The origins of a federal consumer data privacy law
It didn’t get much press in the froth of the Twitter-driven news cycle, but in the wake of huge data breaches in recent years that have compromised the personal information of millions of Americans, the Trump administration announced in July that it had begun working to create consumer data privacy rules. On Tuesday, it released a series of framework proposals to that end.
The Commerce Department started the process by holding meetings with big tech companies like Facebook Inc., Comcast Corp and Alphabet Inc., where they worked to “identify common ground and formulate core, high-level principles on data privacy,” according to David Redl, a senior U.S. Commerce Department official who oversees the National Telecommunications and Information Administration.
The ultimate goal, said White House spokeswoman Lindsay Walters in July, is “to craft a consumer privacy protection policy that is the appropriate balance between privacy and prosperity.” Walters added that the administration is looking forward to working with Congress on a legislative solution consistent with this vision.
The burgeoning data privacy movement
Two noteworthy examples of updated data privacy laws have been implemented in recent years. The most significant (and far-reaching) is the European Union’s General Data Protection Regulation, which applies to any organization operating in the EU. Notable rules require that in the event of a hack, organizations notify the relevant regulatory bodies and affected individuals as soon as possible so that consumers know if their data has been put at risk. Organizations are also required to tell consumers how, exactly, they use their information in a clear and accessible way. Any failure to comply with the new regulations could result in fines as high as 20 million euros or four percent of an organization’s total revenue (in contrast to past fines that only amounted to a few hundred thousand euros).
California passed a similar law earlier this year, modeled after the EU legislation, requiring companies that store large amounts of personal information to be more transparent about the type of data they collect and to let consumers easily opt out of letting their data be sold. The law, however, does not go into effect until 2020, so the tech industry has a window in which to address any grievances it has with the policy.
The major industry players are in broad agreement on a number of key data privacy issues. Both the U.S. Chamber of Commerce and the Internet Association, a group representing 40 major internet and technology firms including Netflix Inc, Facebook Inc, Amazon.com Inc, and Alphabet Inc, have released recommendations in favor of a national, economy-wide approach to regulation that preempts state laws. Both groups also support national data breach notification rules (similar to yet not as stringent as GDPR) as well as a flexible regulatory framework that applies across industry sectors and is able to adapt to the rapid pace of technological change.
Big tech’s desire for national-level data privacy regulations was underscored Wednesday in a hearing before the Senate Committee on Commerce, Science, and Transportation where representatives from Apple, Amazon, Twitter, Google, Charter Communications and AT&T made remarks in favor of federal laws. They offered few specific proposals or criticisms, just this one caveat: they don’t want consumer data privacy laws to completely copy California and the EU. In their view, too many restrictions on data collection and usage would make for a worse user experience.
The European law is “overly prescriptive and burdensome,” said Len Cali, senior vice president of global public policy for AT&T. “We’re urging for comprehensive federal law that looks at both these laws and learns from them, but does better than them.”
There’s a simple reason that these big tech companies, some of which have a history of being averse to regulations, are suddenly pushing for federal legislation governing how they do business.
“Facebook and a lot of the telecommunications companies don’t like the idea of being governed by California,” said Franklin Foer, a staff writer for The Atlantic, in an interview on the Federalist Radio Hour. “Once you have one jurisdiction with a standard, the one who has the most aggressive standard becomes the standard that you de facto have to follow, because you’re not going to set up Facebook differently in one state than all the others. And so what they’re racing to do right now is to write their own privacy regulations.”
Players and experts weigh in
At this point, one thing is certain: new laws are coming. As the Senate’s Commerce, Science, and Transportation committee chairman John Thune, R-S.D., remarked in his opening statement Wednesday, “the question is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take.”
For the broader public, now is the time to weigh in. The National Telecommunications and Information Administration, a branch under the Commerce Department, has issued a month-long public Request for Comments “on ways to advance consumer privacy while protecting prosperity and innovation.” Specifically, the feedback requested by the NTIA is for a list of seven broad policy proposals that focus “on the desired outcomes of organizational practices, rather than dictating what those practices should be.”
The administration’s approach is informed by GDPR but seeks to give companies room to innovate within the rules. Its goals can be divided into those focused on organizations and those focused on users. Organizations should be transparent, reasonably minimize the data they collect, employ security safeguards, take steps to manage risk, and be held accountable for the use of personal data they collect. Users, meanwhile, should be able to control the information they provide and be able to access and correct the information they provide.
“To put it simply, our outcomes share the same goals as the GDPR principles, but our approach is different,” Diane Rinaldo, Deputy Administrator of NTIA, who led the request for comment process, told CBS News. “Given the many different business models across the economy, we are seeking flexibility and a risk-based system.”
Already the lines of debate have been drawn against and in favor of adopting a policy similar to GDPR. Ryan Radian and Ryan Khurana of the Competitive Enterprise Institute, a nonprofit public policy organization, warn of “greater market concentration, as small firms and startups will find it difficult to comply with the increased regulatory cost burden” of GDPR rules. Radian and Khurana identify three unintended consequences of GDPR that they say U.S. lawmakers should take care to avoid when crafting a policy of our own: economic impact (namely, compliance costs), the establishment of mutually contradictory “digital rights” and goals (such as the “right to be forgotten”), and obstruction of innovation.
