Democratic Privacy Bill Allows Lawsuits Over Data Violations (1)

  • Democrats’ privacy proposal stakes position on private right of action
  • GOP likely won’t support user’s ability to sue for privacy violations

A group of Senate Democrats unveiled a federal privacy bill Tuesday to give consumers more control over their data as lawmakers race to negotiate a bipartisan plan before the end of the year.

The measure would penalize companies that don’t meet data protection standards and allow consumers to sue in certain circumstances if their private data is violated. The bill from Sen. Maria Cantwell (D-Wash.), the ranking member of the Senate Commerce, Science and Transportation Committee, elaborates on privacy principles that Democrats released last week.

“In the growing online world, consumers deserve two things: privacy rights and a strong law to enforce them,” Cantwell said in a statement. “They should be like your Miranda rights—clear as a bell as to what they are and what constitutes a violation.”

The text from lawmakers on the panel who oversee data and consumer protection issues is the highest-level proposal to emerge after months of stalled efforts that have disappointed companies seeking to avoid strict and divergent state regimes.

Senators are trying to act before a California consumer privacy law goes into effect on Jan. 1, but that goal is almost certainly out of reach. Lawmakers have just three legislative weeks to work out a compromise and get it through both chambers of Congress. Other priorities, 2020 election activities, and the ongoing impeachment inquiry will likely slow any progress.

Cantwell has been working since the summer on a bipartisan privacy bill with Commerce Chairman Roger Wicker (R-Miss.), who said in a statement he is “committed to continuing to work with the ranking member and my colleagues on both sides of the aisle to get a bill that can get across the finish line.”

The Democratic bill will likely be part of the committee’s Dec. 4 hearing on legislative proposals to protect consumer privacy.

“Any privacy bill will need bipartisan support to become law,” Wicker said.

Alex Wong/Getty Images. Sens. Maria Cantwell (D-Wash.) and Roger Wicker (R-Miss.), shown at an Oct. 29 hearing, are continuing talks on privacy legislation as Cantwell unveils a bill based on Democratic priorities.

House lawmakers are also working on a measure. House Energy and Commerce Committee member Jan Schakowsky (D-Ill.) is discussing a bipartisan proposal with Rep. Cathy McMorris Rodgers (R-Wash.).

Sens. Brian Schatz (D-Hawaii), Ed Markey (D-Mass.), and Amy Klobuchar (D-Minn.) are also cosponsors of the Democratic bill.

Privacy Lawsuits

The bill includes a private right of action, which Democrats have prized as a way to allow consumers to seek civil action in a state or federal court. Under the bill, if the plaintiffs prevail, courts could award damages up to $1,000 per violation per day, in addition to declaratory relief.

Cantwell’s measure would codify U.S. Supreme Court privacy litigation standards that clarify when consumers can sue in federal court. It would make a violation of the measure “a concrete and particularized injury in fact,” echoing the Court’s decision in Spokeo v. Robins (2016), which suggested plaintiffs should have suffered such injuries to initiate lawsuits and has become a lingering question over private rights of action.

But that provision may lead to court challenges from businesses when an alleged privacy violation affects every user rather than a specific or small subset of consumers, privacy academics said.

There will “unquestionably” be court challenges to this standard, said Peter Ormerod, assistant professor of business law at Western Carolina University. “If a company denies a right to everyone, that raises concrete and particularization problems,” he said.

Wicker and other Republicans oppose the private right of action and want a federal bill to pre-empt any state laws, including California’s.

The Democratic bill wouldn’t pre-empt most state laws and regulations unless they are in direct conflict with the federal law.

Craig Albright, vice president of legislative strategy for BSA, a tech trade association for software companies such as Microsoft Corp., welcomed the bill in a statement but said the group doesn’t “agree with everything” the legislation proposes.

“Any lasting solution will have to be bipartisan,” Albright said, adding that there should be “one clear national standard.”

Data Rights, Civil Rights

Other provisions would require companies to minimize the data they collect from users and how they share it and would give consumers the right to control their personal data, including the right to know, access, delete, correct, and restrict the transfer and retention of their records.

The bill also contains privacy safeguards that would better protect teenagers, a signature issue for Markey, who was an original author of the Children’s Online Privacy Protection Act of 1998 when he was in the House. New civil rights protections in the measure would give enforcement authority to the Federal Trade Commission to take action against unlawful discrimination online.

The proposal would hold chief executive officers, privacy officers, and data security officers responsible for decisions that affect privacy, backed by penalties when they fail to protect data. Democrats have criticized recent decisions by the FTC for failing to hold executives personally accountable, particularly in the case of Facebook Inc., which paid a $5 billion fine for privacy lapses this year.

Cantwell’s bill would set out a small business exception for companies that make less than $25 million per year, handle the data of fewer than 100,000 individuals or households, and derive less than 50% of profits from transferring individuals’ data.

Not So Fast

Cantwell’s measure provides “necessary tools for reining in the hegemonic power technology companies have over us,” said Ari Ezra Waldman, director of the New York Law School’s innovation center for law and technology. But the proposal relies on a structure that can be “easily undermined by industry, and it doesn’t adequately address the problem that privacy harms are not always quantifiable in the traditional sense,” he said.

Although some groups with close ties to big tech companies said they are optimistic the measure signals an appetite for Congress to move forward on privacy, they also expressed discomfort.

“This legislation fails to strike the right balance between consumer privacy and commercial innovation,” said Daniel Castro, president of the Information Technology and Innovation Foundation. “It would severely restrict legitimate uses of consumer data, limiting the opportunities for companies to collect, use, and share data to innovate in the digital economy.”

Castro’s non-profit think tank counts executives from Microsoft, Intel Corp., and other companies on its board.

Others pushed back on the bill because it doesn’t pre-empt a rise of state privacy measures.

“This bill is creating a ‘Sophie’s Choice’ for America’s mid-sized businesses,” said Carl Szabo, vice president of NetChoice, a right-leaning tech trade association that counts Alphabet Inc.’s Google and Facebook as members. “Do they want a patchwork of state laws or a tsunami of class action lawsuits?”

Szabo’s group has been among those looking to congressional legislation to overrule state laws.

“There’s no point in doing a federal privacy bill unless it creates a standard, nationwide law and eliminates the patchwork problem,” Szabo said. “We don’t need a 51st privacy law.”

(Updates with reporting throughout.)

Reporters on this story: Rebecca Kern in Washington; Daniel R. Stoller in Washington; Ben Brody (Bloomberg News)

Editors responsible for this story: Zachary Sherwood; Loren Duggan; John Hughes