By: Thomas Daly
One of the most concerning issues of the century implicates an area of law that has no comprehensive federal regulatory scheme. Cautionary tales of juggernaut data brokers have surfaced throughout popular film and television for decades, depicting everything from governments with far too much information about their citizens to private companies developing breakthrough technology based on massive samples of human behavior. While most people rationalize that they are just a “drop in the bucket” and of no particular interest as an individual, many are raising concerns about what information is being collected from them, how it is used, and who gets to see it. From the various forms of internet cookies to automotive event data recorders in collisions, personal credit information, facial recognition, and health-related data, various types of information people inadvertently put out in the world make some firms a lot of money. With abundant legal loopholes concerning the sale and distribution of aggregate data, third-party entities are able to purchase data from cellphone carriers and internet providers and then turn around and sell this information to government bodies, research firms, and anything in between.
While the United States has several sector-specific and medium-specific laws and regulations tailored to telecommunications, health information, credit information, and marketing, there is no comprehensive federal law that governs data privacy.[1] The Federal Trade Commission Act (“FTC Act”), the Children’s Online Privacy Protection Act (“COPPA”), the Health Insurance Portability and Accounting Act (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), and the Fair Credit Reporting Act (“FCRA”) all regulate the collection of information and impose standards for collection notification, data security, privacy policies, and information sharing for various industries and sectors.[2] At the state level, California leads the legislation race with the California Consumer Privacy Act (“CCPA”) passed in 2018, and the California Privacy Rights Act (“CPRA”) recently approved in late 2020 as Proposition 24.[3] These two bodies of law place cross-sector regulations on data privacy, introduce important definitions, grant broad consumer rights, and impose legal duties on entities that collect data.[4] The CPRA introduced rights of certification (right to correct inaccurate personal information) and rights to restriction (right to limit the use and disclosure of personal information), expanded data breach liability, limited the time companies can retain personal information on consumers, and imposed stricter third-party security standards.[5] The CPRA will grant a state agency the power to fine transgressors, hold hearings about violations, and clarify privacy guidelines beginning in July of 2023.[6]
Colorado implemented the Colorado Privacy Act (“CPA”) in June of 2020, which granted residents rights over their information and placed obligations on data firms doing certain levels of business in the state or with its residents.[7] The Virginia Consumer Data Protection Act (“CDPA”) was passed in March of 2021, and mirrors the CCPA in certain ways by granting a state agency powers to set data privacy standards and enforce them.[8]
As of September 1, 2021, there are active data privacy bills in committee in Massachusetts, New York, North Carolina, Minnesota, and Pennsylvania, and one data privacy bill introduced on the floor of the Ohio State Senate.[9] In 2021, data privacy bills have failed at various legislative stages in Alabama, Alaska, Arizona, Connecticut, Florida, Illinois, Kentucky, Maryland, Mississippi, North Dakota, Texas, Utah, Washington, and West Virginia.[10] Of particular note is a federal bill introduced April 21, 2021, by Senator Ron Wyden (D-OR) titled S. 1265 – Fourth Amendment Is Not For Sale Act.[11] The bill proposes requiring court orders to compel data from third parties, regulates law enforcement agencies' purchases of data on U.S. citizens, closes loopholes in current sector-specific and medium-specific laws that permit intelligence agencies to acquire data on U.S. citizens’ international communications, and takes away the Attorney General’s power to grant civil immunity to data providers for surveillance assistance.[12]
With all of this legislative activity, and plenty of international examples of country-wide privacy regulation, it is a wonder that the United States has not implemented a broad federal statutory scheme. While data privacy issues can be specific to states in a way that might call for individualized regulation similar to American criminal law, there are too many common areas of concern not to warrant, at the very least, a data privacy equivalent of the Model Penal Code.
[1] Angelique Carson, Data privacy laws: What you need to know in 2021 (Sept. 4, 2021, 9:30 AM), https://www.osano.com/articles/data-privacy-laws.
[2] Id.
[3] Id.
[4] Id.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Sarah Pippy, US State Privacy Legislation Tracker, International Association of Privacy Professionals (Sept. 1, 2021, 10:11 AM), https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.
[10] Id.
[11] Press Release, Office of Ron Wyden, United States Senator for Oregon, Wyden, Paul and Bipartisan Members of Congress Introduce The Fourth Amendment Is Not For Sale Act (Apr. 21, 2021) (on file with author).
[12] Id.