WASHINGTON — A rare thing emerged in Washington early this year: agreement. Republicans and Democrats in Congress, as well as the Trump White House, all said they wanted a new federal law to protect people’s online privacy. Numerous tech companies urged them on.
And they had a deadline. With a broad California privacy law set to go into effect early next year, many federal lawmakers and the tech companies wanted to get ahead of it and avoid having state-by-state rules.
But after months of talks, a national privacy law is nowhere in sight.
The window to pass a law this year is now quickly closing. Lawmakers continue to disagree on parts of the bill, including how best to enforce a new law and how much freedom states should have to pass their own rules. And some California lawmakers have balked at efforts to override their state’s new law.
Several lawmakers and their aides insist that they are making headway, meeting regularly to sort out the remaining roadblocks.
“We’re talking a lot, we’re meeting a lot, member-to-member, staff-to-staff, and we’re making good progress,” said Senator Roger Wicker, the Republican from Mississippi who chairs the Senate Commerce Committee, which includes several lawmakers shepherding the effort.
Yet they have nothing public to show for it. And they are now also contending with a Capitol gripped by the House’s impeachment inquiry into President Trump.
The struggle to regulate consumer data shows how lawmakers have largely been unable to turn rage at Silicon Valley’s practices into concrete action. Revelations that the political consulting firm Cambridge Analytica had obtained reams of Facebook user data set off the Washington reckoning over online privacy last year. The social network has since agreed to pay a record $5 billion fine with regulators for mishandling user information, while Congress has grilled major tech executives over their data practices.
But the fervor to crack down on Silicon Valley has produced only a single new law, a bill to prevent sex trafficking online.
“With a Congress that tends to be a do-nothing Congress, they tend to not do a whole heck of a lot unless the phones are ringing off the hook,” said Gigi Sohn, a former Federal Communications Commission official. “That may be the missing piece.”
The United States has some laws that protect consumers’ privacy, like medical information collected by a doctor. But Congress has never set an overarching national standard for how most companies gather and use data. Regulators in Europe, in contrast, put strict new privacy rules into effect last year.
Many tech companies built lucrative businesses off their users’ personal information, often by offering a “free” product in return. Facebook, Google and Twitter, for example, let advertisers precisely target messages based on people’s habits. Other industries — from health care to retail to banking — have also looked at ways to take advantage of customer data.
Last year, California lawmakers passed privacy legislation in the face of public backlash against those companies. Called the California Consumer Privacy Act, the state law gives people the right to see what personal information companies have compiled on them and the right to delete that data and stop companies from selling it. The law takes effect on New Year’s Day 2020; enforcement of it begins in July.
Lobbyists representing the tech giants have spent much of this year trying to modify California’s strict rules before they are enforced. The Internet Association, a group whose members include Google, Facebook and Amazon, supported a bill exempting advertising services from being covered by some of the law’s restrictions, along with several others tweaking the legislation.
At the same time, industry groups flooded Washington with a clear message meant to neutralize California’s rules entirely. Congress should pass a national privacy law, they said, and include a provision superseding any state legislation on the issue.
Joseph Simons, the chairman of the Federal Trade Commission, the top privacy regulator in the country, has also weighed in, urging Congress to pass a national law.
That pressure is likely to increase given that the tech industry’s lobbying efforts in California have had mixed success. The advertising exemption did not make it into the state law, for example. Last month, privacy advocates introduced a new ballot campaign to give the law more teeth.
A group of chief executives who are part of the group Business Roundtable also sent congressional leaders a letter last month calling for them to pass a national privacy law “as soon as possible.”
The Internet Association released a digital and radio advertising campaign warning that American consumers could have to contend with 50 individual state privacy laws. And Business Roundtable has run ads on Facebook linked to its privacy positions. In one, a video shows a map of the United States that breaks into five pieces, according to Facebook’s library of political and issue advertisements.
“Our nation’s privacy laws are FRAGMENTED,” it said.
Tech industry representatives argue that a national law is the best substantive solution in an era of growing privacy concerns. But they also said that their losses in California factor into their strategy.
“California certainly makes things more complicated for people, but this is not just a reaction to California,” said Michael Beckerman, the chief executive of the Internet Association.
Senator Brian Schatz, Democrat of Hawaii, who has been involved in the privacy talks, said Congress remains in negotiations over a national privacy law. He said there were “some remaining thorny issues” but estimated that lawmakers had “probably done 70 percent of the work.”
Senator Jerry Moran, Republican from Kansas, and Richard Blumenthal, Democrat from Connecticut, are nearing a complete version of a privacy bill, according to one person briefed on the talks. In the House, Democrats have been negotiating with their Republican counterparts but are also considering producing a unilateral measure should bipartisan discussions fail, said a different person familiar with the deliberations. They both spoke on the condition of anonymity because information on the talks was shared confidentially.
“We’re not amending a statute, we’re creating one,” said Mr. Schatz. “This is an area where there is no privacy framework in the federal law so we had to construct it from whole cloth — and that takes time to do right.”
One particularly divisive question is whether consumers themselves should be able to directly sue companies that violate the new federal law. Privacy advocates said that a so-called private right of action would give consumers recourse if regulatory agencies failed to take action in response to a troublesome practice. But Republicans remain skeptical.
“It would really create problems,” Mr. Wicker said.
Lawmakers have also publicly disagreed over whether they should give the F.T.C. more authority to make rules on privacy than it currently has — and how far they must go to pre-empt the state laws.
As they haggle over the details of any possible legislation, lawmakers have fended off most of the questions about their plans from reporters who stalk them through Capitol Hill hallways and stake out their negotiations.
Asked last week about the status of the talks, Mr. Wicker, who once mused that a privacy proposal would be public by early September, deadpanned.
“We’ll have an announcement this afternoon,” he said.