Will Congress take legislative action on consumer privacy this year?
Some members of Congress say that it’s time, including Rep. Frank Pallone, Jr. (D-NJ-6), the new chair of the House Energy and Commerce Committee. During an April 2018 committee hearing, Pallone stated that “the current [consumer privacy] system is broken … we need baseline protections.”
The hearing came at a unique time because any strong movement to establish comprehensive consumer privacy rules had been largely absent in Congress until spring 2018. At least seven federal lawmakers (including Sens. Mark Warner (D-VA), Amy Klobuchar (D-MN), John Kennedy (R-LA), Brian Schatz (D-HI), Ron Wyden (D-OR), Marco Rubio (R-FL), and Rep. Suzan DelBene (D-WA-1), among others) have introduced privacy bills or draft frameworks over the past twelve months.
Over a dozen advocacy groups and businesses have also drafted legislative privacy frameworks in this time period, joining this growing pool of lawmakers in the discussion of a comprehensive privacy law. What insights can government relations professionals gain from the conversation?
1) Things can change quickly.
On Capitol Hill, one year can make a big difference — and three major events in 2018 likely contributed to the sudden momentum behind the privacy movement.
First, in March 2018, the public learned that a political consulting firm, Cambridge Analytica, had used Facebook profile data to target political advertisements during the 2016 presidential election. Lawmakers and the public reacted promptly; both Congress and Parliament called on Facebook CEO Mark Zuckerberg to testify, and some groups held protests during Zuckerberg’s testimony on Capitol Hill.
Then, the European Union’s General Data Protection Regulation became effective in May 2018. Although the law was several years in development (it was proposed in 2012 and adopted in 2016), it had two significant effects upon implementation. It forced companies to restructure their privacy policies and created an additional motivation for Congress to establish consumer protections to compete with international standards. In prepared testimony for a July 2018 Energy and Commerce subcommittee hearing, FTC Commissioner Rohit Chopra summarized this second sentiment: “When it comes to privacy, the United States should lead.”
Third, Governor Jerry Brown’s signing of the California Consumer Privacy Act (CCPA) in June 2018 spurred even more calls to action. Some advocacy groups, such as the U.S. Chamber of Commerce, urged Congress to pass a preemptive federal law to prevent a potentially “confusing patchwork” of state laws. Other advocates, such as Jim Steyer of Common Sense Media, applauded the CCPA and called for Congress to establish equal or greater privacy protections for consumers.
A lot can change in one year. It is hard to tell what the legislative landscape will look like in the future, but the power of timing in advocating for a consumer privacy platform should not be discounted.
2) Even when both parties agree on something, it may be difficult to reach a compromise.
Members of Congress on both sides of the aisle have said that federal privacy legislation is necessary.
But like any legislation of this scope, a passable data privacy bill hosts a slew of provisions on which Democrats and Republicans may not agree. These provisions address a wide range of questions, including what types of entities and data to cover, whether to preempt state privacy laws, whether to allow consumers the private right of action to sue for privacy violations, and how new rules could potentially impact competition.
Multiple legislators, including Reps. Jan Schakowsky (D-IL), Bob Latta (R-OH), and Sen. Mark Warner (D-VA), have expressed optimism that Congress will be able to reach a bipartisan compromise, potentially achieving a historically rare victory in a split Congress. However, to accomplish this, legislators and advocates will need to emphasize what parties can agree on, such as the need to improve transparency surrounding data collection practices, and be prepared to identify other provisions worth prioritizing or sacrificing.
3) Lawmakers want answers from technology executives — but that can be a good thing for companies.
Now more than ever, government officials may want to hear directly from chief executives. Although an invitation from Congress to formally testify is often a consequence of criticism or scrutiny, it is better than no invitation to talk at all. Having a seat at the table, so to speak, allows companies to influence privacy conversations and demonstrate their willingness to work with lawmakers. As D.C.-based communications analyst Adam Goldberg said in an interview with Bloomberg News, “If you’re not at the table, you’re on the menu, and Congress looks hungry.”
For example, last September, the Senate Intelligence Committee held a hearing with representatives from Facebook, Twitter, and Google — or rather, Facebook COO Sheryl Sandberg, Twitter CEO Jack Dorsey, and an empty chair with Google’s name on it. The committee had invited Google’s Sundar Pichai or Larry Page to testify, but when the company offered to send its general counsel, the committee instead chose to leave the company’s seat vacant.
Facebook faced a similar experience at a November 2018 hearing in London, when members of the British Parliament left a symbolic empty chair for Mark Zuckerberg and repeatedly referenced the company’s decision to send a vice president to testify.
In doing so, lawmakers in the United States and Europe have indicated that they see privacy as a system-wide priority, one that is not confined to a company’s legal or regulatory department. However, these hearings could be an opportunity — they offer companies a public platform to highlight their progress and future plans for data privacy, as well as provide policy input directly to lawmakers.
4) Like technology, government relations is changing.
Therefore, government relations professionals face a unique challenge: communicating complex technical or legal issues to diverse stakeholders while navigating a rapidly changing political landscape. These messages can be both proactive — such as advocating for policy positions, discussing public-private partnerships, or illustrating corporate social responsibility goals — or reactive, such as following up after a data breach.
Government relations professionals will also need to communicate their progress to their Silicon Valley counterparts, but the privacy movement is challenging to quantify. In this case, the home run goal is a federal law, but a specific timeline and metrics of success are more subjective. While many companies value data-driven goals and results, nobody should underestimate the difficulty— and the importance— of benchmarking specific provisions and milestones in today’s complex legislative field.
To learn more about data privacy, download National Journal’s data privacy primer. This deck includes slides on the following:
- Current laws, including the General Data Protection Regulation, California Consumer Protection Act, and Children’s Online Privacy Protection Act
- Proposed legislation, including the American Data Dissemination Act (S. 142) and Social Media Privacy Protection and Consumer Rights Act (S. 189)
- Relevant Supreme Court cases, including Frank v. Gaos (2019), Carpenter v. United States (2018), and United States v. Microsoft (2018)
Is your organization planning a fly-in? Download National Journal’s introduction to advocacy fly-ins to help members of your organization learn what to expect during their Capitol Hill meetings.