The Future of US Federal and State Regulation of Data Privacy

During the November 3rd session of Ropes & Gray’s conference, “The Future of Global Data Protection: Conflict or Coherence?” Ropes & Gray partner Chong Park moderated a discussion with Ropes & Gray’s data protection partner Fran Faircloth and Minh Ta, Vice President of Global Governmental Affairs at the Carlyle Group regarding the future of federal and state regulation of data privacy in the United States.

The group all agreed that there should be a comprehensive US federal data privacy law, but expressed opposing views on the likelihood of such a law being enacted in the near future. Minh analogized it to the infrastructure bill debate in the United States, noting that there is bipartisan consensus to address the issue on some level, but the problem lies in the details—i.e., what specifically should be regulated is where people disagree. Fran, on the other hand, expressed a bit more optimism that a federal privacy law would eventually be passed, but agreed that imminent passage is unlikely. She noted that as more states pass their own versions of privacy laws, a federal law would eventually follow as a result.

More than 30 states have at least proposed their own version of privacy legislation. Notably, many states have borrowed concepts from the EU’s General Data Protection Regulation (“GDPR”), but rather than leading with the protection of individuals’ fundamental rights, the states have focused on consumer protection, with a narrower scope centered on whether or not a business is using information in a way that hurts its consumers.

In the United States, the chief regulator of data privacy is the Federal Trade Commission. Section 5 of the FTC Act, which prohibits unfair and deceptive acts or practices “in or affecting commerce,” is the FTC’s primary legal authority for regulating companies’ data practices. The FTC has taken the position that an entity can commit an “unfair or deceptive” practice in violation of Section 5 by virtue of its data practices.

Minh noted that Lina Khan, the new Chairperson of the FTC, has taken an aggressive approach to enforcement, as evidenced by a memo sent to FTC staff encouraging them to seek injunctions against companies that have committed privacy harms. From a practical standpoint, Minh and Fran agreed that this means their best advice to companies with data privacy issues is to fix them (and do so quickly), as the FTC does not look kindly on delays in addressing any privacy intrusions. The key, Fran said, is for companies to be proactive by maintaining a clear set of policies pertaining to data privacy and cybersecurity.

The group discussed the “Flo Health” case to demonstrate how the FTC approaches enforcement with respect to privacy harms. In that case, Flo Health, an app designed to help women track their menstrual cycles, made certain representations in its data policies which the FTC alleged it did not follow. Specifically, the FTC alleged that the app shared data analytics and did not restrict how third parties could use data collected by the app, in violation of its own policy as well as the EU-US Privacy Shield, which was in place at the time. The important takeaway from that case, particularly for health clients, is that user notice and affirmative consent are critical, and that companies should ensure that they maintain compliance with FTC requirements on consent as well as their own policies, so that consumers are not misled.

The group agreed that the privacy legislation landscape is rapidly evolving. A US federal privacy law may be introduced in the future, particularly as more states pass laws and as the FTC takes a harder look at companies’ data handling practices. In the meantime, the key takeaway for all organizations subject to US laws is that they should evaluate where they are operating and who their clients are, and make risk-based decisions about how best to implement compliant and fair privacy practices.