A Look at the Draft U.S. Data Privacy Law and Its Implications
June 15, 2022

A Look at the Draft U.S. Data Privacy Law and Its Implications
This week, we have a guest post from our senior reporter at the Cybersecurity Law Report on a new draft of a long-awaited federal data privacy law. Let us know about the compliance challenges data privacy laws are presenting in your practice.

Rebecca Hughes Parker
Global Editor-in-Chief

***
June began with Congressional compromise, unveiling a bipartisan draft bill which offers (at last) a possible broad national privacy law. On one stalemated issue, pre-emption, the proposed law wipes out most existing state laws, but lets the Biometric Information Privacy Act in Illinois stand. On the other thorny issue, the law lets consumers sue, but gives companies 45 days to cure alleged violations. In the end, legislators concocted a U.S. law that adapts neither the GDPR nor any of the state laws, like Utah’s or Connecticut’s. 

Although a national privacy law may not cross the finish line in 2022 because of multiple summer recesses, key Senatorial holdouts or more galvanizing issues as midterms approach, the bipartisan headway on privacy significantly tees up a law to go next year. “This is a discussion draft, but it shows just how far the Republicans have come on these issues,” Verizon associate general counsel Yael Weinman said at an Interactive Advertising Bureau policy summit last week. 

The bipartisan bill earned ample praise for balancing business and consumer interests. This breakthrough also boosts enforcers already scrutinizing digital data collection’s privacy and anti-competitive effects. “I don’t see the FTC standing down on anything because of this activity,” Weinman added. 

Nor will state regulators sit idly by while they still have the proverbial ball, so companies will want to “look at their own practices through the eyes of an enforcer. Go try to find problems,” said Venable partner Julia Tama. Classic skeletons-in-the-closet compliance headaches are exacerbated by increased volumes of data that companies collect. “I have seen so many investigations start because of old code that wasn’t being used any more, or a policy that existed with the best intentions that was not being followed as intended, or data that was not being used, not needed anymore, and that is not benefitting the business,” she said. 

The FTC has a right to pull on such a thread, but “it is a shame to see a good brand brought down by something like that,” Tama added. She urged compliance teams to dig in to find hidden data. Before or after a federal privacy law emerges with its mechanism to ward off lawsuits, Tama noted, the old advice remains useful: “an ounce of prevention is worth a pound of cure.” 

The ACR has advice on handling the current patchwork of laws from Akin Gump here

Matt Fleischer-Black
Senior Reporter, Cybersecurity Law Report

 
Learn More About Our Sister Products