Status of a U.S. Federal Privacy Law

Is a Federal Privacy Law on the Horizon?

Against the backdrop of the 2018 Facebook data collection controversy, calls are getting louder for a unifying U.S. Federal privacy law. And Congress appears to be listening. This year alone, a variety of privacy bills have been introduced in Congress, including bills that would require companies to report data breaches to consumers within a set timeframe, allow users to opt out of having their data collected, and prevent companies from denying service to consumers who do not consent to data collection.

Here is a sampling of recent Federal privacy bills introduced in the House and Senate:

  • The Social Media Privacy Protection and Consumer Rights Act: Would require companies to report data breaches to consumers within 72 hours of discovery (introduced 1/17/19)
  • DATA Privacy Act: Would require businesses to offer opt-out consent in all reasonable cases, as well as opt-in consent for sensitive data or data for non-business purposes (introduced 2/27/19)
  • Clean Slate for Kids Online Act: Would allow consumers over the age of 13 (or their parents) to delete personal data collected from their Internet activity prior to turning 13 (introduced 3/13/19)
  • Information Transparency and Personal Data Control Act: Would require businesses to undergo biannual third-party privacy audits and report the results to the FTC (introduced 3/29/19)
  • BROWSER Act: Would require broadband and edge providers to provide clear privacy notices and obtain opt-in consent to collect sensitive data (introduced 4/10/19)

Unlike the European Union’s General Data Protection Regulation (GDPR), which pursues broad consumer privacy protections, the U.S. approach to privacy is more segmented and sector-specific. For instance, federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), which provides data protection of medical information, and the Genetic Information Nondiscrimination Act (GINA), which prohibits discrimination based on genetic data, address aspects of privacy within certain industries.

But the U.S. does not have one comprehensive Federal privacy law. This void has led state legislatures to seek solutions of their own. Two examples are the California Consumer Privacy Act, which gives consumers the right to know exactly what personal information is being collected about them, and the Illinois Biometric Information Privacy Act, which prohibits companies from gathering, using or sharing information such as a fingerprint or face print without written consent.

As privacy advocates seek stronger consumer protections and technological innovation increases the value of data collection, the push to pass a comprehensive federal law that regulates such activity will increase. One federal law could preempt a patchwork of state privacy efforts, provide broader privacy protections, and offer comprehensive guidelines to companies eager to avoid the data mining and data sharing controversies in which Facebook currently finds itself.