Legislative Findings Will Be Important to Federal Privacy Legislation

Editor’s Note: This article is adapted from a December 2020 Brookings Institution report, “Framing a Privacy Right: Legislative Findings for Federal Privacy Legislation.” Cameron F. Kerry and John B. Morris Jr. lead The Privacy Debate initiative at the Brookings Institution, which brings together stakeholders in civil society, industry, government and academia to discuss federal privacy legislation.

The debate in Congress about privacy legislation has now been in full swing for two years, and members of Congress have released more than 20 comprehensive information privacy bills or drafts. But most of these bills do not include proposed legislative findings or statements of policy that explain the overarching foundations of the legislation. Even though legislative findings and policy statements are primarily rhetorical rather than operational, they serve important functions. To fill these gaps in federal privacy bills as the House and Senate and a new presidential administration prepare for the 117th Congress, we released a new Brookings report to propose a set of legislative findings for federal privacy legislation as a template for the coming debate.

A handful of bills, such as Sen. Kirsten Gillibrand’s Data Protection Act and Sen. Sherrod Brown’s Data Accountability and Transparency Act, include statements of legislative findings or policy—but the majority do not. Most notably, legislative findings are absent from the bills that are the most likely starting points for legislation in 2021: Sen. Maria Cantwell’s Consumer Online Privacy Rights Act, Sen. Roger Wicker’s SAFE DATA Act, and the House Energy and Commerce “bipartisan staff draft” (although the latter does include a bracketed placeholder).

These omissions are understandable. The core provisions of privacy legislation present plenty of challenging and contested issues that we explored in our report “Bridging the Gaps: A Path Forward to Federal Privacy Legislation” in June. 

Yet legislative findings present an argument for a bill that can help build congressional and public support. More significantly, they build a record of congressional intent that can guide interpretation by courts, administrative agencies and affected parties—and they can spell out grounds for courts to uphold legislation against constitutional challenges. Such a record will be significant for the inevitable challenges to privacy legislation, especially on First Amendment commercial speech protections or Article III standing questions. As debate on privacy legislation continues into 2021, legislative findings will provide Congress an opportunity to make a statement about the significance of privacy—one that not only can inform judges, regulators and lawyers applying a privacy law but also can declare American values to the world.

What Do Legislative Findings Accomplish?

Legislative findings, though underutilized, can play an important role in clarifying the scope of legislation. Writing for the University of Chicago Law Review, Brigham Young University law professor Jarrod Shobe conducts a rare and thorough study of the use and legal significance of legislative findings and purposes in enacted statutes. Shobe reviews 30 years of legislation appearing in the Statutes at Large, the chronological collection of laws passed by Congress, and finds that the majority of “significant bills” included findings. Nevertheless, he points out, courts and legal academics have given them little attention. This judicial omission is wrong, he argues, because “[e]nacted findings and purposes are law just like any other law, and there is no reason why they should not be given the full weight of the law.”

Shobe points to institutional reasons for the underestimation of legislative findings: They are often published only in the Statutes at Large, stripped out when legislation is codified in the U.S. Code, and discouraged by the House and Senate Offices of Legislative Counsel. In short, courts’ tendency to overlook legislative findings does not indicate a lack of legal import but, rather, a lack of visibility due to practices by the Office of Law Revision Counsel, a nonpartisan congressional office charged by statute with “[c]lassifying newly enacted provisions of law to their proper positions in the Code.” If Congress wants its text to matter, perhaps it should change this practice of relegating enacted findings and purpose statements to either hard-to-find statutory notes or the Statutes at Large and, instead, place findings and policy statements alongside the operative text (as has been done in some cases, such as 47 U.S.C. § 230).

Shobe’s groundbreaking argument makes sense. The late Supreme Court Justice Antonin Scalia’s most accepted contribution to American law has been the significance of textualism in statutory interpretation (not to be confused with a second and more debated Scalia contribution, originalism in constitutional interpretation). From his first term on the Supreme Court, Scalia waged a battle against use of legislative history to interpret statutes, dismissing statements of sponsors and even committee reports as irrelevant to the meaning of the text and a dubious reflection of the intent of Congress as a whole. As a result, as Jonathan Siegel puts it, “[w]e are all textualists now compared with the 1960s and 1970s.” As Shobe points out, legislative findings are a different order of congressional statement. “The text is the law,” Scalia argued—and legislative findings adopted by Congress are an integral part of that text, enacted by the full Congress the same as the other parts of a bill. 

