How the Upcoming Election Could Change Privacy Law in the U.S.
October 27, 2020, Covington Alert
The November 3, 2020 election is likely to be a watershed event in the development of privacy law in the U.S. This client alert provides a high-level overview of the areas in which change is likely to occur, depending on how the election turns out.
1. Federal Legislation
Unlike most countries of its size, the U.S. does not yet have a broadly applicable data privacy law for consumers. In the two-year congressional session that will end in December 2020, an unprecedented number of legislative proposals for new federal privacy laws were introduced by both Democrats and Republicans in the Senate and House, but it is unlikely that any will be enacted. In the new session beginning in January 2021, however, prospects are likely to be better for passage of federal privacy legislation.
There are certain similarities across these proposals, particularly when it comes to providing rights of access, correction and deletion to consumers; requiring consent or other legal means for processing data; and protecting sensitive categories of data. However, there also are key differences. While both parties are motivated to enact data privacy legislation, these key differences have prevented this from happening — which is why the fate of future privacy legislation is likely to differ depending on the election outcome.
- If Biden Wins and Democrats Take Control of the Senate: Legislation is likely to pass, although passage is more likely in the latter part of the two-year congressional session in 2022. Key features for legislation in a Democratic-controlled Congress likely would include (1) no preemption of state laws, so companies would continue to be subject to both federal and state requirements; (2) private rights of action, so class action lawsuits would become a risk in addition to Federal Trade Commission (FTC) and state attorney general enforcement; and (3) FTC rulemaking authority to set more prescriptive and specific rules governing privacy.
- If Trump is Re-elected and Republicans Retain Control of the Senate: Legislation is likely to pass, again in the latter part of the two-year congressional session that launches in January 2021. Key features for legislation in this scenario likely would include (1) preemption of state laws, including recently-enacted state laws such as the California Consumer Protection Act (CCPA); (2) limitations on private rights of action, so the legislation likely would be enforceable only by the FTC and perhaps state attorneys general; and (3) the FTC would not be given rulemaking authority.
- If the White House and Senate are Controlled by Different Parties: Legislation is still likely to pass, but may be delayed even further to the beginning of 2023 due to a more partisan environment. Also, key provisions would be calibrated and negotiated. For example, (1) federal preemption might apply only to some parts of the legislation; (2) private rights of action may be permitted only in certain scenarios; and (3) FTC rulemaking authority might be granted only in specific areas, similar to the approach taken by the Children’s Online Privacy Protection Act.
2. State Legislation
- California. On election day, California voters will consider whether to enact Proposition 24, also known as the California Privacy Rights Act (CPRA). The CPRA would give California residents new rights to correct their personal information, opt out of sharing their personal information for cross-context behavioral advertising, and limit the use and disclosure of their sensitive personal information. The CPRA also would require companies to adopt data minimization and retention practices, and to include certain provisions in their contracts. It would establish a new agency, the California Privacy Protection Agency, to enforce the law. These provisions would take effect on January 1, 2023, and they would supplement the existing California Consumer Privacy Act, which took effect only last year. You can find additional information about California-specific issues in our blog posts on the Covington InsidePrivacy Blog.
- Michigan. Voters in Michigan will vote on an amendment to the state constitution to prohibit law enforcement searches of electronic data without a warrant.
- Maine. Voters in Portland will consider a city referendum to ban the use of facial recognition software by law enforcement, similar to the bans passed earlier this year in Washington State and San Francisco and the broader version passed in Portland, Oregon.
- General State Privacy Legislation. Before the COVID-19 pandemic, multiple states were expected to enact privacy legislation in 2020. The pandemic slowed these efforts, but the pace is likely to pick up in 2021 if state legislatures return to a more normal legislative calendar. To some extent, the more slowly the federal government moves on its own privacy legislation, the more likely state action will be.
3. Other Privacy-Related Legislative Efforts
General privacy legislation is not the only way in which the use, access and storage of data could be regulated. We anticipate that several of the following areas also will be ripe for legislative activity in the next congressional session:
- Section 230. Section 230 of the Communications Act provides websites and digital platforms with immunity for content posted by users, and permits wide authority for websites and digital platforms to moderate content. This grant of immunity has become controversial as platforms have exercised their authority under Section 230 to flag or remove content associated with political races. If President Trump is re-elected and the Republican party controls one or both houses of Congress, we anticipate a wide-ranging effort to repeal or substantially amend Section 230. If Vice President Biden is elected and the Democratic party controls one or both houses of Congress, we anticipate that full repeal is less likely, but that targeted legislative efforts concerning specific issues (such as deepfakes or civil rights issues) may be made.
- The Foreign Intelligence Surveillance Act (FISA). On July 16, 2020, the European Court of Justice held that the EU-US Privacy Shield did not sufficiently protect European data subjects from the effect of U.S.-based surveillance under FISA. As the Department of Commerce pointed out in the wake of that case, most U.S. businesses are not subject to FISA process. When the Court last struck down a data-transfer mechanism, the U.S. Congress responded by narrowing FISA in the USA Freedom Act. It is possible that Congress may consider a similar approach in the upcoming session, but it should be noted that the FISA reform process in the session now ending was difficult.
- Cybersecurity. If Vice President Biden is elected on November 3, we anticipate that a significant legislative effort will be launched to improve cybersecurity standards for elections.
- The Electronic Communications Privacy Act (ECPA). ECPA governs access by the federal government and litigants to stored data. It was passed in 1986 and is significantly outdated. A divided Congress has stymied efforts to update ECPA in the past. A single-party Congress, whether Republican or Democrat, may expedite legislative efforts to update ECPA.