A New Federal Privacy Law Could Come from an Unexpected Place

As we continue to watch the slow motion, often circular efforts in Congress to develop and enact comprehensive privacy legislation, federal action on privacy could end up coming from some surprising places.

By this, we mean it might not come from Senators Cantwell or Wicker, who have championed the leading, competing privacy bills in the Senate Commerce Committee over the past few years. Nor from Senator Wyden, who just re-introduced his bill to create algorithmic accountability – or from the House and Senate members who just proposed to ban most third-party targeted advertising. And it might not even come from Senators Markey and Cassidy, who support stronger privacy protections for kids and teens, an area of relative consensus among the parties.

Instead, while privacy watchers have their eyes on all of the expected places, the action might come from somewhere else.

Antitrust Bills

Notably, two bipartisan Senate antitrust bills – both already marked up in committee – contain privacy provisions applicable to the tech platforms and virtually the entire app marketplace.

The first bill (The American Innovation and Online Choice Act, S. 2992) is designed to prevent dominant tech platforms from giving preference to their own products and services. The bill, sponsored by Senators Klobuchar and Grassley, would accomplish this chiefly by giving other companies interoperability and access to the platforms so they can reach the platforms’ users and have an opportunity to compete.

The original version of the bill addressed privacy in a limited way – allowing the platforms to assert, as an affirmative defense to law enforcement, that any actions they took in apparent violation of the law were narrowly tailored, non-pretextual steps necessary to protect safety, user privacy, and the security of the platform or nonpublic data. But after critics of the bill argued that more privacy protections were needed, the committee approved an amendment clarifying that the bill:

• Does not require the platforms to interoperate or share data with anyone on a federal government list (1) prohibiting them from engaging in U.S. economic transactions or (2) identifying them as a risk to national security, intelligence, or law enforcement risks;
• Does not prohibit the platforms from obtaining users’ consent before sharing non-public personally identifiable data with other entities; and
• Does not prevent the platforms from offering full end-to-end encryption for products that allow communication between users.

The proposed law would be enforced by the FTC, DOJ, and the State Attorneys General.

The second bill (The Open Markets Act, S. 2710) is designed to increase competition by requiring the largest app stores (Apple and Google) to provide greater access to other app stores and third party apps, and to reduce the controls (and fees) Apple and Google impose on these entities. As before, the original version of the bill contained minimal privacy protections, so the sponsors here (Senators Blumenthal, Blackburn, and Klobuchar) offered a privacy amendment during the markup.

The amendment makes clear that the bill would not prevent platforms from imposing narrowly-tailored and non-pretextual actions ​“necessary to achieve user privacy, security, or digital safety,” which are defined to include:

• Allowing a user to opt-in, and providing information about risks, prior to enabling installation of third party apps or app stores;
• Removing malicious or fraudulent apps or apps stores from users’ devices;
• Providing an end user with the technical means to verify the authenticity and origin of third party apps or app stores; and
• Providing an end user with the option to limit the collection and sharing of data with third party apps or app stores.

The FTC, DOJ, the State AGs, and app developers can all sue under the law.

Whether these bills will be enacted, and in what form, remains uncertain – particularly given some concerns that have been expressed by more tech-friendly Democrats. However, it seems clear that privacy issues are now in play as policymakers consider antitrust legislation. Further, it’s notable that two antitrust bills (with privacy provisions in them) have made it through committee markup with strong bipartisan support, while copious privacy bills are…well… still being discussed.

In short, the next action Congress takes on privacy could very well occur within the context of antitrust legislation.

Republican Privacy Action Post Midterms?

Another possibility is that the Republicans (if they win the Senate, House, or both in the midterms) could take control of the privacy debate and pass legislation.

Until a few years ago, Democrats have generally been the drivers on federal privacy legislation, with Republicans arguing that it would stifle innovation and hurt the U.S. economy. However, the States’ enactment of privacy laws, as well as pressure from the EU and the GDPR, have changed the dynamic considerably.

Republicans and their constituencies now badly want a federal privacy law to create a national standard (with some level of state preemption), prevent or strictly limit private rights of action, shore up our position internationally, and protect our critical infrastructure. A recent letter from Senate and House Republican committee leaders to President Biden makes this perfectly clear. So does the widespread and growing support for federal privacy legislation among industry members.

So as we proceed through 2022 towards Congressional elections, stakeholders on all sides of the debate should keep in mind that if the current Democratic majority doesn’t pass a federal privacy law, a potential Republican majority just might, potentially drawing support from moderate Democrats seeking a solution on this critically important but unresolved issue. Perhaps the Wicker bill – with broad preemption and no private right of action – could emerge triumphant after all. For those that support middle-grounds on these issues, maybe now is the time to get serious about finding compromise.

We will continue to monitor developments in this space and post updates as they occur.