By Olivia Bond

In a September panel at the Sanford School of Public Policy, Professor Chris Hoofnagle of UC Berkeley presented an interesting perspective: the United States is not ready for federal privacy legislation. He asserted that, “…as long as the innovators see privacy as a historical accident and just as an impediment to them making money, they’re not going to follow [a law], even if you pass one.” He continued, comparing the current state of federal privacy legislation to “the point where the tobacco company executives come up and say cigarettes aren’t addictive; they’re not harmful.”

In the 15 years between the tobacco executives’ false assertions and the introduction of tobacco regulations, cigarette smoking caused close to 450,000 premature deaths in the US each year.   

The FTC has advocated for the passage of federal privacy legislation for over 20 years. While the stakes are not quite as life and death as with tobacco, the premise is the same: if lawmakers wait until those who profit from the exploitation of Americans’ privacy rights are “ready,” the United States will continue to fall behind other countries in the effort to build a sustainable digital infrastructure, and Americans will continue to have their personal information stolen without hope of restitution.

The issue is not that technology industry executives fail to recognize what a valuable commodity privacy is, but rather the reverse. Leaders of large technology firms understand exactly how much is at stake for them should the value of privacy be taken seriously and, not dissimilar to the analogous 20th century tobacco executives, want to preserve their interests for as long as they can.

I, a non-lawyer, will not pretend to understand the legal intricacies of federal privacy legislation. Yet, it does not seem that a legitimate, respectable argument remains that calls for inaction and zero privacy protections. Following that logic, passing a federal privacy law that affords everyone in the country protection from a ubiquitous threat seems like an obvious next step.

However, the conversation amongst the panelists made clear that passing a federal privacy law is no longer a sufficient recommendation. To protect Americans’ privacy rights, the complexity persists not in what to do, but how. I agree with a suggestion made by FTC Commissioner Christine Wilson: federal privacy legislation should be passed as a baseline to ensure consistency in both consumers’ understanding of the rights afforded to them and businesses’ understanding of the standards they must uphold. States can then fill gaps to meet specific needs of their populace or to enhance certain regulations.

Panelist Stacey Gray, Senior Counsel at the Future of Privacy Forum, highlighted important considerations to take into account prior to passing preemptive federal privacy legislation. Preemption occurs when the power of a higher level of government supersedes that of a lower level of government. If preemptive federal privacy legislation were passed, not only would newer, more well-known omnibus laws be at risk, but hundreds of existing state privacy laws could also be wiped out. If Congress did pass a federal privacy law as a baseline, these laws would need to be addressed through savings clauses, and the federal legislation itself would need to be written so as to allow for continuous evolution to prevent ossification.

If the last 20 years have proven anything about federal privacy legislation, it is that action will likely not be expeditious. In the meantime, privacy advocates should push Congress to grant the FTC supervisory capabilities, which would allow for stronger oversight of tech platforms’ privacy and competition practices. As Commissioner Wilson asserted, the potential exists for the FTC to be a high-quality enforcement agency. With the proper support and resources, the FTC could be well-equipped to take on greater oversight responsibilities. This idea is not an entirely novel or outlandish one. Indeed, President Barack Obama’s Privacy Bill of Rights intended for the FTC to legally enforce codes of conduct based on the outlined protections. Such legislation would potentially serve as a steppingstone on the path to federal privacy legislation.

Regardless of what additional steps become necessary, the bottom line remains: the United States cannot wait to pass federal privacy legislation until those wielding the most power in the technology industry suddenly become amenable to losing their unfettered access to consumer data. Strengthening the FTC’s supervisory capacity could at least signal to skeptics that privacy is, in fact, a value worth protecting, and that the tide shifting towards more widespread privacy protections is inevitable.