Republicans Issue Draft of Federal Data Privacy Legislation

Senate Commerce Committee chair Roger Wicker (R-Mississippi) proposed draft legislation that he said will support tough protections for consumer data and address the concerns of Democrats. Last week, Senator Maria Cantwell (D-Washington), the Committee’s top Democrat, proposed a data privacy law. The idea, Wicker continued, is to create a national privacy law that will override state privacy laws passed by California and other states. He and others believe state laws will create an unwieldy patchwork.

The Wall Street Journal reports that, “lawmakers had hoped to reach a bipartisan consensus months ago, but have been hung up on a handful of issues.” With California’s privacy law due to take effect January 1, the senators feel increased urgency to come up with a national legislative solution. Big Tech companies that prefer a federal law are pressuring Congress, and Senate Republicans “have been frustrated by what they view as Democrats’ slow pace in negotiating a nationwide privacy bill during 2019.”

Similar to Cantwell’s bill, Wicker’s “would give consumers more control over their data and impose new obligations on companies to protect privacy.” Although the Republican bill “includes so-called pre-emption of state laws and doesn’t include a private right of action for individual consumers,” Wicker believes his bill “would meet or exceed California’s standards for consumer protection.”

One example he gave is that his legislation requires “affected tech firms to disclose their privacy policies and practices [and] … express opt-in consent from consumers before a company could collect or transfer their sensitive data, including many types of health and personal identification information.”

At the Brookings Institution, fellow Cameron Kerry, also a former senior Obama administration official, noted that California’s law puts the onus on consumers to opt out of sale of their personal data but Wicker’s proposal does “what we really need to be doing, [which] is putting the obligation on business.”

Wicker pointed out that California’s law “doesn’t include a private right of action for data-privacy violations … although it does provide a limited right of action for data breaches.” Electronic Privacy Information Center president Marc Rotenberg deemed Wicker’s characterization of his legislation as stronger than California’s as “generous reading.”

As bipartisan talks loom, Cantwell described herself as optimistic. “We’re obviously serious about getting a strong privacy bill and we had to do a lot of homework,” she said.  Next up, she added, begins “the very tough stage of talking with our colleagues about what strong enforcement would really look like.” Wicker, less optimistic, said he “began to wonder over this Thanksgiving break if we’re both as determined to reach a bipartisan consensus as I thought.”