The Need for Legislative Findings in Privacy Legislation

Legislative findings will matter in privacy legislation. Privacy legislation addresses the use of personal information, and any legislation that regulates information may implicate the First Amendment. The Supreme Court has extended First Amendment protection to encompass commercial speech, in particular, advertising and marketing, albeit under a more lenient standard than for noncommercial speech. Under this standard, any government restrictions on commercial speech must “directly advance” a “substantial” government interest, whereas restrictions on other speech must be “narrowly tailored” to interests that are “compelling.” Commercial speech cases raise questions for how privacy legislation may limit businesses that share personal information with third parties, track and profile online users for advertising and marketing, serve ads based on personal information, and collect and disseminate information that may be considered public. Inevitably, some of these issues will become judicial questions.

The Supreme Court’s decision in Sorrell v. IMS Health (2011) raises such questions for privacy legislation and may increase the likelihood that limitations on advertising and marketing resulting from such legislation will be challenged on First Amendment grounds. The Sorrell decision resulted from a Vermont law that prohibited pharmacies from disclosing information that links doctors with drug prescriptions to “data miners” who analyze the doctors’ prescription patterns and sell the results to pharmaceutical manufacturers. The law also barred pharmaceutical manufacturers from using such information to contact doctors for marketing purposes. The court saw the statute as discriminating against these pharmaceutical manufacturers and marketers because other companies were allowed to use the same prescription information for nonmarketing purposes. It therefore struck down the statute under the stricter standard that applies to discrimination in expression but noted that the same result would apply even under the more lenient commercial speech standard. 

But it’s not clear how far the court’s narrow ruling in Sorrell would apply in other cases. Notably, the court contrasted Vermont’s narrowly targeted law with the broader protection of the Health Insurance Portability and Accountability Act (HIPAA) and suggested that a HIPAA-like statute “would present quite a different case than the one presented here.” Even so, the potential impact of privacy legislation on commercial speech has been raised in the privacy debate, and challengers would likely cite Sorrell as support for their claims. Indeed, a Maine law establishing privacy requirements specifically for broadband providers is being challenged on the theory that it discriminates among First Amendment speakers. And facial recognition systems provider Clearview AI is defending a suit under Illinois’s Biometric Information Protection Act on similar grounds. Here’s where legislative findings could make an important difference. Adding these findings onto a federal privacy law will help to meet the Supreme Court’s guidance in Sorrell—that Congress should explain the broad societal goals that baseline privacy legislation seeks to address. This could help insulate the law from legal challenges.

Privacy legislation also needs to address the Supreme Court’s Spokeo v. Robins (2016) decision on standing. This class action case was brought under the first federal privacy statute—the Fair Credit Reporting Act (FCRA) of 1970—by a plaintiff who sought damages because a “people search engine” used to assess individual credit allegedly contained inaccuracies. The court sent the case back to the lower courts to determine whether allegations of intangible harm were “particularized” and “concrete” enough to meet the requirement for a plaintiff to have standing to sue in federal court under Article III of the Constitution. In discussing these requirements, the court noted that injury to rights such as free speech and free exercise of religion can be concrete for these purposes even though they are abstract. Although the court ruled that not every inaccuracy or procedural violation under the FCRA amounts to concrete harm, it acknowledged that when considering “whether an intangible harm constitutes an injury in fact, both history and the judgment of Congress are instructive.” The Spokeo decision specifically recognized that “Congress is well positioned to identify intangible harms that meet minimum Article III requirements[.]” This directly invites Congress to identify and articulate privacy harms.

In the context of issues like these, legislative findings in privacy legislation will effectively amount to a congressional brief to the Supreme Court that can articulate “substantial” or “compelling” interests—as well as how the statute directly advances these interests and limits harms that privacy violations can cause to individuals. With the force of law, such a brief would be far more persuasive than any “appellate counsel’s post-hoc rationalizations for agency action.” Thus, we present proposed legislative findings and policy statements in our report. In doing so, we hope to motivate further discussion about the foundational principles and aims of privacy legislation.