All signs suggest that Congress may finally enact comprehensive data privacy legislation. And while several bills were introduced in 2018 and are likely to be reintroduced in 2019, the Data Care Act, which was released Dec. 12, has already been endorsed by 16 Democratic senators. With that broad base of support, the Data Care Act will likely serve as a starting point for negotiations, which means it is an important development in the ever-evolving data privacy landscape.

Signs Congress Will Act

Given past failed efforts, it's tempting to dismiss any hope—or concern—that Congress will enact comprehensive data privacy legislation. But that's a mistake.

At both the state and federal level, we see signs that Democrats and Republicans have an appetite for data privacy reform and enforcement. As of March 2018, all 50 states had enacted data breach notice laws. Even more telling, state attorneys general from both parties are vigorously enforcing their state-law data privacy statutes and are often working together—as they did after Facebook's Cambridge Analytica scandal came to light in early 2018.

At the federal level, there is near-unanimous agreement about the need for comprehensive legislation. Sen. John Thune (R-SD) has said the effort to enact data privacy legislation “enjoys strong bipartisan support,” and “the question is no longer whether we need a federal law to protect consumers' privacy” but “what shape it should take.”

Federal agencies are also encouraging Congress to act. In September, the National Telecommunications and Information Administration (NTIA) solicited comments on how to “advance consumer privacy while protecting prosperity and innovation.” In December, Director Kathy Kraninger said data privacy will be a “leading priority” at the Consumer Financial Protection Bureau (CFPB). And in its response to NTIA's proposal, the Federal Trade Commission (FTC) argued that its data privacy efforts are frustrated by gaps in its statutory authority, and restated “its longstanding call that Congress consider enacting legislation that clarifies” its authority.

In other words, Congress may finally enact comprehensive data privacy legislation, with the Data Care Act serving an important role in the negotiations to come.

The Data Care Act

In its current form, the Data Care Act would “establish duties for online service providers” that collect and use “individual identifying data.”

The bill defines “online service providers” broadly to include any entity that “is engaged in interstate commerce over the internet or any other digital network” and “collects individual identifying data about end users.” Most companies with an online presence will probably fall within its scope. For those that do, the bill establishes fiduciary-like duties with end users, including duties of care, loyalty and confidentiality. The duty of care requires online service providers to “reasonably” secure individual identifying data from unauthorized access and “promptly” notify end users after any unauthorized access to “sensitive data.”

The duty of loyalty prohibits online service providers from using individual identifying data for their own benefit if the use will be to the “detriment” of end users and cause them “reasonably foreseeable harm,” or if the use is “unexpected and highly offensive.”

And the duty of confidentiality: (1) prohibits online service providers from selling or disclosing individual identifying data to any person in a manner inconsistent with the duties of care and loyalty; (2) prohibits them from selling or disclosing individual identity information unless the recipient agrees to a contract that imposes duties of care, loyalty and confidentiality; and (3) requires them to take “reasonable steps” to ensure that any third party with whom they've shared data is complying with the law.

The bill also includes reforms requested by the FTC and state attorneys general. It grants the FTC enforcement authority over nonprofits and common carriers, grants the FTC broad rule-making authority, and grants the FTC authority to issue substantial civil penalties for violations. It also grants state attorneys general broad enforcement powers, while—to the frustration of pro-business groups—it does not preempt related state statutes.

The Focus of Negotiations

While the Data Care Act has wide support among Democratic senators, conservative lawmakers may argue its broad language will stifle innovation.

But we think any pushback will serve only as a negotiating tool. As noted above, there are increasingly strong signals that conservative lawmakers want comprehensive federal legislation. The patchwork of existing state laws frustrates pro-business groups, like the Chamber of Commerce, the Internet Association, and the Business Roundtable, who also hope that potential federal legislation will pre-empt aggressive state laws, like the California Consumer Privacy Act. Moreover, leading tech companies, including Google, Apple and Facebook, have lobbied Congress for data privacy legislation.

Accordingly, we think Congress may finally act and see congressional efforts focusing on a few critical issues. The most important, in our opinion, is whether any legislation will pre-empt related state laws, as pro-business groups will—and should—continue to demand strong pre-emption provisions. The specificity of the duties and responsibilities included in any legislation will also be critical. Pro-business groups will generally favor “risk-based privacy practices,” given their concerns that specific standards will stifle innovation. But consumer groups will generally favor greater specificity, given their concerns that vague standards will be gutted by rule-making. In addition, both pro-business and consumer groups will be concerned about how much control consumers are given over the collection, use, and sharing of their information, as that level of control may well determine the future of some anticipated technologies.

Timothy A. Butler and Chelsea Merritt are attorneys with Troutman Sanders. They represent clients in high-stakes litigation, enforcement and regulatory matters.