Inside the upcoming fight over a new federal privacy law

Many in the tech community have resigned themselves to new federal privacy regulation, but there’s no guarantee Congress can get it done during the Trump era.

Inside the upcoming fight over a new federal privacy law
[Photos: FEMA/Bill Koplitz; Pixabay/Pexels; Lorenzo Carafo/Pexels]

After all the privacy scandals (starring Facebook, Google, and others) in 2016 and 2017—and after more than a decade in which a sprawling and massively profitable “personal data economy” remained largely hidden from the public—many lawmakers in U.S. Congress are finally ready to impose rules on how tech companies can gather and use our personal data. There may be as many as six major bills circulating in the Senate by mid-2019. And with the new Democratically controlled House, such a bill may have a good chance of passage.


Some key players in the Senate are already sounding optimistic as the new congressional session begins. “I’m not sure that we’re really in very much disagreement with Republicans at this point,” Senator Brian Schatz (D-HI) told Politico. “There’s a bit of a dance going on, but I’m not sensing that Republicans are racing to the defense of the tech companies.”

The privacy bills

One of the strongest ones, the Consumer Data Protection Act, sponsored by Senator Ron Wyden (D-OR), gives a sense of the rules that could be imposed on tech platforms. Wyden’s bill creates a set of minimum cybersecurity and privacy standards, and proposes a national Do Not Track system that allows consumers to stop third-party data companies from tracking them on the web “by sharing data, selling data, or targeting advertisements based on their personal information.” It establishes the right of the consumer to know what personal data is being collected and how it’s being used.

Wyden has circulated a working copy of the bill, and will likely formally introduce it early in 2019.

Schatz, along with 14 other Democratic co-sponsors, introduced another high-profile privacy bill in December, called The Data Care Act of 2018. The bill introduces a “duty to care” approach to regulation, which requires tech companies to provide a “reasonable” level of security around personal data and–like Wyden’s bill–expands the powers of the Federal Trade Commission to enforce privacy rules.

Most of the action will happen in the Senate. The sponsors of the various bills already proposed may work together to form a united front around a single bill. The California privacy bill has much in common with the privacy rules in Europe’s General Data Privacy Regulation, and the Democratic bills circulating in the Senate have much in common with both. One staffer told me that because of this fact, some sort of reconciliation of the various leading Senate bills may be possible. Further into the process, Wyden and Schatz may decide to create a new bill that includes the core principles of both.

And there are other possibilities. Senator Cory Booker’s (D-NJ) work on algorithmic transparency in the context of social justice issues might find its way into a combined bill.


Most of the discussion and politicking will happen in the Senate.

One source told me Democratic leaders in the House are ready to work with Senate Democratic leaders like Wyden and Schatz to write a companion privacy bill that contains the main elements of a Senate bill. That bill would very likely pass in the newly Democratic controlled House. The House version of the bill is likely to emanate from either the House Energy and Commerce committee or the Judiciary Committee, the person said.

Much of the Senate action will take place in and around the Senate Energy and Commerce Committee. The committee held several hearings on the subject during 2018. Its chairman during the last session, John Thune (R-SD), was said to be working on a privacy bill. In August, senators Jerry Moran (R-KS) and Roger Wicker (R-MS) were reportedly working with senators Schatz and Richard Blumenthal (D-CT) on a bipartisan privacy bill.

To preempt or not to preempt

So while some of the foundation laying has already occurred in the Senate, the process is still in its early stages, and lots of talking remains to be done. “The Senate is still very up in the air,” one Senate staffer told me. Republicans are typically not eager to impose new regulations on private companies, tech companies included. Moderate Republicans may find resistance among far-right Republicans to a proposed privacy bill based on that instinct alone. Far-left Democrats could insist on tougher privacy rules than Republicans can support.

It’s also unclear how successful the increasingly powerful tech lobby might be in convincing lawmakers to weaken privacy legislation. What the tech industry wants is a federal privacy law that doesn’t impose onerous or costly privacy requirements, and does not expand government powers to enforce the rules. And most important of all, the industry wants to make sure that a new federal law will supersede–or preempt–privacy laws enacted by the states, such as the tough privacy law passed by California, which is now scheduled to go into effect January 1, 2020. Not only are the California rules too tough for the industry’s liking, but individual state laws create a patchwork of regulatory regimes and an expensive compliance headache.

Tactically, the tech lobby will likely try to first influence Republican leaders of the Senate Commerce Committee to push a weak privacy bill that preempts states. The lobby’s second line of attack will attempt to put pressure on Democratic members of the committee who may be up for re-election in 2020 to sign on to a watered-down bill.


However, Schatz has made it clear that Democrats in the Senate will not agree to a bill that preempts state privacy laws unless it also contains a substantive set of binding privacy rules.

The Trump effect

Even if Democrats and Republicans in the Senate get along swimmingly when negotiating the terms of a privacy bill, the whole matter might get pushed further down the priorities list. Fights over immigration and trade are sure to rage on, and the results of the Mueller investigation may be a ticking time bomb that explodes even the best-laid plans. And the reality-TV nature of the Trump White House has a way of pulling media focus and legislative energy away from important policy initiatives.

So while there will likely be lots of talk–and perhaps some political horse trading–done around privacy in 2019, there’s also a very good chance that the arrival at an agreeable law will not happen by the end of the year. It’s possible the work could be completed in 2020, but that’s an election year–and a big one–so the distractions will grow even worse.

The one thing that won’t change, however, is California’s tough privacy bill. Big tech and telecom rue that day. It may be the one thing that keeps Republican lawmakers coming back to the table until a federal law gets passed.

About the author

Fast Company Senior Writer Mark Sullivan covers emerging technology, politics, artificial intelligence, large tech companies, and misinformation. An award-winning San Francisco-based journalist, Sullivan's work has appeared in Wired, Al Jazeera, CNN, ABC News, CNET, and many others.