US Chamber of Commerce calls on feds to preempt CA privacy law

The US Chamber of Commerce, on Thursday, asked Congress to come up with new federal data privacy legislation that would preempt the recent California Consumer Privacy Act (CCPA), as well as any other state laws seeking to regulate data privacy and security. Big technology companies are seeking similar action to have privacy law addressed at the federal rather than state level.

The objective in both cases is to avoid a disparate patchwork of data privacy rules across the US and make any new rules more business-friendly. Federal preemption of state laws typically occurs under the Commerce Clause of Article I of the US Constitution.

Absent preemption, as a practical matter, companies doing business across state lines would probably be compelled to conform to the strictest of the state laws, which right now is California’s. However, it won’t go into effect until January 2020, giving the various stakeholders time to come up with a new federal standard.

In addition to appealing to Congress, US Chamber also released a set of “privacy principles” that it says should be part of any federal legislation:

• A Nationwide Privacy Framework.
• Privacy Protections Should be Risk-Focused and Contextual.
• Transparency.
• Industry Neutrality.
• Flexibility.
• Harm-Focused Enforcement.
• Enforcement Should Promote Efficient and Collaborative Compliance.
• International Leadership.
• Encouraging Privacy Innovation.
• Data Security and Breach Notification.

In terms of enforcement, the Chamber is seeking business-friendly rules. It argues that enforcement “should only apply where there is concrete harm to individuals,” and that “a federal privacy framework should not create a private right of action for privacy enforcement.”

This would likely preclude class actions — as would fine print in corporate terms and conditions, compelling arbitration — and equally make it challenging for individuals to sue companies that mishandle personal data or take a lax approach to privacy and security.

CCPA, by contrast, provides statutory damages (which don’t need to be concretely proven) of $100 to $750 “per consumer per incident,” as well as any “actual damages” shown. This could result in millions of dollars of liability for companies found in violation of the rules.

While the US Commerce Department has begun work on data privacy, it’s unlikely that any new federal privacy legislation will pass (or even be introduced) before the November mid-term elections. And it’s a safe bet that if the House of Representatives or Senate is captured by Democrats, federal privacy rules would likely look different than if Republicans maintain control.