A National Privacy Law is Coming; May Alter the Way US Businesses Operate
Publications - Article | October 10, 2018
A national privacy law is coming, and it may fundamentally alter the way US businesses operate. Kutak Rock can help.
2018 has seen dramatic changes to the privacy and data security legal landscape. On May 25, Europe’s General Data Protection Regulation (“GDPR”) came into effect, causing a flurry of compliance-related activity in Europe, here in the US, and across the globe. On June 28, California hastily enacted its California Consumer Privacy Act (“CCPA”) to head off an imminent and even more restrictive ballot initiative. GDPR and CCPA break sharply from the US market-driven model: rather than leaving practices to industry, they impose specific, prospective requirements on businesses located in Europe or California and on any business, wherever located, that interacts with European or Californian consumers.
These laws, especially CCPA, have not gone unnoticed. Senator Thune (R-SD), who serves as Chair of the Commerce Committee, made a powerful statement in his September 25 op-ed: “The question is no longer whether we need a national law to protect consumers’ privacy. The question is what shape that law should take.” The next day, two apparently coordinated developments occurred. First, the Commerce Committee held a hearing entitled “Examining Safeguards for Consumer Data Privacy” that included testimony from Amazon, Apple, AT&T, Google, and Twitter. Second, the National Telecommunications and Information Administration (“NTIA”) published a request for comment entitled “Developing the Administration’s Approach to Consumer Privacy” (the “RFC”).
The RFC describes a new approach to consumer privacy that focuses on risks and outcomes. This is an intentional departure from other laws that articulate principles and require actors to follow certain practices in order to implement them, such as GDPR and CCPA. The RFC articulates seven desired outcomes: transparency, control, reasonable minimization, security, access & correction, risk management, and accountability. Most of those outcomes mirror principles found in GDPR and CCPA, but the RFC’s descriptions of those shared concepts reveal significant differences between them. After articulating those objectives, the RFC lays out eight high-level goals for federal action: harmonization of US law, legal clarity, comprehensive application, emphasis on risk- and outcome-based approaches, international interoperability, incentivization of privacy research, clear enforcement authority (vested in the FTC), and scalability. The RFC expressly denounces the growing “patchwork of competing and contradictory baseline laws.” This, alongside Sen. Thune’s remarks, seems to be a plain indication of Congressional appetite for preemptive legislation. On the other hand, the new approach is overtly intended to operate as a compliance “floor” that will not interfere with current sector-specific laws like HIPAA or GLBA. The RFC also clarifies that smaller, less sophisticated organizations should receive only proportional enforcement attention.
In sum, the RFC’s risk- and outcome-based approach is far more flexible and tailored than GDPR or CCPA; depending on how a business uses or monetizes personal data, that approach may impose a higher or a lower burden than those laws do. Kutak Rock’s Privacy and Data Security Practice Group and the government practice attorneys in its Washington, D.C. office anticipate that Congress may take up a federal statute in earnest when it reconvenes in January of 2019, and that it will likely attempt to pass that bill before the CCPA takes effect in January of 2020. The RFC solicits comments regarding this new federal approach to data privacy, affording businesses a unique opportunity to weigh in on this significant legislation during its formative stage. Comments must be submitted on or before October 26, 2018.
The firm has extensive experience in this area, and we encourage our clients to participate in the process and to stay informed. The firm regularly prepares and circulates legislative updates on matters such as this.
If you are interested in filing a comment with the NTIA in response to the RFC or would like to be included on our data privacy updates, please contact a member of our Privacy and Data Security Practice Group.