"Soon" (But Not Too Soon), House Republicans Introduce Privacy Bills

In a Tuesday post to the Free State Foundation blog, I repeated the quote – which I first referenced in a January Perspectives from FSF Scholars – that the House Energy and Commerce Committee Privacy Working Group could introduce comprehensive data privacy legislation "soon." In this instance, "soon" translated to "Wednesday." That's when the House Committees on Energy and Commerce and Financial Services jointly introduced a pair of companion bills: the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act) and the Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act (GUARD Financial Data Act).

The SECURE Data Act is the handiwork of the aforementioned working group, led by Representative John Joyce, M.D. (R-PA). The working group is composed of Republican members of the House Energy and Commerce Committee, which is chaired by Representative Brett Guthrie (R-KY). The GUARD Financial Data Act, meanwhile, is the product of the Financial Services Committee, led by Chairman French Hill (R-AR).

The two bills are designed to work in tandem: the SECURE Data Act covers consumer data handled by nonfinancial entities but exempts financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA), while the GUARD Financial Data Act modernizes the GLBA for the financial sector but exempts nonfinancial firms. As a joint one-pager released by the two committees explained, together the bills "form a common-sense Federal approach that will bring American privacy protections into the twenty-first century."

At a high level, the SECURE Data Act builds on – and, crucially, would preempt – the state-level "patchwork" that I have long lamented. It also wisely rejects a private right of action, leaving enforcement to the FTC and state attorneys general.

*    *    *

The SECURE Data Act establishes a set of now-familiar consumer rights, including the right to access, correct, delete, and transfer personal data. It also creates opt-out rights for targeted advertising, data sales, and certain automated profiling decisions. Processing of "sensitive data" would require opt-in consent, and parental consent would be required for the processing of data of teens (that is, those between the ages of 13 and 16). The processing of data of children under the age of 13 would remain subject to the provisions of the Children's Online Privacy Protection Act of 1998.

On the business side, the bill imposes data-minimization obligations that would limit the collection of data to what is "adequate, relevant, and reasonably necessary." It also includes data security requirements, privacy notice mandates, and data-protection-assessment requirements. Data brokers would be required to register with the FTC, which would maintain a searchable public registry. And businesses would have to disclose whether personal data is transferred to, processed in, or sold to foreign adversaries.

The SECURE Data Act would apply to businesses that process the personal data of at least 200,000 consumers annually. A separate threshold would cover data sellers that process the data of at least 100,000 consumers and derive over 25 percent of their revenue from the sale of personal data. Businesses with less than $25 million in adjusted gross annual revenue would be exempt.

As noted above, the bill does not create a private right of action. Instead, the FTC and state attorneys general would share enforcement authority. As I previously argued, exclusive enforcement by the FTC is far more likely to serve consumer interests than a private right of action, which would create problematic financial incentives for the plaintiffs' bar.

Perhaps most significant is the SECURE Data Act's broad preemption language, which provides that no state may "prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law, if such law, rule, regulation, requirement, standard, or other provision relates to the provisions of this Act." This would appear to preempt the entire "patchwork" of state-specific privacy laws, now numbering 21, replacing them with a single, workable, nationwide standard.

*    *    *

Of course, the standard caveats apply. As a Republican-only bill, the SECURE Data Act will need to attract bipartisan support if it is to become law. And the usual sticking points – in particular, the bill's rejection of a private right of action and its strong preemption language – could impede its progress, something we certainly have seen happen before to similar pieces of legislation.

Nevertheless, the SECURE Data Act seems to strike an appropriate balance between protecting privacy and fostering innovation, a point made by NCTA – The Internet & Television Association in its supportive statement: the SECURE Data Act's "unified approach will strengthen consumer trust, give individuals meaningful control over their personal information, and provide businesses the certainty needed to innovate, protect data, and drive growth while eliminating the confusing patchwork of state laws that burdens consumers and businesses."