On a different note, the Electronic Frontier Foundation in a statement last April stressed the urgency for reforms in the wake of failures by Facebook, Grindr, and Under Armour to protect user privacy, stating that any “responsible social media company must ensure users’ privacy rights on its platform and make those rights enforceable.” These principles include upholding the right to informed decision-making, the right to control, the right to leave, the right to notice, and the right of redress. EFF suggests that we should start to enforce these rights with the tools our regulatory system already has, such as the Federal Trade Commission’s recent moves to challenge sloppy or fraudulent data practices among U.S. companies.
Nathan White, Senior Legislative Manager at digital rights organization Access Now, sounded a similar note after Wednesday’s Senate hearing.
“Congress should start with an examination of human rights and how to protect them,” he said in a statement, urging lawmakers to “examine the problem from the perspective of those who are at risk of harm: the users.”
Foer is wary of letting big tech companies essentially write the laws that will regulate them not only because of the implications for data privacy, but because of what it could mean for competitors in the digital space in which those companies dominate.
“If Facebook writes (national data privacy laws), it could very easily script them in a way that is burdensome to potential challengers,” Foer said.
As the debate takes shape in Congress, Thune promised additional hearings on the subject for input from consumer advocacy groups and academics who have studied the issue.
The road to passage
No matter what the Trump administration comes up with in terms of specific policy proposals, the path to passing a package of national regulations will be fraught with difficulty, especially if one or both chambers of Congress shift party control in the coming midterm elections.
“Privacy legislation has been arduous to enact at the federal level and preemption of state laws has been a particularly contentious issue for lawmakers on both sides of the aisle,” said James Shreve, privacy counsel at Buckley Sandler in Chicago, in an email to Bloomberg Law. Both CEI and EFF acknowledge the danger of unintended effects on speech and innovation should policies prove too stifling or poorly targeted.
In Congress, the stage is set for a battle. On the left, Democrats in the Senate are ready to push for a more aggressive bill that doesn’t pull any punches from California’s progressive privacy law, while Republicans have expressed concerns about such a drastic regulatory overhaul harming “innovative and entrepreneurial businesses.” With 60 votes required for any sort of bill to pass in the Senate, both sides will likely have to make certain concessions.
“Developing regulatory policy is necessarily an exercise in balancing values that are difficult to compare, and no regulatory scheme can be all things to all people,” said Alan Raul and Christopher Fonzone in an analysis of the Trump administration’s proposals in Law360. They see a big opportunity in what such data privacy laws might achieve.
“Successfully implemented, the administration’s approach could reverse the trend toward ‘prescriptive’ privacy regulation embodied in (GDPR and the California Consumer Privacy Act of 2018)… and potentially spur greater domestic and even global regulatory harmony around a flexible and risk-based approach,” Raul and Fonzone said.
As lawmakers and advocates weigh the political stakes at play with this issue, it’s worth asking what consumers themselves actually want in terms of data privacy. Even though consumers were bombarded with privacy notifications with the implementation of GDPR last June, a poll from the Advertising Research Foundation (ARF) around that time found that they are mostly willing to share general pieces of personal information like gender (95 percent), race or ethnicity (91 percent) and even sexual orientation (82 percent). Consumers are much less willing, however, to share more specific personal information like home addresses (43 percent) and work addresses (33 percent), any form of phone number (34 percent will share home landline and 35 percent will share mobile number), financial information (22 percent), or medical information (29 percent). Clearly, there seems to be at least a general desire from most people to protect their personal information.
What isn’t clear is most consumers’ understanding of how their personal data is collected and used — even with help from GDPR’s mandated notifications. Many of the key terms used in privacy statements like “first and third-party data,” “pixel tags,” “application data caches,” and “server logs” are not well understood, according to the ARF poll. Moreover, the survey found that most consumers don’t even read privacy disclosures, because they get in the way of actually using the website, service, or app in question. In other words, people care about what organizations have their personal data and how it is used, but there is still a big communication and knowledge gap between them and the tech companies that collect and use their information.
“The survey underscores the need to take a step back and understand and care about how consumers feel about the retention and use of their personal and behavioral data,” wrote Scott MacDonald in a summary of the ARF poll. “We need to begin by addressing people in the U.S., not just as ‘consumers,’ but as individuals whose data is a privilege for us to access, not a right.”
With Americans spending increasingly more time online and on more devices, the stakes are high. In addressing data privacy, the administration has an opportunity to dramatically shape how the right to privacy is understood in the digital age — not just in the U.S., but around the globe.
Andrew Collins cut his teeth in politics as a congressional campaign staffer during the 2012 election. Since then he has worked in Washington, D.C. as the digital media manager and as a staff writer at the Franklin Center for Government & Public Integrity, and is a recent graduate of the Trinity Fellows Academy (class of ’17). His work has appeared in Politico, US News & World Report, The Chicago Tribune, The Daily Caller, and The Hill. He lives in Seattle, WA.