SECURE Data Act offers ‘clear, enforceable’ privacy rules, without the big money lawsuits

WASHINGTON, D.C. — Republicans in Congress are attempting to move forward with a proposed new law that would for the first time create national standards for protecting privacy rights, while at the same time potentially ending an ever growing tsunami of lawsuits aimed at extracting billions of dollars from U.S. companies, often with no proof anyone ever suffered any harm.

But as the legislation begins to move forward, it is also receiving strong pushback from trial lawyers and their allies, including so-called privacy advocates and Democratic attorneys general in states whose courts are infamous for such big-money lawsuits, notably including California and Illinois.

In late April, Republican lawmakers introduced the legislation dubbed by supporters as the SECURE Data Act. The name is an acronym representing the proposed law's full name, "Safeguarding and Enhancing Cybersecurity and Understanding Rights of Every Data Subject Act."

Supporters of the SECURE Data Act say it is needed to address a "patchwork" of state privacy protection laws, which have generated billions of dollars for trial lawyers from thousands of individual and class action lawsuits, while creating uncertainty and risk for American tech companies seeking to advance new technologies and for other companies adopting that tech.

For instance, in Illinois, the state's unique stringent Biometric Information Privacy Act (BIPA) has generated thousands of lawsuits in the past decade. While some of the most prominent litigation filed under the BIPA law have generated hundreds of millions of dollars in payouts from tech giants like Meta and Google, the bulk of the lawsuits have taken aim at smaller employers, who use technology like fingerprint-scanning timeclocks to accurately log employee work hours and reduce fraud.

Class action lawsuits under the BIPA law have been targeted at employers who also use biometric identifying tech to secure cash rooms and drug lockers, or at trucking firms who use face-scanning cameras to monitor drivers.

Illinois courts have also been the origination point for a growing number of lawsuits aimed at businesses under a state law asserting to protect the privacy of people's so-called "genetic information." These lawsuits, for instance, have accused employers and insurers of violating the law by asking job and policy applicants about their medical history.

And in California, that state's privacy laws have been used in the past decade to also launch thousands of lawsuits. The state's courts and laws have been called out by legal reform advocates for enabling a blitz of lawsuits against companies for allegedly violating people's privacy rights by embedding so-called tracking pixels on their websites. Businesses say the tech helps them to learn how people engage with their sites and improve their products and service. Privacy advocates and trial lawyers, however, claim the use of such tech violates people's privacy rights.

And most of those lawsuits, in Illinois, California, and other states, have succeeded at extracting big payouts from companies, despite a lack of evidence indicating anyone was ever actually harmed by the alleged violations of the state privacy laws.

Under the SECURE Data Act, the ability of such lawsuits to be filed in trial lawyer-friendly states, like Illinois and California, would be curtailed, if not eliminated.

The proposal, as it currently exists, would specifically eliminate the so-called right of private action, which enables such lawsuits under state laws, while also preempting existing and new state laws that might seek to go beyond the rules established under the proposed federal law.

Supporters of the legislation, led by U.S. Rep. John Joyce, R-Pennsylvania, and House Energy and Commerce Committee Chairman Brett Guthrie, R-Kentucky, say the legislation is needed to level the playing field and create one national standard on privacy rights.

Under the proposed new law, Americans would have a legal right to know what personal information a company has about them and access that personal data. They can also correct inaccurate information or delete the information.

The legislation would further allow Americans to opt out of targeted advertising, out of the sale of their personal data, and opt out of processes that use profiling or automated systems that make decisions that could affect them.

And the SECURE Data Act would prohibit companies from collecting so-called sensitive data, such as biometric, health, precise geolocation data and financial information, from Americans without their consent.

"This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping," Joyce said at the time the legislation was introduced. "We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”

The legislation has drawn strong support from the business community, including the U.S. Chamber of Commerce. In an open letter co-signed by other state and local chambers of commerce from throughout the U.S., and submitted June 2 to Guthrie and the House Energy and Commerce Committee, the Chamber "urged" the committee to advance the legislation in the House.

"The SECURE Data Act would establish a single national privacy standard with robust consumer protections that builds upon a strong framework already adopted in 20 states," the Chamber wrote in the June 2 letter. "Those protections include data minimization and sensitive data requirements, as well as access deletion, correction, and opt-out rights.

"Importantly, this legislation will also help small businesses who are disproportionately impacted by the regulatory confusion caused by a patchwork of state privacy laws."

The SECURE Data Act was presented and discussed at a House Committee hearing on June 3.

Opponents of the legislation are urging lawmakers to not take up the bill.

The Electronic Frontier Foundation, an online privacy advocacy group, has pilloried the proposed legislation, specifically for its efforts to restrain lawsuits and hand over enforcement to government regulators, rather than trial lawyers in court.

They called that provision "most troubling" for them, because the EFF believes "strong consumer privacy laws should allow consumers to take companies to court to defend their own rights."

And Democratic attorneys general in California, Illinois, and others states have also called on Congress to allow their state laws to stand and reject attempts to create a federal privacy protection replacement standard.

In a June 2 letter drafted by California Attorney General Rob Bonta, the group of 18 state attorneys general urged federal lawmakers to make clear that states remain free to set different, more stringent privacy standards, including those that enable a range of lawsuit risk for companies that operate across state lines.

They said states should keep the power to "rapidly respond to the evolving data landscape," as they see fit.

"A robust federal data privacy law is one that maximizes protections for consumers by setting a floor, not a ceiling, to allow states to continue to innovate and quickly adapt to the ever-evolving technology industry," the Democratic attorneys general wrote.

"... As the data economy has grown, states across the political spectrum have enacted thoughtful privacy legislation that meets the unique needs of their residents, including heightened protections for minors and sensitive consumer data, limits on how data may be used and retained, and requiring that businesses honor tools such as universal opt-out preference signals to make it easier for consumers to exercise their rights.

"The SECURE Data Act would wipe out these meaningful protections and leave consumers with a privacy regime that makes it harder to exercise their rights, gives businesses more discretion on how to use and retain their data, and significantly limits enforcement remedies."

Attorneys general who signed onto the letter included Bonta, Illinois Attorney General Kwame Raoul, New York Attorney General Letitia James, and the attorneys general of New Jersey, Washington, Virginia, Vermont, New Hampshire, Oregon, Minnesota, Massachusetts, Nevada, Maryland, Maine, Connecticut, Hawaii and Delaware.

Bonta separately has asserted the proposed federal law “would hamper the ability of California to adequately protect the privacy of its citizens” by overriding California’s growing body of laws dedicating to expanding privacy rights, while also expanding the ability of people to sue.

Supporters of the SECURE Data Act have stated the legislation would enable state attorneys general to also enforce privacy rights, alongside federal enforcement organizations. It would only curtail the use of private lawsuits to punish companies for allegedly violating privacy rights.

The ultimate fate of the legislation remains uncertain.

Legislation attempting to establish fewer federal privacy protection standards has failed to gain traction in the past, resulting in the failure of Republicans and business groups to secure reforms.

Further, a political clock is ticking: While Republicans currently control the U.S. House and Senate, midterm elections later this year are expected to result in Democrats gaining control of one or both houses of Congress.

As Democrats have largely made up the bulk of the opposition to the proposed legislation, the bill would almost certainly be discarded under Democratic control.

Should the legislation not make it to President Donald Trump's desk before November, it may be some time before privacy law reform advocates could advance a similar proposal again.