Skip to content

Congress Takes First Steps Towards Federal Data Privacy Law

Everyone knows by now that the European Union passed a sweeping privacy law that was implemented in May of 2018 regulating how businesses may use personal data. California passed a similar law — the California Consumer Privacy Act (CCPA) — that will take effect on January 1, 2020. What may be less well known is that Congress is considering passing a privacy law of its own. The House Consumer Protection and Commerce Subcommittee and the Senate Committee on Commerce, Science, & Transportation held consecutive hearings last week to consider just that. While both sides of the aisle generally agree that a federal privacy law seems necessary, key issues remain to be worked out, including one very important one, which is whether such a federal privacy law would preempt state privacy laws.

Industry participants argued that a single federal privacy law was necessary to protect both businesses and consumers. According to Jon Leibowitz, Co-Chair of the 21st Century Privacy Coalition, which counts AT&T, Comcast, and Verizon among its members, “the proliferation of state and local consumer privacy laws in place of a national framework creates significant compliance and operational challenges for businesses of all sizes.”1 It would also result in a patchwork of laws that provide varying degrees of privacy protections for consumers depending simply on where they shop, live, work, or travel.2

Michael Beckerman, President and CEO of the Internet Association, echoed Mr. Leibowitz’s concern that a multitude of state privacy laws would hinder rather than enhance consumer welfare. “People should not be expected to know which rules apply depending on where they are and who they are dealing with,” he stated.3 He added that a federal standard would enhance trust in data uses as everyone would be living with a consistent set of expectations.4 The more state privacy laws that come into play, the more complicated the landscape becomes for consumers.

Congress is being urged not to use the GDPR or the CCPA as a basis for federal privacy regulation, in part because of the compliance burdens imposed by those laws. According to Roslyn Layton of the American Enterprise Institute, the efficacy of the obligations imposed under the GDPR and the CCPA has not been tested and the GDPR in particular failed to properly balance protecting consumer’s privacy with preserving innovation.5 Dave Grimaldi, Executive Vice President for Public Policy at the Interactive Advertising Bureau, joined Ms. Layton in expressing concern that overly restrictive privacy laws benefit tech giants such as Google and Facebook at the expense of small and medium-sized businesses that do not have the resources to manage a complex and burdensome legal framework, which is harmful to competition and consumers.6

Businesses that will be subject to both the CCPA and the GDPR are likely to face challenges in developing a single compliance regime that satisfies both laws. For example, while the CCPA generally will not regulate the use of personal information collected from publicly available government records, the GDPR does regulate such information.7 Additionally, the CCPA will provide consumers with an absolute right to opt out of the selling or disclosing of their personal data, but not to other uses of it. The GDPR, on the other hand, provides a broader right to object to any use of the consumer’s data, but that right is not absolute — a business may process data over a consumer’s objection if it demonstrates there are compelling legitimate grounds to do so.9

A single federal privacy law won’t eliminate the complexities of complying with multiple privacy laws, including the GDPR, but it could provide a more manageable solution for businesses and consumers than a patchwork of 50 different state privacy laws.

The hearings were a first step towards a federal data privacy framework that many hope will be enacted before the end of the year (and before the CCPA goes into effect). But as Sen. Cantwell explained, “I don’t think anyone should be under the illusion, though, that this is an easy task. . . . The many challenges that we will face as new ways that information is shared cannot just simply be decided today.”10 In the meantime, companies doing business in the United States must prepare for implementation of the CCPA, which covers consumers in the world’s fifth largest economy.

Visit our website to learn more about V&E’s Cybersecurity & Data Privacy practices. For more information, please contact Vinson & Elkins lawyer Jessica Heim.

1 Testimony of Jon Leibowitz, Co-Chair, 21st Century Privacy Coalition (Feb. 27, 2019), available at

2 Id.

3 Testimony of Michael Beckerman, President and CEO of the Internet Association (Feb. 27, 2019), available at


5 Hearing on “Protecting Consumer Privacy in the Era of Big Data” (Feb. 26, 2019), available at

6 Id.

7 CCPA ⸹⸹ 1798(b), (o); GDPR Articles 4(1) & 9, Recitals 26-30.

8 CCPA ⸹⸹ 1798.120, 1798.135.

9 GDPR Articles 12 & 21, Recital 70.

10 Ranking Member Maria Cantwell Opening Statement, Policy Principles for a Federal Data Privacy Framework in the United States (Feb. 27, 2019), available at

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.