Before COVID-19 became our collective nemesis, 2020 seemed like it would again be the year Congress would finally put together a bipartisan effort to enact long needed baseline federal privacy legislation.
Once the world turns right side up, disparate points of view should come together to reduce the economic burdens of business and increase individual rights. While individual and commercial interests diverge in many ways, most, if not all stakeholders collectively agree that it is critical to achieve a national resolution to the inadequacy and inconsistency of our data privacy and security laws. However, with many (11 at last count) dueling proposed data privacy laws making the rounds in Washington – it is hard to predict whether a consensus can be achieved and ultimately what would accomplish a reasonably fair result.
The need for a level data privacy playing field predates the Internet. Despite universal recognition that individuals should have some right to understand and control the use of their personal information, this has simply not been the case in the US. Constitutional scholars might start the clock on data protection with the 14th Amendment, maintain that the “right of privacy” mandates this type of individual protection. Nevertheless, it was not until 1974 that federal legislation expressly provided citizens with data privacy rights. The U.S. Privacy Act granted a variety of rights with respect to accessing and correcting personal data consistent with global fair information collection principles, but applied only with respect to information collected by government agencies–not business.
The dawn of the Internet age wreaked enforcement and then legislative activity in applying data privacy and security principles to businesses. The Federal Trade Commission (FTC) was the first mover in the space, exerting its authority to prevent deception by enforcing against privacy policies and data security practices it found inaccurate or inadequate. This was a surprise to some businesses. I can specifically recall the CEO of a company stating that the company could always do whatever it wanted with the customer mailing list it “owned,” and was the FTC now saying otherwise? “Yes,” was the unequivocal answer, then, but the POV of many companies that hold consumer data continues to be that customer data is the asset of the business and not the customer.
FTC enforcement proved to be a harbinger of three key pieces of privacy legislation and the start of a flurry of privacy acronyms some of which, sometimes mis-spelled have become part of our lexicon – the Children’s Online Privacy Protection Act (COPPA) – intended to protect against the collection and use of the personal information of children under the age of 13 without parental consent, privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) designed to protect health information collected by health care providers and health care plans and the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) focusing on information collected by financial institutions. These laws all required detailed privacy policies and practices, but only with respect to the specific situations and data involved.
Despite the dramatically increased economic value of personal information, the last two decades have not resulted in any major federal data privacy laws. Many jurisdictions, including the European Community and Canada, have codified fair information principles designed to protect personal data rights. Most recently, the European General Data Protection Regulation (GDPR) has had a substantial impact on global privacy practices in advancing individual rights to consent or object to the use of personal information–something akin to a property right. While GDPR has been the subject of criticism for burdening business without a benefit to individuals, hopefully the U.S. can find a better balance.
Back in “the states,” it has been the states that have filled our gap in providing some level of data privacy and security rights to individuals. California has tended to play the lead role in terms of privacy legislation, with this years’ model being the California Consumer Privacy Act – the first of what is likely to be many state laws that try to impose a GDPR-like standard for privacy protection for the benefit of residents of a particular state.
On the data security front, all states now have enacted legislation requiring private or governmental entities to notify individuals of security breaches of personally identifiable information. But the requirements of many of these laws vary, causing confusion and unnecessary expenditure of resources. In 2007, Massachusetts enacted legislation to set reasonably strong security standards for companies that handle personal information (either in electronic or paper form), and recently many other states have enacted or are considering enacting laws which impose reasonable security measures on personal information.
State laws tend to forge a “de facto” national standard which many companies decide to map their practices to. But the lack of uniformity, with differing and changing state laws provides increased costs to business without a commensurate benefit to the individuals the laws are designed to protect.
Current events remind us that our economy has become increasingly global, but Alexander Hamilton noted in the Federalist Papers that “if the laws be so voluminous that they cannot be read or so incoherent that they cannot be understood” they “will be of little avail.” Because of data privacy and security laws which are voluminous, differing and difficult to interpret and harmonize, businesses are in a quandary. Each one must decide, among other things, whether to apply a uniform standard to its data protection policies, because of differences in state laws, or treat consumers of different states differently. This, of course, applies globally as well, but from a U.S. legislative perspective, we need to recognize that our data as with our economy knows no real geographic borders. It simply does not make practical sense to give a California resident data privacy rights that a New York resident does not have – it does not help businesses or adequately protect individuals.
Business reality militates for federal privacy legislation that gives all U.S. citizens those certain inalienable privacy rights our founders understood event before there was an Internet. Similarly, there is a benefit to bring the U.S. more in line with global privacy principles and limit unnecessary burdens on business associated with differing definitions and standards with respect to the collection, use and security of personal information. Which brings me to the five requirements I trust will resonate and even generate bi-partisan support within and outside Congress.
1. Strong pre-emption language
Yes, states and state governments have their own rights. We are debating aspects of the Covid response over this very issue. However, eliminating the disparities of state laws in terms of defining terms and responsibilities will go a long way towards and a better privacy playing field.
2. Adopt standard definitions and principles more in line with global practice
Adopting standard terms (why use “personal data,” “personal information,” “personally identifying information” and/or other terms designed to cover the same things) to cover uniform items will simplify compliance and enforcement in the US. Also, fundamentally, privacy law is derived from certain principles adopted by the Organization for Economic and Commercial Development. There may be some areas where the U.S. should still be different from other areas of the globe. For example, business contact information is considered personal information in the EU and under the CCPA. However, business contact information should really not be afforded the same level of protection as personal information.
3. Standardization and simplification of privacy policies
Not too many people read privacy policies, and those that do, have a hard time figuring out what they actually mean. By simplifying and standardizing the format and content to eliminate boilerplate and make them clear and concise might mean that consumers could be willing to read and actually understand them. A food label-like short privacy disclosure or setting out in a law certain “minimum expectations” that need not be disclosed unless the company is deviating in a material way from the norm–are two ideas that could make privacy policies relevant.
4. Limitations on class actions
Plaintiff’s class action attorneys love consumer focused privacy and security laws that allow for class actions. Class action settlements in security breach cases have typically contained substantial attorney’s fees provisions while consumers have obtained such things as discount coupons, gift certificates or reimbursements from a settlement fund. While, potentially, the threat of a substantial class action incentivizes companies to protect information, it is not clear whether consumers ultimately benefit in a meaningful way, and additional regulatory enforcement (see below) can realize the same goal. Similarly, individual damages relating to a particular security breach are often hard to quantify – especially if no identity theft resulted from the breach. Reasonable limits to class actions would serve as one trade-off for the additional financial investment businesses will need to make for enhanced data security measures.
5. Increased education and enforcement
It is time for the U.S. to have a Data Protection Authority and encourage each state to do the same. While the FTC has done a reasonably job in terms of educating business, consumers and enforcing existing laws, it has a very broad mandate and a more focused agency with dedicated resources may be necessary to create a uniform voice in handling global and certain nationwide data privacy and security matters. The power that states yield in terms of legislative authority can be returned through federal encouragement that each state takes a stronger role in education and enforcement. Rules regarding data collection and processing would be harmonized, but states would maintain their ability to protect their residents through the ability to educate businesses and conduct or coordinate enforcement actions based on geographic relevance and materiality.
A federal law with these key ingredients will allow the US to get its own house in order, help the economy, protect individual rights and lay the foundation that will permit the US, if its government chooses, to play a larger role in global data privacy and security matters.