Three Big Battlegrounds in the Coming War Over National Privacy Legislation

Washington is abuzz about the need for national privacy legislation. In the wake of the Facebook Cambridge Analytica scandal, even typically anti-regulation Republicans are calling for federal privacy legislation. The calculus has also shifted for some industry representatives who have concluded that federal legislation may actually be better for companies than states passing their own laws, which California has already done. There is still a major battle in the works, however, over what such legislation looks like and how meaningful it is. 

Numerous industry groups have issued “statements of principles” in the hopes of shaping the conversation over what the privacy law should look like. Many of these statements are lacking in key areas, however — and even with their positive elements, the devil will be in the details on whether they meaningfully empower individuals or end up being no more than broad, bland, and loophole-filled platitudes. 

Overall there is growing consensus that a bill must at a minimum:

  • Require transparency so that consumers know how their information is being collected, used, shared, and stored
  • Mandate measures allowing consumers flexibility to move data between services
  • Require notice and consent to use and share personal information (though the definition of personal information and what consent requires may be a point of contention)
  • Notify consumers and regulators when there has been a data breach
  • Ensure that companies adopt reasonable cybersecurity measures to protect against hacking and other breaches.

Despite this common ground, however, there are other fundamental issues where consumer privacy groups and some industry players will likely clash. Those battles will include these three issues:

Pre-emption of state protections

As Sen. Brian Schatz (D-Hawaii) aptly noted in a recent hearing, we would likely not even be having a debate about a federal privacy law but for a data privacy law recently passed in California. Despite successful industry efforts to water the California bill down before passage, it does give consumers rights to know what information companies collect about them, and consumers can opt out of companies selling their information. Industry is opposed to some of the law’s protections, and it’s afraid other states will follow California’s example or pass even stronger laws.

More state privacy laws could be good for consumers — for one thing, companies often find it easiest to apply the strongest law everywhere. After all, it’s not easy to explain to a consumer in South Dakota why they should have fewer privacy rights than a Californian.

That’s why some representatives of the tech industry are pushing for a federal law that preempts state law — effectively gutting states’ ability to pass laws to protect consumers. A preemption proposal could sweep broadly, foreclosing states from passing new consumer protections, limiting enforcement by state agencies and attorneys general, and invalidating a host of existing protections for sensitive information like Social Security numbers, student data, and more.

This would be a major change. The existing framework explicitly allows states to protect consumers and take action to prevent fraud, even though the Federal Trade Commission is also tasked with this. Other laws, including the Telecom Act, allow states to put in place additional protections for consumers, provided they do not interfere with federal legislation.

In these cases and others, federal law sets a floor — not a ceiling — for consumer rights. Particularly given the rapid pace of technological innovation, we should be wary of a federal law that locks in place limited nationwide standards that will soon be obsolete and blocks any innovation by the states, which are often more adept at responding to new challenges.  

Enforcement

Regulations mean little without robust enforcement, which some companies view with trepidation. As a result, much of the coming debate will likely revolve around how privacy standards will be enforced.

Europe has set a powerful example of what enforcement powers can look like. Under its recently enacted privacy regulations, violating companies can be fined up to 4 percent of their global annual revenue — a powerful incentive for companies to take the regulations seriously. In contrast, the Federal Trade Commission’s fines are often minuscule compared to the profits of large companies. In addition, the commission is poorly resourced to effectively police industry. The FTC employs only about 1,100 people, with fewer than 100 attorneys focused specifically on privacy and enforcement. To put this in perspective, Facebook alone employs over 30,000 people and Alphabet, Google’s parent company, has over 89,000 employees.

These factors may be part of the reason that the FTC has not always been the most effective privacy watchdog. Take the breach involving the data broker Equifax, for example. The information of over 140 million consumers was exposed due to what some members of Congress referred to as “malfeasance” on the part of the company. One year later, the company is on track to post record profits, and consumers have not been compensated for the cost of credit freezes the breach made necessary.

State governments and private citizens have often been critical in filling the federal government’s enforcement void. For example, the Massachusetts attorney general is currently suing Equifax seeking damages, and private citizens have filed numerous lawsuits seeking to recover damages from the company.

The Equifax breach highlights some of the elements that are necessary to ensure strong enforcement. First of all, the FTC needs more resources, the ability to promptly levy meaningful penalties for privacy violations, and expanded rulemaking authority. Additionally, state attorneys general and agencies must be permitted to investigate and enforce violations of any new federal rules, as well as continue other ongoing enforcement activities. Finally, consumers must have the ability to take companies to court when the rules are violated — an idea that is strongly opposed by many in industry.

What enforcement measures companies will get behind — if any — could be a contentious issue. 

Limits on use and retention of information

One of the central problems with the current privacy rules is that they rely on a regime of “notice and consent.” Under the current system, as long as a company informs you (often very vaguely) what it is doing somewhere in a 16-page fine-print click-through agreement, and you “agree” by clicking through that agreement, then the company has covered its bases. Based on the literally impossible legal fiction that consumers read and understand every such agreement, our current, deeply problematic ecosystem of widespread privacy invasions has been allowed to fester.

