Could the Facebook Papers Close the Deal on Privacy Legislation?

The disclosures from the Facebook Papers have led to a flurry of legislative proposals on Capitol Hill to address data use, kids’ online safety and malicious content. The single most effective step Congress can take is to enact comprehensive privacy legislation to address the explosion of digital information that is presently not covered by existing, narrower privacy laws.

Congress should not let this latest “Facebook moment” pass without meaningful action. Every day that passes without a baseline privacy protection law in effect is another day that businesses collect and use data generated from billions of devices. IBM estimates that the world generates 2.5 quintillion bytes of data per day — that’s 2.5 followed by 18 zeroes.

That number will soon explode even further as data-intensive technologies power augmented and virtual reality environments (the “metaverse” to which Facebook’s new corporate name refers), while autonomous vehicles in the streets communicate with sensors that monitor traffic and pedestrian safety.

It is past time for the United States to require businesses to use data responsibly and give individuals rights to their personal data, safeguards that have been absent and that would protect everyone in America. Virtually every major democracy in the world has passed legislation to set boundaries on business data collection — and this month a new commercial privacy law took effect in China.

After the Cambridge Analytica stories in 2018, several congressional committees hauled in Facebook CEO Mark Zuckerberg for back-to-back hearings carried live on cable news. Since then, Facebook has been a subject of many hearings on privacy, competition, content moderation, misinformation, security, and diversity and inclusion.

Galvanized by Facebook’s sharing of data with Cambridge Analytica, Congress made a promising start on comprehensive privacy legislation. Leading members called for legislation, several introduced bills and multiple committees and working groups got to work toward bipartisan legislation.

When it came to the hard bargaining, however, the early promise waned. Even though flagship bills from the leaders of the Senate Commerce Committee had encouraging areas of overlap, bipartisan agreement stalled. Ideological red lines that have frozen progress include whether a federal law should pre-empt state privacy laws in part or altogether and whether to allow lawsuits by individuals for violations of privacy rights.

There is ample room for compromise on these issues, but little sense of urgency to do so. As privacy work slowed, Congress’ attention has turned to the many other concerns about Facebook and tech platforms, including their impact on children, free speech and disinformation, competition and jobs.

Now the Facebook files have rekindled the privacy debate. The Senate Commerce Committee held its first privacy hearing this year in September. Committee Chair Maria Cantwell (D-Wash.) and ranking member Roger Wicker (R-Miss.) both affirmed their interest in working together on comprehensive legislation. At this hearing, senators and business witnesses publicly softened their differences on the fractious issue of private lawsuits.

The two of us have been deeply involved in the public discussion of privacy legislation for more than a decade. We speak often with congressional staffers and members as well as advocates for industry, consumers, privacy and civil rights. We have never seen passage of a broad privacy law as close as it is now, and no other issue targeting the major tech platforms is anywhere near as ripe for action.

The work already done in Congress and through laws passed in CaliforniaColorado and Virginia have laid a foundation for passage of federal legislation. Both industry stakeholders and advocates for privacy, consumer protection and civil rights are ready to compromise on key issues when and if Congress moves toward passage of a privacy bill.

It will take more than privacy legislation to solve the wide-ranging challenges that social media has created and amplified. But protecting people’s personal information is the place to start. Congress should finish the job of enacting a privacy law that began with its Facebook hearings in 2018.


Cameron Kerry is the Ann R. & Andrew H. Tisch Distinguished Visiting Fellow at the Brookings Institution and former general counsel and acting secretary at the U.S. Department of Commerce, where he led the Obama administration’s data privacy initiatives. Jules Polonetsky is chief executive officer of the Future of Privacy Forum and a former New York state assemblyman and consumer affairs commissioner of New York City.  While Facebook is among donors to Brookings and FPF, the opinions in this op-ed are not influenced by any donation.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult