Holm Belsheim, MJLST Staffer
When Minnesota Senator Amy Klobuchar announced her candidacy for the Presidency, she stressed the need for new and improved digital data regulation in the United States. It is perhaps telling that Klobuchar, no stranger to internet legislation, labelled data privacy and net neutrality as cornerstones of her campaign. While data bills have been frequently proposed in Washington, D.C., few members of Congress have been as consistently engaged in this area as Klobuchar. Beyond expressing her longtime commitment to the idea, the announcement may also be a savvy method to tap into recent sentiments. Over the past several years citizens have experienced increasingly intrusive breaches of their information. Target, Experian and other major breaches exposed the information of hundreds of millions of people, including a shocking 773 million records in a recent report. See if you were among them. (Disclaimer: neither I nor MJLST are affiliated with these sites, nor can we guarantee accuracy.)
Data privacy has been big news in recent years. Internationally, Brazil, India and China are have recently put forth new legislation, but the big story was the European Union’s General Data Privacy Regulation, or GDPR, which began enforcement last year. This massive regulatory scheme codifies the European presumption that an individual’s data is not available for business purposes without the individual’s explicit consent, and even then only in certain circumstances. While the scheme has been criticized as both vague and overly broad, one crystal clear element is the seriousness of its enforcement capabilities. Facebook and Google each received large fines soon after the GDPR’s official commencement, and other companies have partially withdrawn from the EU in the face of compliance requirements. No clear challenge has emerged, and it looks like the GDPR is here to stay.
Domestically, the United States has nothing like the GDPR. The existing patchwork of federal and state laws leave much to be desired. Members of Congress propose new laws regularly, most of which then die in committee or are shelved. California has perhaps taken the boldest step in recent years, with its expansive California Consumer Protection Act (CCPA) scheduled to begin enforcement in 2020. While different from the GDPR, the CCPA similarly proposes heightened standards for companies to comply with, more remedies and transparency for consumers, and specific enforcement regimes to ensure requirements are met.
The consumer-friendly CCPA has drawn enormous scrutiny and criticism. While evincing modest support, or perhaps just lip service, tech titans like Facebook and Google are none too pleased with the Act’s potential infringement upon their access to Americans’ data. Since 2018, affected companies have lobbied Washington, D.C. for expansive and modernized federal data privacy laws. One common, though less publicized, element in these proposals is an explicit federal preemption provision, which would nullify the CCPA and other state privacy policies. While nothing has yet emerged, this issue isn’t going anywhere soon.