On September 10, 2019, leaders of the high tech and business world, through the Business Roundtable, sent a letter to political leaders urging them to pass a comprehensive federal consumer data privacy law. The letter, signed by individuals like Amazon’s Jeff Bezos and Michael Dell, and other business leaders, noted that “There is now widespread agreement among companies across all sectors of the economy, policymakers and consumer groups about the need for a comprehensive federal consumer data privacy law that provides strong, consistent protections for American consumers. A federal consumer privacy law should also ensure that American companies continue to lead a globally competitive market.” Business leaders calling for MORE regulation? Inconceivable! Of course, whether or not this is a good idea is in the details.

Patchwork Quilt

Unlike Europe and some other nations, the United States does not have comprehensive data privacy laws. Rather, we have a patchwork quilt of specific sector-by-sector or even data-by-data laws that relate to data collection, storage, dissemination, use, and accuracy. Indeed, the most comprehensive “data privacy” law in the United States was signed into law in 1914 by President Woodrow Wilson, and had nothing whatsoever to do with data privacy, but rather dealt with “unfair” or “deceptive” trade practices. The basic model or framework for U.S. privacy laws dates to the Nixon administration and laws relating to the collection, dissemination, use and accuracy of credit reporting data. This is because Congress and state legislatures react to specific problems by passing specific legislation. When, during Robert Bork’s failed confirmation hearings, evidence was presented about the judge’s video rental records (from Errol’s video store), Congress passed a law enhancing the privacy of such rental records and mandating that rental records be destroyed after a period of time. In 1984, they extended such privacy to videos watched on cable TV. Health information got its own privacy protection in 1996. Credit card data breaches were first addressed by California in 2002. It’s like a wall with individual bricks, none of which mesh together.

For individuals, this means that the question of whether or not the privacy of your data is protected depends on the nature of the data, who it is collected by, where it is collected, and how it is used. If you rent a video from Blockbuster (there may be one or two left in Alaska), you are entitled to one level of privacy; if you rent the same video from “cable,” another; through FIOS, a different one; through a streaming service like Amazon, Roku or Sling, another; and from a pirate or peer-to-peer source, yet another. Same video, different privacy rights and laws.

For companies, the problem is exacerbated by the fact that state legislatures and regulators have stepped into the void created by the lack of a single comprehensive data privacy law in the United States. This means that a regulated entity must comply with the data privacy, data security, and data breach notification laws and regulations not only for each country, but for each state and locality. As a security/privacy professional, you have probably experienced this yourself. When you first approach a client or customer to determine their “security” needs, one of the first things you do is find out what the client’s regulatory environment looks like. Are you collecting health data (HIPAA)? Do you process credit cards (PCI)? Do you access or use financial data (GLBA)? Are you in the energy sector (FERC/NERC)? Educational records (FERPA)?

The National Conference of Uniform State Laws maintains a partial list of data privacy/security laws, but this does not include the thousands of individual regulations promulgated by state agencies or local governments. From a compliance standpoint, it’s a nightmare. So companies are left to map out — based on things like the type of data collected, its sensitivity, the location of the company, the location of the data, the location (residence or citizenship sometimes) of the data subject, and other factors — precisely what they are required to do in terms of data collection, notice (opt-in, opt-out), consent, sharing, contract language, time to live, data retention, data deletion, data security, data breach notification, and other factors.

One Ring to Rule them All

The stated goal of the Business Roundtable is to create “a national consumer privacy law [which] should apply a consistent, uniform framework to the collection, use, and sharing of personal data across industry sectors.” Broadly speaking, they have called for adherence to certain privacy principles such as transparency (consumers should know what is being collected, by whom, and for what purposes), control (consumers should have the ability to opt in or opt out of data collection and sharing, and control what is done with their data), access and correction (consumers should be able to see what has been collected and correct errors), and deletion (some right to be forgotten).

All good in theory. But not so great in practice.

