It's Not Too Late to Pass a National Privacy Law (OK, It Kind of Is)

Rep. Suzan DelBene, D-Wash., speaks in the House of Representatives at the Capitol in Washington, Wednesday, Dec. 18, 2019.
Photo: House Television (AP)

The federal government cares little about what happens to your most sensitive data. Its main focus today is stopping espionage and prosecuting computer criminals who pose a threat to itself or corporations and banks. Little energy is spent holding those same institutions accountable when malpractice and greed produce the same outcomes: millions of people threatened, once again, with identity theft, blackmail, and fraud.

Congress had a chance to take action after Equifax, one of America’s largest holders of personal information, left 147 million people hanging out to dry. Its only response was to legislate free credit freezes for victims of future breaches and drag Equifax executives on TV to shame them. Being grilled before Congress may yet be a form of deterrence for naughty executives—but it is a spectacle that, more often than not, benefits politicians more than the American people. In the face of flagrant incompetence, such inaction remains an embarrassing mark against the U.S. on the global stage. The U.S., in contrast to many of its European allies, seems at best uninterested in the digital rights of its citizens.

Only a handful of federal lawmakers have been consistent in trying to undo that.

This week, the 117th Congress received the latest in a litany of data privacy bills introduced since the Equifax breach, all others having been cast aside so far. Admittedly, “The Information Transparency and Personal Data Control Act,” introduced by Congresswoman Suzan DelBene, offers a more attenuated approach to liability than one proposed by her more hawkish Democratic colleagues. Considerable expectations are placed on the Federal Trade Commission, which the bill would see beefed up, and the motivations of state law enforcement officials. Yet this is also matched by some of the strongest language possible on the individual’s right to privacy online.

The bill, for instance, aims to codify into law certain “rights” of individuals when it comes to the “controllers and processors” of their personal data; to shield them from “unlawful and deceptive acts” by those who profit from its collection, sale, and disclosure. “This is an issue of civil rights and civil liberties and human rights,” DelBene said Wednesday by phone. “And right now we have no U.S. policy to protect our most sensitive personal information.”

Individuals have a right, the bill says, to:

  • exercise control over the personal data companies collect from them and how they use it;
  • easily understandable and accessible information about privacy and security practices;
  • expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data;
  • secure and responsible handling of sensitive personal information;
  • access and correct personal data in usable formats, in a manner that is appropriate to [the] sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate;
  • reasonable limits on the personal data that companies collect and retain.

Importantly, the bill also states that users must provide “affirmative, express consent” before a company collects, sells, shares, or discloses their personal information. This includes, among other commonly listed items, immigration and citizen status; sexual orientation and gender identity; and mental and physical health diagnoses.

Inevitably, DelBene’s bill is narrower in scope than another bill introduced with a similar purpose by Sen. Ron Wyden in 2019. Like DelBene’s bill, Wyden’s “Mind Your Own Business Act” sought to expand the FTC’s ranks and granted state law enforcement the authority to act when the feds would not. But the MYOBA also empowered the FTC to issue violators steep fines without first negotiating consent decrees—an agreement with a company that it will abide by certain practices thereafter or, and only then, face fines—a limitation imposed under Section 5 of the FTC Act. Under MYOB, senior executives who knowingly lie to the agency could face 10- to 20-year prison sentences. Executives, Wyden said of the bill, “need to be held personally responsible when they lie about protecting our personal information.”

Another MYOB provision would have seen the U.S. nationalize the very act of “opting out,” empowering the FTC to run a federal “Do Not Track” system that would facilitate orders from consumers who, among other things, no longer wish for companies to monitor their browsing habits just to feed them targeted ads.

But like many of Wyden’s efforts on privacy and security issues, while earnest—and perhaps even imperative—MYOB merely sets the high bar. The Information Transparency and Personal Data Control Act is itself chock full of otherwise necessary reforms: biennial privacy audits conducted by “qualified, objective, independent” third parties; extending the definition of “sensitive personal information” to include citizenship status, gender identity, and religious beliefs; and bolstering the FTC with a small army of technology experts.

“Right now, Americans are concerned about their data,” DelBene said. “They want more control of how their data is being used. They’re concerned data is being gathered that they have no awareness of on a regular basis. And so consumers want to know what their rights are and want to see policy here.”

Likely to stir debate is DelBene’s move to preempt state authority, meaning that even more stringent policies passed by state legislatures could fall by the wayside. “The thing that people get hung up on is private right of action,” Nick Martin, DelBene’s communications director, said.

Under the California Privacy Rights Act, for example, consumers harmed in a data breach can seek statutory damages ($100 to $750 per consumer per incident or actual damages, whichever is greater) for certain categories of sensitive information, including login credentials, thanks to a proposition passed in November. But California is so far the only state to allow such suits. Virginia’s newly passed Consumer Data Protection Act, for example, includes no right of action.

The absence of a right-of-action provision in DelBene’s bill, Martin says, stems from the lawmaker’s concerns over striking a balance between holding wealthy tech giants accountable and not penalizing their smaller competitors out of business. “We think that giving the FTC strong rulemaking authority and beefing up their staffing and capacity, along with allowing state [attorneys general] to play a role if the FTC doesn’t, creates a strong enforcement environment, without also compromising [small businesses],” he said.

Not all privacy violations meet the definition of “data breach” under the patchwork of existing laws that include one. Corporate carelessness manifests in many forms: Bloomberg on Wednesday broke news about a California-based security camera startup that gave more than 100 employees access to private feeds of thousands of its customers, including schools. Since 2019, Motherboard has repeatedly exposed major telecoms selling their own customers’ location data to middlemen who eventually peddled it to bounty hunters and law enforcement officials without a warrant. While the pandemic last year was forcing children into virtual classrooms, Zoom was data-mining its users’ personal information without bothering to ask their permission. And mismanaged servers have allowed Gizmodo in the past year alone to track the whereabouts of Ring doorbell owners and Parler’s social media users.

Without a comprehensive national law protecting sensitive data from daily mismanagement by unscrupulous firms, internet users in the U.S. will continue to take their identities, bank accounts, and futures into their own hands each and every time they log on.

Senior Reporter, Privacy & Security
