Is it Time for New U.S. Data Privacy Laws?
“If you’re not paying for the product, you are the product.” While this phrase actually pre-dates the internet, it has taken on a new significance in the age of Facebook. In the wake of massive data breaches and scandals, consumers are discovering that the online platforms that they use have amassed a tremendous amount of data on them, and are wondering if new data privacy laws are needed.
Most consumers have learned to accept the hyper-personalized ads that are ubiquitous on social media. The data used to serve you those ads, though, can also be used for more nefarious purposes. In many cases, consumers do not know who is accessing their data until months or years later.
An increasing number of policymakers across the U.S. have concluded that the status quo is unsustainable – and more surprisingly, so have many technology executives such as Facebook’s Mark Zuckerberg. There is not yet a consensus, though, about what a new data privacy regime should look like.
This article will explain the various legislative proposals that have been made on the federal level, as well as several recent state laws that may (or may not) serve as models. We will also look at the European model of data regulation as enacted in last year’s General Data Protection Regulation (“GDPR”), and analyze the likelihood of the U.S. ever adopting this approach. Finally, we will discuss practical steps you can take right now to protect your own data.
Recent Data Breaches and Privacy Concerns
When you use online services like Facebook, Google, and Netflix, their Terms of Service give the companies the authority to collect data on you – with “data” including both your personal information as well as your activities on (and sometimes off) the platform. Of course, few if any consumers bother to read the lengthy Terms of Service agreements. Frankly, it wouldn’t make much of a difference if you did, since they are contracts of adhesion – if you want to use the online platform, you have no option but to agree to the Terms of Service. As one senator told Mark Zuckerberg during a congressional hearing last year: “Your user agreement sucks. The purpose of that user agreement is to cover Facebook’s rear end. It’s not to inform your users of their rights.”
So what’s wrong with these companies collecting data on you? Undeniably, there are some positives to this mass data collection. Most consumers have no problem with Netflix making recommendations to them based on their viewing history. The problem, though, is that this data often does not stay in the hands of the companies. News stories about data privacy breaches have become commonplace, from the Equifax breach in 2017 to the Facebook security breach last September. In some cases, these attacks are perpetrated by cybercriminals who are simply seeking to cash in, while others may be carried out by hostile nation-states for spying purposes.
The overarching problem, however, is not these individual data breaches (which are already criminal acts), but what the online platforms already have full permission to do with your data. Nothing illustrates this better than the Facebook Cambridge Analytica data scandal. The scandal, which broke slightly over a year ago, has changed the way Americans think about data security.
To briefly summarize, Cambridge Analytica was a political consulting firm that was hired to work on the Donald Trump presidential campaign in 2016. In 2014, the firm created a personality survey, ostensibly for academic use, that several hundred thousand Facebook users completed. The survey also required the users to download a Facebook app called “This is Your Digital Life.” Unbeknownst to the users, the app allowed Cambridge Analytica to collect the personal information of not only the survey-takers, but all of their Facebook friends. Through this method, Cambridge Analytica was able to harvest personal data on over 50 million Facebook users, which it allegedly used to create “psychographic profiles” of voters in advance of the 2016 election. By Facebook’s own admission, it learned of the data breach in 2015, but never bothered to alert users until news outlets first reported on it in March 2018.
Many Americans were troubled by a pro-Trump political firm collecting data on them without their consent, but the issue goes deeper than partisan politics. At the time, Facebook allowed applications to scrape data from the profiles of users’ Facebook friends without those friends’ knowledge (it has since banned this practice). Of course, few if any users were aware that this was allowed, since nobody bothers to read the Terms of Service. Since the reports of this scandal, consumers have been left wondering what else Facebook – and other tech companies – have permission to do with their data.
Proposals for a Federal Data Privacy Law
It may surprise consumers to know that there is currently no comprehensive internet privacy law on the federal level. The tech industry in the U.S. has historically been lightly regulated. While its advocates argue that this lack of regulation has enabled the American technology sector to become the world’s largest, a consensus appears to be forming that a new digital privacy framework is needed. Even Facebook’s Mark Zuckerberg called for “a more active role for governments and regulators” in a Washington Post op-ed several weeks ago. Apple and Google have issued similar calls for overarching data privacy legislation in recent months. A cynic might point out that those corporate behemoths are in a much better position to deal with new data privacy regulations than small startups and potential competitors, but if nothing else, this shows which way the wind is blowing.
