The European Union General Data Protection Regulation (GDPR), adopted in 2016 and effective in May 2018, was one of the first comprehensive modern data privacy laws, and in many ways it has set the standard for other privacy laws.
In the absence of a comprehensive United States federal privacy law, California enacted the California Consumer Privacy Act of 2018, effective Jan. 1, 2020, and subsequently amended it through the California Privacy Rights Act.
Rather than adopt the same or similar provisions, standards and terminology that the European law had established, California embarked on its own version of a privacy law. Several other states have subsequently adopted their own comprehensive privacy laws, most of them being somewhat similar to each other, and in some ways more similar to the European law than to the California law.
This patchwork of state laws creates substantial compliance challenges for businesses. Even the state laws that are similar have nuances that prevent having a single set of standards/rules that businesses can follow to comply. A common business practice has been to use a base set of standards and then have separate addenda to cover the variations of each state and country law.
However, anything beyond a handful of states becomes extremely difficult to manage (and frankly even a handful is a handful). So, what is the resolution? At least in theory, the enactment of a federal privacy law that preempts (overrides) state privacy laws would remedy this problem.
Having a single U.S. law to comply with creates efficiencies, cost savings and clarity for businesses (especially smaller ones), making compliance more manageable, and therefore more likely. Higher rates of compliance significantly benefit the individuals whose personal information is being collected and used. Furthermore, by removing the impediments to businesses created by multiple privacy laws, presumably the cost savings to businesses can be passed on to consumers.
And speaking of removing impediments to doing business, on two separate occasions (Safe Harbor in 2015 and Privacy Shield in 2020) the legal arrangement between the U.S. and the EU allowing for transfer of personal information from the EU to the U.S. has been struck down by the Court of Justice of the European Union, in large part because, according to that court, the U.S. does not have privacy protections comparable to those in the EU. The court's concern in both cases centered on U.S. government surveillance access to transferred data and the lack of effective redress for EU residents, rather than on commercial data practices alone.
A comprehensive federal privacy law would go a long way toward removing that argument, but only if it is coordinated with federal surveillance laws and practices; a consumer privacy statute by itself would not address the surveillance and redress concerns the court relied on. This step would help facilitate the exchange of information and overall cooperation between U.S. and EU companies, which could be beneficial for all involved parties.
Congress has been kicking around a federal privacy law in one form or another for quite some time. There have been two major hurdles to advancing such a law: (1) whether a federal privacy law should preempt state privacy laws, and (2) whether individuals (or only government authorities) should be allowed to bring lawsuits in connection with violations of the law.
The split has generally been along party lines, with Republicans favoring preemption but no private right of action, and Democrats opposing preemption but supporting a private right of action. Interestingly, the most recent version of the federal privacy bill (the American Data Privacy and Protection Act) passed out of the House Committee on Energy and Commerce in July 2022 by a 53-2 vote, with clear bipartisan support, but a contingent against the bill (headed by California legislators concerned about preemption of the CCPA/CPRA) resisted, and the future of the bill is now uncertain.
Unfortunately, well-intended laws sometimes get mired in so many complexities that it is virtually impossible, particularly for smaller businesses, to comply. The balance between not hindering business and protecting the important and legitimate privacy interests of individuals is one that must be thoughtfully struck in a way that works for all stakeholders.
A straightforward, comprehensive and preemptive law that focuses on the key areas of concern and requires compliance nationwide would, at least in theory, provide greater protection for individuals and a manageable framework for businesses to comply with.