Export Compliance Daily is a Warren News publication.
‘Do the Right Thing’

NAAG Rep Wants Federal Privacy Bill as Strong as States

A federal privacy law shouldn’t be “less strict” than any existing state law, a National Association of Attorneys General official said Tuesday. Based on Congress’ progress, it doesn’t seem there will be a federal law in effect by January, when the California Consumer Privacy Act takes effect, said NAG Training and Research Institute Center for Consumer Protection program counsel Blake Bee. So industry will need to comply with a patchwork of laws, he told a New America event.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

What’s missing is an actual federal privacy bill to be the basis for congressional debate, said Internet Association Vice President-Associate General Counsel Elizabeth Banker. She argued against including a private right of action, allowing consumers to sue violating companies individually, saying it mightn't be realistic. In a “perfect world,” if a company followed the law, it wouldn’t be sued, but that’s not “the world we live in,” she said. Privacy enforcement should raise the level of compliance, and it’s not clear that private litigation would do that, she said.

A private right of action forces companies to “do the right thing,” said privacy and information policy consultant Bob Gellman. Though he supports its inclusion, he said the item is too divisive and won’t pass. He encouraged lawmakers to find “middle ground” and agreeable limits, perhaps privacy damage caps.

The FTC should be replaced with a new privacy regulator, said ex-FTC Associate Director-Financial Practices David Medine. Commissioners “have a lot on their plates,” he said, citing competition and unfair and deceptive practices. A new agency would be able to refocus on the issue and develop the proper expertise to police privacy, said Medine, now Consultative Group to Assist the Poor senior financial sector specialist. Privacy has grown from a small piece of the agency into an enforcement area ready to graduate into its own agency, he said. Many foreign partners carry their own, independent privacy regulators, so it might make it easier to collaborate internationally, he said. The Consumer Financial Protection Bureau is a good example of pulling authorities from different agencies and moving them under one roof, he said.

A new agency is needed, said Common Cause Program Director-Media and Democracy Yosef Getachew. Privacy is too big for one entity to handle on its own, he said, citing various aspects of privacy regulation including the FCC, the Health Insurance Portability and Accountability Act and Family Educational Rights and Privacy Act.

A strong regulator is the best option, and the FTC is well-placed to do that, said Banker. The things that help protect consumers are clarity about rules, an agency consistent in enforcement, and an agency that diligently advises industry and consumers about obligations and rights, she said. The amount of time it would take to get a new agency operating is a problem, said Banker.

Gellman noted the telecom industry once attempted to push for privacy enforcement to be moved from the FCC to the FTC. “Have you ever heard of an industry truly wanting a stronger privacy regulator?” he asked. Gellman argued the FTC never recovered from the Magnuson-Moss Warranty Act, which stripped the agency’s rulemaking authority.

Under new privacy legislation, lawmakers should discuss what additional powers, expertise and resources the FTC deserves, said Banker. She noted privacy staffs for foreign regulators in the EU and U.K. dwarf the estimated 40 FTC privacy employees.