Opinion Enough failures. We need a federal privacy law.

The Capitol dome at sunrise in Washington in March 2021. (Carolyn Kaster/AP)

If at first you don’t succeed, try, try, try, try — well, you get the idea. After repeated failures, Congress is reportedly attempting again to forge a federal privacy law. Legislators have no excuse not to succeed at last.

The Wall Street Journal reported recently that Rep. Frank Pallone Jr. (D-N.J.) had organized a meeting as early as this week for aides to senior members of both chambers’ commerce committees. The aim is to craft a single, comprehensive bill out of the multiple proposals that have raised onlookers’ hopes over the past several years, only to let them down. All this time hasn’t been entirely wasted: The parties might not have agreed on the nitty-gritty details of what types of data on the Internet companies ought to be able to collect, process and share under what circumstances, but their ideas have a lot in common. The obstacles that remain require careful negotiation; they don’t, however, require years or even months of study. This is, in short, something Congress should be able to accomplish.

Follow Editorial Board's opinionsFollow

The last best hope for federal privacy legislation arrived with the introduction of dueling bills by Sen. Maria Cantwell (D-Wash.) and Sen. Roger Wicker (R-Miss.) toward the end of 2019, coupled with a bipartisan draft discussion bill in the House of Representatives. These initiatives all took more or less the same line on individuals’ rights to access and control their data. More surprising, and more encouraging, they opened the door to obligations for businesses not to abuse consumers’ information — rather than merely to ask before doing so. Ideally, lawmakers would reformulate these obligations as what advocates and academics have dubbed a duty of loyalty and a duty of care that, in turn, require reasonable policies and practices and prohibit harmful ones.

The fact that legislators have drawn so close together on so many aspects of privacy regulation proves they’ve done their homework navigating a mind-boggling surveillance economy. Two issues, however, still prove vexing: preemption, or whether federal rules should override state ones, and a potential private right of action by individuals who allege they have been harmed. There are ways to split the difference in each of these areas. The whole point of federal legislation is to avoid an unworkable patchwork of conflicting mandates; as long as a nationwide law is sufficiently robust, it should preempt state laws that are inconsistent, while still allowing local strictures that fill gaps to stand. As for the right to sue, individuals should be empowered to seek redress — but only under certain circumstances, including financial loss or a defined set of egregious violations of privacy.

Congress has already demonstrated impressive progress on drafting a federal privacy law. Admirable as that is, it would make failure this time around only more disappointing.