Uncle Sam is Leaving Data Privacy to the States
Just over one year ago, in August 2018, a news story appeared under the headline...
“The United States finally starts to talk about data privacy legislation”
Despite the US Commerce Secretary's condemnation of Europe's GDPR in May, there are signs that federal and state governments are starting to take data privacy seriously.
It seems that's exactly what they did ....TALK about it!
Fifteen months after its enactment, the influence of the European Union's General Data Protection Regulation (GDPR) has traveled far and wide.
The results has been an astonishing 281,000 data breaches and more than €50 million in fines, imposed on some of the world’s largest tech corporations over the misuse of people's personal data. The legislation has truly drawn a line in the sand in terms of what companies can and cannot get away with, regarding sensitive user data.
But, while the GDPR has mostly clarified the ambiguous rules concerning personal information in European states, the U.S. has yet to catch up.
U.S. data privacy laws vary greatly from one state to another, instead of unity of standards from country to country. And, as California and New York take their places on the starting line for consumer legislation, there is a risk that differing rules could end in a weaker federal privacy law - if indeed, federal legislation ever arrives.
Without a federal consumer privacy law, state rules could become privacy that is confusing and difficult to to comply with.
In First Place: California
With no forward-movement on the part of Congress, individual states will have to take full responsibility for consumer privacy protection, with California being the first state to make a stand.
The California Consumer Privacy Act (CCPA) will become active on January 1, 2020, giving California residents control over their personal information.
As reported by Wired, the sweeping law gives Californian residents the ability to request the data that businesses collect on them, demand that it be deleted and opt out of having that data sold to third parties. Tech companies are clearly worried about the changes and have lobbied hard for their watering down, with legislative bodies, backed by major tech bodies, advancing a series of changes in April that would offer exemptions for certain categories of businesses.
The law will ultimately result in strict control of consumer data use from corporate entities, as well as major fines for tech companies that do not comply. Fines will total $7,500 per violation and $750 for each record compromised — which could add up to a considerable sum for smaller business. Major corporations have already begun to prepare for the incoming rules, but smaller online businesses could be hit hard if they are not ready when the laws come into effect.
In Second Place: A Tough Approach by New York
The Californian overhaul has been praised by privacy advocates for its hard-line stance on the issue though the law has since been overshadowed by the even tougher stance made by the state of New York. The New York Privacy Act entered the state senate last month and, if approved, would grant the strictest controls over personal data in the U.S.
This bill shares similarities with the Californian law in that the user can better understand who holds what data and request that any such information be deleted or corrected. However, the East Coast approach would give New Yorker’s the right to sue companies directly over privacy violations. On the West Coast, this element of law enforcement is left to the state’s office and only applies to businesses that gross more than $25 million annually. New York’s act would allow for personal litigation against any company of any size - something that could hold major repercussions for those who do not play by the rules.
Perhaps unsurprisingly, privacy proponents have praised the bill, while tech representatives have all but trashed it. A director for the Internet Association, which represents the likes of Facebook, Google, Amazon and Microsoft, has called the act “unworkable” and questioned whether the legislation actually provides “meaningful control” over personal data.
The reactions mirror those of the Californian law rollout, and one can only predict that similar battles on either side of the debate will continue to play out, while there remains no formal federal position. It begs the question, where is privacy protection headed on a national scale?
Since the federal government currently has no position on privacy protections, it seems that state-by-state legislature will continue to be the way forward for the time being.
Maine and Nevada already have consumer privacy protections signed into law. While both pale in comparison to the protections presented by California and New York, they are a start. The citizens of Maine, under the Act to Protect the Privacy of Online Consumer Information, are protected from broadband providers using, selling, distributing or permitting access to customer personal information for purposes other than providing services.
Meanwhile, Nevada’s Senate Bill 220 amends the state’s existing law to require websites and online services to post privacy notices to users regarding access to their information.
Other states seem to be following similar paths - though none are as strong as the protections put forward by California or New York. Maryland’s Online Consumer Protection Act, if passed, would force companies to demand access to user data and disclose when user data is being collected and what user data is being sold.
Texas has decided to revise its provisions relating to security breaches by creating the Texas Privacy Protection Advisory Council. North Dakota, similarly, has chosen to provide a legislative management study of consumer personal data disclosures.
Problems with a State-by-State Approach
There are three essential problems with a state-by-state approach to consumer privacy.
Differing governmental battlegrounds make for higher susceptibility to corporate lobbying. Lobby groups have already played a big part in the legislature push in California and New York, so one can only imagine smaller, less affluent states being prime targets for big tech lobbyists.
A patchwork of protections legislated at the state level makes for an uneven and confusing legal environment. Different rules in Nebraska from Idaho could translate into privacy that is complex and onerous for any company. Again, this would be to the detriment of smaller companies without the resources nor legalese to operate across differing privacy expectations.
The right to privacy is fundamental for many. Protecting privacy on state lines will only make for uneven rules that are more difficult to enforce. Further, they will simply be more difficult to understand for both consumers and companies. As evidenced by the GDPR, one rule for one region works.
Need for Federal Oversight
The U.S. needs federal oversight on something as important as citizen digital privacy to ensure one standard for many - competing data laws will only result in weaker laws across the board.
This is an issue that will only grow in importance as internet-of-things devices continue to take over our homes and our lives in the coming years. These devices, which often use susceptible connections between the server and receiver, have the potential to reveal sensitive details of unsuspecting users.
This should be especially concerning when many of these devices have the ability to collect countless data points through microphones, cameras and sensors.
California and New York have created two sets of laws, which, by and large, do protect user privacy. In the absence of federal oversight, both states have acted to ensure the rights of their respective citizens. However, this does not detract from the need for federal action on this issue. Fifty different approaches to privacy will not improve upon one strong, national standard - the future of the nation’s citizens depends on it.