Americans' interest in expanded privacy rights is bipartisan, enthusiastic and growing, and the expectation that both states and the federal government will be responsive to this interest is at an all-time high.
"The general election really indicated a huge desire among consumers for greater privacy protections," said Pollyanna Sanderson, policy counsel with the Future of Privacy Forum, one of the many organizations lobbying for stronger protections. In 2020, there was a groundswell of privacy-related policies that passed with overwhelming support in legislatures throughout the country, she said.
These included bills like Michigan's Search Warrant for Electronic Data Amendment, which passed with an 89 percent majority, and a Massachusetts bill that gives consumers new protections for their vehicle data, which 75 percent of state residents voted in favor of. The recent measure to strengthen the California Consumer Privacy Act via the creation of the Privacy Protection Agency, a new compliance-oriented entity, also passed with much support.
Yet despite overwhelming public interest, there has been little federal leadership on the issue. The perpetual failure of a national privacy bill to materialize has left the responsibility of protecting consumer data to the states, which have had their own struggles with meeting that need.
"In the states, we've seen a huge acceleration in understanding and interest in how privacy works in a technical sense and a willingness to do more," said Sanderson. Indeed, in recent years, states like Washington and New York have followed California's lead in attempting to craft their own state privacy laws — a trend that is growing.
"Nearly half of states introduced privacy bills in the first half of 2020. That was all put on hold because of COVID. But you're likely to see a resurgence of interest in those bills as the vaccine begins to get rolled out and the world returns to business as usual," said Sanderson.
Public concerns surrounding privacy were accelerated by COVID-19, which ushered in a new generation of technologies that collect and store consumer data (remote learning, contact tracing, telework applications, etc.). All of these things "really put the spotlight on the need for comprehensive privacy legislation," which could "increase trust in the adoption of socially beneficial technologies and create clearer rules of the road for companies," said Sanderson.
With the incoming Biden administration, the federal government may be well positioned to finally preside over a robust privacy agenda.
"The Biden team doesn't really have a huge learning curve. Lots of the folks who are involved were also involved in the Obama Consumer Privacy Bill of Rights. And they're coming back into the room and they can pick up where they left off," said Sanderson.
Indeed, for a presidency that was itself rocked by spying scandals, the Obama administration took concrete steps to increase voter confidence in government's respect for personal privacy by establishing a permanent Federal Privacy Council and issuing a Privacy Bill of Rights, designed to create a framework for federal privacy regulation. With Biden's arrival, a similar approach and tone are expected.
Vice President Kamala Harris, too, has some experience with ensuring consumer protections, having pushed for a number of data privacy initiatives during her tenure as California attorney general. Harris was AG at the time of the passage of the California Online Privacy Protection Act, one of the first laws in the country that forced companies to publicly specify if and how they collect personal data from Web users. She also created a Privacy Enforcement and Protection Unit within her office, as the result of a number of high-profile data breaches in California at the time.
If all of this seems daunting to companies, it shouldn't. By now, industry ought to be ready for (and receptive to) a federal privacy bill, as the alternative — a patchwork of state privacy laws — is much less appealing.
"Many of the largest businesses have already had to build technical mechanisms to comply with [existing privacy laws like] the CCPA or the GDPR if they have an international presence or operate in California. If they've already done such a huge lift, then it doesn't seem like it would be so out of range for them to comply with a national standard," Sanderson offered.
The pressure for a clarifying set of regulations isn't just domestic but international as well, said Sanderson. As global data flows between allied countries have continually become ensnarled in legal debates stemming from confusion over American policy, the call for a better system has gotten louder. America's "sectoral" approach, where regulation varies by industry, is quite different from a more typical "omnibus" approach adopted by other countries, where privacy regulations are consistent across the private sector.
"The sectoral approach to privacy is really confusing to a lot of countries abroad because it's just so complex and there are also huge gaps that are emerging, because as technology evolves, some of those sectoral laws are just not covering it," she said. "On the international stage, there is a growing consensus on the need for the U.S. to have a coherent policy on the issue of privacy to demonstrate the U.S.'s values to the world on privacy."
"So many different countries around the world are now enacting comprehensive privacy laws," Sanderson said. "In order for the U.S. to continue to be a leader in this space, I think having a comprehensive privacy law is really valuable."