COVID-19, User Data, and the Need for a Federal Privacy Law
TLDR: Protecting the collection and use of consumers’ personal information continues to be at the top of mind for lawmakers, with new efforts in Congress looking to address the use of personal information in contact tracing apps amid the coronavirus pandemic, and unnecessarily tying the use of targeted online ads to an unrelated intermediary liability law.
What’s Happening This Week: Policymakers are continuing to disagree over the scope of legislation needed to regulate data collection efforts surrounding the ongoing coronavirus pandemic. Meanwhile, some lawmakers are planning to introduce separate legislation that would purport to address data-related concerns by targeting Internet companies’ liability frameworks.
Last month, Democrats and Republicans introduced competing bills to safeguard consumers’ privacy during the outbreak, but disagreements over whether to preempt existing state laws and to allow for certain privacy-related lawsuits have stymied any legislative progress. A bipartisan group of senators also introduced legislation earlier this month to regulate the use of consumers’ data in the development and implementation of COVID-19 contact tracking and exposure notifications apps. At the same time, Sen. Josh Hawley (R-Mo.) is using broader data privacy concerns to target Internet platforms’ liability frameworks instead of pushing to provide critical consumer privacy protections.
Lawmakers’ focus on data privacy concerns in the context of the coronavirus outbreak should drive renewed progress in long-running conversations about a much-needed federal privacy framework. In lieu of federal action, state-level efforts—such as the California Consumer Protection Act—have effectively become the nation’s de facto privacy standards. That standard is already likely to be revisited later this year, as the authors of the 2018 ballot initiative that led to the passage of CCPA announced last month that they submitted 900,000 signatures for a second ballot initiative to further expand out the state bill’s requirements. Instead of an evolving patchwork of state laws, a clearly defined federal data privacy framework would help alleviate some of the concerns that consumers and entrepreneurs have when it comes to the use, management, and storage of users’ personal information.
Why it Matters to Startups: While the coronavirus pandemic and the ensuing push to regulate personal data used for contact tracing purposes has raised unique privacy concerns, lawmakers’ interest in the issue resurfaces the need for a federal privacy law. Compounding the economic uncertainty that is weighing heavily on the entrepreneurial community, startups—without clear federal guidelines—stand to lose even more in the debate over data privacy standards.
The current privacy conversation has underscored the need for Congress to pass a federal privacy framework that provides startups and Internet companies with clear guidelines when handling users’ personal information. As we have pointed out, the lack of existing federal guidance means that startups are forced to rely on a patchwork of state-by-state laws. This legal landscape can severely limit the ability for early-stage companies to innovate and compete on a national level.
Last year, policymakers released privacy legislation proposals and held several hearings and discussions about the need for a federal data privacy law. Congress, however, has turned its attention away from a national privacy framework, stalling bipartisan progress. As policymakers continue to grapple with the policy issues arising from the ongoing coronavirus pandemic, they should consider how questions about the use of consumer data fit into the broader context of federal data privacy legislation.
Other concerns that policymakers have recently expressed, such as the use of personal data for targeted online advertisements, could also be addressed through a uniform data privacy law. It is concerning that some lawmakers, such as Sen. Josh Hawley (R-Mo.), have expressed a desire to address the use of consumers’ personal data in targeted ads by rolling back critical intermediary liability protections for online firms. As we noted just last week, this liability framework—provided by Section 230 of the Communications Decency Act—allows startups and Internet firms of all sizes to host user-generated content without having to worry about abusive and potentially disastrous lawsuits over content created by their users. Policymakers who want to address these types of data privacy concerns can do so by passing a strong federal privacy law that includes other crucial consumer protections.
Instead of focusing on legislation that fails to comprehensively safeguard all users’ data, Congress must remain focused on providing consumers—and the startups whose services they use—with a uniform privacy framework that protects users and creates much-needed certainty for entrepreneurs and investors.
On the Horizon.
The Information Technology & Innovation Foundation is holding a webinar tomorrow at noon to discuss the Federal Communications Commission’s role in reforming Section 230. The panel will feature FCC Commissioner Geoffrey Starks.
Lincoln Network and the National Security Institute at George Mason University’s Antonin Scalia Law School are holding a webinar tomorrow at noon to discuss responsibility when it comes to tech platforms, harmful content, and illegal activity.
The House Small Business Committee is holding a hearing at 1 p.m. tomorrow on Paycheck Protection Program loans and “the issues borrowers and lenders have faced in applying for and using the loans.”
The House Intelligence Committee is holding a hearing at noon on Thursday to discuss social media, COVID-19, and election security as they relate to “emerging trends in online foreign influence operations.”