022 is the year that Congress finally pushes a federal privacy bill across the finish line. Accordingly, it imperative to stay on top of this rapidly evolving area of law.

If you have questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.