Indeed, support for new personal data safeguards might be the only bipartisan issue in Washington in 2019. Several potential pieces of legislation are pending in Congress. In January, Senators Amy Klobuchar and John Kennedy introduced a Social Media Privacy and Consumer Rights Act. The bill would require online platforms to inform users how their data is being used, and would allow users to specify privacy preferences and opt out of certain types of data tracking. Sen. Marco Rubio has introduced his own online privacy legislation, the American Data Dissemination Act, which would require the Federal Trade Commission to provide Congress with recommendations for new privacy regulations. The regulations would automatically go into effect after two years unless Congress passes its own privacy legislation within that time.
While there is genuine concern in Washington about the data privacy of Americans, it would be inaccurate to suggest that the legislative action there is occurring in a vacuum. Several states have already introduced or passed their own privacy laws, forcing the hand of federal lawmakers.
Most notably, California enacted its own California Data Privacy Protection Act in June 2018. While the law does not go into effect until 2020, it has already shifted the terms of the debate on consumer data privacy, given the sheer size of California and its role as the home of Silicon Valley. The Act gives California residents: (a) the right to know what personal information a platform is collecting on them; (b) the right to “opt out” of having their data sold to third parties; (c) the right to ask platforms to delete their personal information (with some exceptions); and (d) the right to receive “equal service and pricing” even if they exercise any of these rights.
Obviously, this law is much more stringent than current U.S. law when it comes to protecting consumer data. It is equally clear that the California law – and efforts to pass similar laws in other states – are motivating large tech companies such as Facebook and Google to call for a federal privacy law. Given the open nature of the internet, it would admittedly be difficult to ask companies to comply with a patchwork of disparate laws in each state. Federal legislation would likely be less consumer-friendly than the California law, and would presumably preempt the state laws. Sen. Rubio’s proposed legislation, in particular, has been criticized by consumer groups as being extremely industry-friendly. Keep this in mind when you see tech executives suddenly touting the need for federal digital privacy legislation.
Europe’s GDPR – a Model for the U.S.?
Essentially, the goal of the GDPR is to give citizens of EU countries more control of their data and to protect them from data breaches. The GDPR requires “informed consent” from users before companies can process their data, and gives consumers the right to access their personal data and to have it returned (or transmitted to another company). It also gives EU citizens the “right to be forgotten” – that is, the right to have their personal data deleted (in some cases) upon request. In a feature that American consumers would probably welcome, it requires companies operating in the EU to inform users when their data has been hacked.
Many tech industry leaders initially criticized the GDPR as a classic case of European overregulation. Indeed, the “right to be forgotten” is a concept that has not yet been accepted in the U.S., as anyone who has tried to get negative content about them removed from Google search results can attest. So nearly a year after the GDPR took effect, what have the results been? It depends on who you ask. Proponents of European privacy laws argue that the GDPR has given companies an opportunity “to put their house in order when it comes to the data they hold…build trust with their customers and offer innovative, more privacy-friendly services.” More skeptical observers claim that it has been successful in notifying consumers about breaches, but “largely a failure when it comes to imposing fines on companies that fail to adequately protect their customers’ data.”
While large tech companies appear to have adjusted to the new European data protection laws, don’t expect an American federal data protection law to simply copy the GDPR. The GDPR was imposed on companies in a top-down manner by the European Commission, while tech lobbyists are already closely involved in legislative efforts in Washington. Depending on your perspective, this may mean either that U.S. privacy rules give tech companies much-needed flexibility, or that they will lack teeth and fail to protect consumers. Stay tuned.
What Can You Do Now to Protect Your Data?
Although some type of data legislation will likely pass Congress at some point, congressional gridlock means that nothing should be taken for granted. Even if passed, any new rules would likely not take effect for some time. So what can you do to protect your data right now?
The default privacy settings for the largest online platforms presume that you would love nothing more than to share all your data with them. For example, if you own an Android smartphone, Google’s activity controls automatically track everywhere you go if you have Location History turned on. Do you use Facebook? If you do, be aware that anyone can see your friends list and the pages you follow unless you adjust the privacy settings. Describing all the tweaks you would need to make to your online profiles to protect your data would take a whole other article. This primer from the Washington Post, though, is a good place to start. It includes step-by-step instructions for adjusting your privacy settings for Facebook, Google, Amazon, Microsoft, and Apple.
Also consider activating two-factor authentication on sites that offer it. When you enter your password on a site with two-factor authentication, you will receive a separate one-time code via email or text, which you must also enter to access the site. It’s another layer of protection that can be particularly important for sensitive information such as online banking.
With a presidential primary campaign already in full swing, it is apparent that the issue of data privacy is not going away. Indeed, one reason tech companies are scrambling to support privacy legislation is to head off more radical proposals, such as Sen. Elizabeth Warren’s call to break up Facebook, Amazon and Google. Regardless of what transpires in Washington, consumers are starting to realize how valuable their data is – and how worrisome it would be to have their data fall into the wrong hands.