WASHINGTON — Lawmakers of both parties, advocates and business and tech industry lobbies all say this session of Congress may be the best chance in years to pass meaningful data privacy legislation — one motivated by California lawmakers' passage last year of a data privacy law, paired with a similar measure enacted by the European Union. And the fall from grace of some of Silicon Valley's biggest firms after scandals including the misuse of social media during the 2016 election has given advocates and lawmakers cover to take on tech giants.

Under California's law, which takes effect next year, Web users can demand that a business tell them what personal information it is collecting about them and whether it is selling or sharing it, and if so to whom. Consumers can also demand that a company delete their information. The law will allow people to sue companies whose negligence leads to breaches of personal data.

While some companies pushed for the bill, others whose business models rely on collecting and selling user data would like to see a federal law scale it back. Many businesses also want to avoid having to deal with a patchwork of state laws as well as the EU's regulations, which include obtaining people's "informed and unambiguous" consent for processing personal data, and requiring data collectors to report breaches.

Privacy advocates, meanwhile, are eager to seize the moment and pass a strong bill at the federal level, setting a minimum nationwide standard that would match or exceed California's.

But even with the desire across the board to come to agreement, a number of sticking points — including how to deal with state laws like California's — threaten to derail any effort. And when it comes to Congress, the safe bet is always on inaction.

Still, lawmakers working on the project as well as lobbyists and advocates see a real opportunity.

Skeptics have reason to be pessimistic, beyond Congress' perpetual difficulty in passing almost any legislation. Several years ago, as breaches of personal data became more common, Congress considered passing a bill requiring consumers and authorities to be notified of such events, as dozens of states were doing independently. In the end the effort failed, and every state passed its own law.

Several state attorneys general at a recent privacy conference in Washington predicted that the same thing could happen in the data privacy arena, with California's new law ultimately serving as a model for other states. 

Some experts, however, see more momentum for privacy legislation in Congress because of the issue's existential nature to many companies. The handling of users' data is essential to the fabric of most companies, from the way their websites are designed to the way a business model works. Complying with different state laws would be virtually impossible for companies that operate online, the industry fears, bringing them to the table for action.

Democrats and privacy advocates, though, want to ensure that the end result isn't weakening states' abilities to enact strong regulations.

Proposals from groups including the U.S. Chamber of Commerce and the Information Technology Industry Council would require companies to be more transparent about how they use data and collect consumers' consent. The groups also argue that some uses of data may not require consent or disclosure, depending on the circumstances.

One of the major sticking points will be how to treat state laws. Republicans and industry representatives are pushing for anything Congress passes to override such measures. Democrats and privacy advocates say that's acceptable only if the federal law is as strong as California's.

"I don't think that weakening a strong law should be the pathway in Congress," U.S. Rep. Anna Eshoo, D-Calif., said at a recent privacy conference.

Her district includes several of the biggest companies in the tech industry. She said California's law should be the model for Congress.

"There's a saying: As California goes, so goes the nation," Eshoo said. "Congress' work should not be to chip away at what California did in its consumer protection law, but rather have it be instructive to us. And I think if we come up with something that's strong, then we can avoid a 50-state patchwork of laws."

Veterans of the California fight say they are not going to wait on Washington. Jim Steyer, founder and CEO of Common Sense Media, an advocacy group that seeks to help families navigate media and technology, called California's privacy law a landmark bill that could be replicated in Congress.

He said that lawmakers working on the issue are serious and that he has advised many of them. But he still doubts that anything can pass these days, much less strong legislation.

"The question is, can Washington overcome its dysfunctionality?" Steyer said. "We are skeptical as to whether or not Congress can get its act together, and our bottom-line position is if there is federal privacy legislation, it has to be stronger than the California privacy law."

If it's not, he said, then advocates will have no trouble focusing on the state level. "The entire tech industry is not going to agree with this, and some of the companies will spend hundreds of millions of dollars trying to water down the legislation, like Facebook and Google, maybe," Steyer said.

San Francisco housing developer Alastair Mactaggart, who spearheaded a ballot effort that spurred the California bill, visited Washington last week to meet with key senators including privacy hawks like Democratic Sens. Ron Wyden of Oregon and Ed Markey of Massachusetts and Trump administration officials. He said repeated missteps by the tech industry — like the recent revelation that Facebook had created an app to collect personal data and was paying people, including teenagers, to use it  couldn't offer "a better wind at my back."

"The model's there: California leads, the others follow," Mactaggart said.

(c)2019 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.