Whack-a-Mole

The problem with “consumer choice” and “transparency” is that it is, to a great extent, an illusion. Try this at home. When you visit some new website, take a look in the bottom left corner of your browser, especially if you allow cookies and pop-ups. You will see the names of dozens of URLs stream across the screen — URLs of companies you have never heard of. This means that your data — at least some of it — is being passed on to or through each of these companies. Do you want it to be? No clue. Can or should you prevent it? Again, no clue. Once on my iPhone I wanted to read an article from the New York Daily News. My phone noted “this site wants to use your location; accept or deny…” Hmmm, I thought. If I allow it to use my location, I will get ads from Washington, D.C. instead of Manhattan — possibly useful, or at least not unreasonable. But what does it MEAN that the Daily News wants to get my location? Just this once or for all eternity? And with whom will they share my location? And for what purposes? Does this mean that the FBI and NYPD will now have my location? What about the GRU? It’s too complicated, Shrevie. I just want to listen to the music.

A better approach — or at least a different one which MIGHT be better — is to have actual rules on what can and cannot be collected, how it can be used, and with whom it can be shared irrespective of notice and consent. And to give the consumer actual control over their data.

After a brief hospital stay, I got a letter from the HHS Center for Medicare and Medicaid (HHS CMS) saying that they had been informed that I was a patient, and asking me to participate in a survey. In fact, it wasn’t from HHS at all — it was from a private company in Ann Arbor, Michigan, presumably hired by HHS to conduct customer satisfaction surveys. But why was the hospital sharing patient records with CMS (who then shared them with this company), especially when the company said that my answers would not be shared with the hospital? If it’s not being shared with the hospital, then what’s the point? What we need are comprehensive information collection and sharing rules — with the default being that NO information is shared EXCEPT as necessary to deliver the products or services requested. No marketing, no sales, no data analytics, no AI. I order batteries from Radio Shack, and I get batteries. Not a relationship.

Comprehensive Strong, Comprehensive Weak

One of the reasons that the members of the Business Roundtable want a single federal law is to make compliance simpler and easier. But another reason is to make it cheaper. In enacting laws, or regulations pursuant to those laws, the federal government has certain options. It can make a single, comprehensive federal standard that both supersedes and “preempts” state or local laws or regulations. In legal parlance, this means the feds “occupy the field.” So, for example, because Congress passed federal laws regulating airline fares and terms of transportation, courts have held that state privacy and data security laws, which apply to anyone who collects data, don’t apply to airlines, since the cost of compliance with these laws would impact fares and terms of transportation. The feds “occupied the field” of airline regulation.

Alternatively, Congress could explicitly say that it is setting a floor for privacy regulation, not a ceiling, and that states and localities are free to set higher or more restrictive privacy laws or regulations — but not less restrictive ones. Finally, Congress could say that the federal law only applies to certain types of data (as HIPAA does), or certain sizes of companies or industries, or some other factor relating to interstate or foreign commerce, but that those outside the scope of federal law can be regulated in any way by others.

An example in the Business Roundtable proposal is that they suggest that any privacy laws should be enforced either by the US FTC or by state attorneys general, but that “enforcement actions and fines should be informed by the harm directly caused by, and severity of, an organization’s conduct as well as any actions taken by the organization to avoid and mitigate the harm, the degree of intentionality or negligence involved, degree of cooperation, and the organization’s previous conduct involving personal data privacy and security.” We saw how well that worked in the Facebook and Equifax settlements, right? Finally, the BRC proposal explicitly stated that “[a] national consumer privacy law should not provide for a private right of action.” The language there is ambiguous. Does this mean that any new federal privacy law should not include the ability of those harmed by the loss of privacy to sue, or, more broadly, that a comprehensive federal law should supersede federal, state and local data privacy, negligence, consumer protection and contract laws, and state that nobody has the right to sue for a loss of privacy? Devil. Details. Whether a comprehensive federal privacy law is good or bad depends on whether or not it makes things better or worse for everyone. And that should include data subjects as well.


Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.