The Washington PostDemocracy Dies in Darkness

Congress has another chance at privacy legislation. It can’t afford to fail again.

An Internet surfer views the Google home page at a cafe in London in this 2004 file photo.
An Internet surfer views the Google home page at a cafe in London in this 2004 file photo. (Stephen Hird/Reuters)

CONGRESS RAN out of excuses for its inability to pass a privacy law years ago. Now, some of its members are promising they’ll finally do their jobs — just give them another year and a half.

The quest for federal rules to govern companies that deal in citizens’ personal information has delivered nothing but disappointments. Nonetheless, a commitment last week by key legislators to get comprehensive regulations on the books by the end of 2022, even if doing so requires some compromise, is promising. Reps. Jan Schakowsky (D-Ill.) and Gus M. Bilirakis (R-Fla.) and Sen. Richard Blumenthal (D-Conn.), all chairs or ranking members of relevant subcommittees in their chambers, agreed in a public event on Wednesday that it’s past time to overcome the pesky points of impasse that have doomed past proposals. Key industry and consumer groups made the same pledge.

The pressure is on. California approved a new privacy law in November; Virginia passed its own in March. The Federal Trade Commission has gotten antsy, with a bipartisan duo of commissioners in particular agitating to exercise a little-used authority to make rules. The process would be arduous, and far from ideal — which is all the more reason for Congress to act so that others stop acting for it. Another reality that makes this move a no-brainer: the surprising degree of consensus around not only the general necessity of nationwide data protections but also the particulars.

Indeed, from rights for consumers to access, correct and delete data to obligations for companies to exercise some duty of care or loyalty with the data they collect, members of Congress have shown that they share similar aims. Hammering out how to enshrine those rights and impose those obligations will require care, but it shouldn’t cause gridlock.

More contentious all along have been the topics of preemption and a private right of action. Mr. Blumenthal on Wednesday signaled a possible breakthrough on the first: A strong federal standard, he said, would be preferable to a patchwork of state standards — but a patchwork of state standards would be preferable to a weak federal standard. The best solution is probably a form of preemption that overrides only state laws inconsistent with the federal rules, and allows others to stand. The problem of the private right of action is trickier to resolve but resolvable nonetheless. A Brookings report last year mentioned a possible route that involves limiting liability to especially egregious violations, as well as setting a higher bar for violations.

Congress’s aim to do by the end of 2022 what it should have done as long ago as 2012 may be described as unambitious; more generously, it could be described as realistic. Another failure to deliver, however, would surely be embarrassing.

Read more:

The Post’s View: Dear Congress: Stop promising a federal privacy law. Pass one instead.

Michael Kleinman: Why are we trusting a company with ties to ICE and intelligence agencies to collect our health information?

The Post’s View: California’s privacy law was supposed to spur Congress to act. It flubbed instead.

Harvey Rosenfield and Laura Antonini: Data isn’t just being collected from your phone. It’s being used to score you.

Mark Zuckerberg: The Internet needs new rules. Let’s start in these four areas.