FPF Hosted a CPDP 2021 Panel on US Privacy Law: The Beginning of a New Era
By Srivats Shankar, FPF Legal Intern
For the 14th annual Computers, Privacy and Data Protection conference, which took place between 27 and 29 January, 2021, FPF hosted a panel of experts to discuss “US Privacy Law: The Beginning of a New Era”, whose recording has just been published. The panel was moderated by Dr. Gabriela Zanfir-Fortuna, who was joined by Anupam Chander, Professor of Law at Georgetown University; Jared Bomberg, Senior Counsel for the Senate Committee on Commerce, Science and Transportation; Stacey Schesser, Office of California Attorney General; and Lydia Parnes, Partner at Wilson Sonsini’s Privacy and Cybersecurity Practice.
Broadly, the panel discussed the events that have prompted the shift towards privacy protection in the US in recent years, including the latest privacy law initiatives at the state and federal level. The discussion addressed how regulators are enforcing current laws and preparing for what’s to come, and how these developments may strengthen the Trans-Atlantic relationship in the digital age.
Professor Anupam Chander discussed the most consequential developments in US privacy law in recent years, which he identified as the passage of the California Consumer Privacy Act (CCPA) in 2018, the Supreme Court decision of Carpenter v. US, and the passage of the Consumer Privacy Rights Act (CPRA) in 2020. According to Professor Chander, these developments will define the law of privacy over the next decade.
Jared Bomberg discussed developments at the federal level in the United States, including the increasing focus by Congress on a comprehensive consumer privacy legislation. In the Senate, the two leading proposals are the Consumer Online Privacy Rights Act (COPRA), led by Senator Cantwell (D-WA) and the SAFE DATA Act, led by Senator Wicker (R-MS). Both bills have many cosponsors. Among these and other privacy bills, there is commonality regarding the right of access, correction, deletion, and portability. Meanwhile, key differences include the existence of a private right of action, the extent to which a federal law would preempt state laws, and the incorporation of fiduciary responsibilities.
Stacey Schesser discussed the privacy law in California, including the enactment of the CCPA and the response of companies to the law. Following the passage of the GDPR, many companies have come to support compliance with the CCPA. California, by virtue of its large population and major economy, has required many businesses across the United States to come into compliance with the CCPA. Schesser notes that they have seen consumer frustration with opt-out mechanisms and deletion of personal information, alongside challenges with companies interpreting the law in different ways. However, she noted that many companies have complied with the CCPA within the 30 day notice and cure period after being notified of a violation. The initial rollout of Attorney General regulations have attempted to identify the scope of enforcement especially with reference to unique problems such as dark patterns.
Lydia Parnes discussed the enforcement of privacy law in the US. She observed that the Federal Trade Commission (FTC) has been fairly aggressive in exercising its enforcement powers. Commissioner Slaughter who became Acting Chairwoman has promoted the usage of civil penalties in privacy rights cases. These enforcement actions have become “baseline norms” for companies to follow. They don’t just affect the individual company but the industry at large. Parnes noted that the FTC has limited resources and enforcement by state agencies would be an effective way to facilitate change.
In the Q&A session, attendees raised issues of global interoperability, agency enforcement, and competition. Professor Anupam Chander emphasized the importance of the Schrems II decision, and the need for the US and Europe to come to another “modus vivendi.” This could be established without a “national” policy on privacy, to protect the information of foreign individuals whose data may be stored in the United States.
In response to a question about enforcement, Jared Bomberg emphasized that agencies like the FTC need more resources and that there is some acceptance that the FTC should continue enforcement in its existing fashion. He further noted that the Attorney General could also supplement and collaborate on enforcement. Bomberg also stressed the need for a private right of action. Market constraints also play a role in limiting the ability of the customer to protect their rights, and the current lack of transparency with the power dynamic has created a situation where customers do not understand what they have signed up for.
In closing, the panelists received a question on the likelihood of seeing a federal privacy law in the next two years. The consensus as Jared put it was that it could be “100% and 0%.”
Watch the full recording of the panel by following this link.