The reality is that many consumers can’t possibly understand how their data is being used and abused, and they don’t have meaningful control when forced to choose between agreeing to turn over their data or not using a particular service.

Europe’s solution to this quandary has been to put in place regulations that create a presumption that consent cannot be freely given if use of a service is premised on a consumer handing over data that is not necessary for that service. However, many in industry have opposed this measure, in part because imagining new uses for consumer data is how many companies plan to turn a profit. 

Any privacy legislation must tackle this problem in a meaningful way. Legislation must limit the purposes for which consumer data can be used, require purging of data within certain timeframes, and prevent coercive conditioning of services on waiving privacy rights.

Otherwise, we risk ending up in the same place we began — with consumers simply checking boxes to consent with no real understanding of or control over how their data will be used.


Anonymous

This issue is multi-faceted, as all U.S. Supreme Court cases are, this could also be a "Citizens United" clarification. Do "human-citizens" have greater privacy rights than "corporate-citizens"? In the case of privacy and warrantless domestic spying, the votes of human-citizens far outweigh the votes of corporate-citizens. Human-citizens also have legal responsibilities to follow laws. After 9/11 corporate-citizens were ordered, through punitive measures, by the U.S. Department of Justice, to violate the Federal Criminal Code including felony crimes (ex: Qwest Communications about 6 months before 9/11). Conservatives invented this crazy legal theory that also violates the 14th Amendment since it only requires human-citizens (us) to follow laws. This issue would be a great clarification of "Citizens United".

Anonymous

The time may be ripe for the U.S. Supreme Court to clarify Article VI of the United States Constitution. It's one of the clearest worded parts in The Constitution - it essentially mandates, by law, that all three levels of government and all three branches - local, state and federal - are required to follow the U.S. Constitution including the Bill of Rights. During the Jim Crow era, some local and state authorities violated Article VI, by violating the constitutional rights of African-Americans, Jewish-Americans and other minority groups. The federal government was on solid constitutional ground by having the DOJ and FBI "check & balance" some local and state governments. The flaw in the current interpretation, by the U.S. Supreme Court, is that the federal government doesn't have the authority to violate our rights either under Article VI but there is no effective check & balance. When J. Edgar Hoover subjected Martin Luther King, Jr. to unequal treatment, cruel & unusual punishment and denied him constitutional due process, under the illegal COINTELPRO tactics, there was no check & balance on the federal government when it violated Article VI and the 14th Amendment. Today the environment is far worse, after 2001 the federal government actually "deputized" local and state governments with "preemption grants". Each state now has "Fusion Centers" (blacklisting centers) that illegally violate Article VI. In other words, unlike the Jim Crow era, some parts of the federal government are not only complicit in violating constitutional rights but promote and fund it with our own tax dollars. Since COINTELPRO style blacklisting (non-confrontational covert tactics) robs Americans of legal standing, plaintiffs can't use the court system to check & balance this evil practice. An American without any criminal record, without charge, without trial and without guilty verdict can receive a life sentence of punishment by all three branches at all three levels of government.
We no longer have a justice system, we now have a Cold War era Stasi or secret police. The U.S. Supreme Court should make this a top priority to restore checks & balances when some federal officials sometimes violate Article VI.

Anonymous

There is a huge crisis that judges, prosecutors and ACLU should try to understand and focus on: "Non-Confrontational Blacklisting". This worst form of torture could unknowingly harm up to a million Americans and result in loss of income and even premature death without some of the targets knowing why. Most Americans are familiar with the somewhat OVERT forms of blacklisting like the Red Scare and McCarthyism but know nothing about the more lethal forms of COVERT blacklisting like Cointelpro. Some history: when Senator Joseph McCarthy was publicly humiliated by CBS journalist Edward R. Murrow (later allied with Dwight D. Eisenhower) for abuses of OVERT blacklisting, the U.S. Department of Justice, FBI and other federal agencies devolved into illegal COVERT blacklisting like Cointelpro used against Baptist ministers like Martin Luther King, Jr. For the most part these agencies were never held accountable. To the best of my knowledge, the only FBI agents to serve prison time were during the Fred Hampton assassination engineered by FBI agents. Essentially it was business as usual except this COVERT blacklisting is almost impossible to police by judges and prosecutors. It also obstructs justice by robbing targeted Americans of "legal standing" in court. The goal is not OVERT arrest or conviction, the goal is COVERT punishment for mostly legal 1st Amendment activity. What is so genuinely evil about this form of blacklisting is that many of the actual government participants are otherwise good people with good intentions but without sufficient leadership in their own agencies. They fear their supervisor and peer group more than their Oath of Office. Although some federal agencies are in the spotlight over this illegal practice, it many times originates with local police and local government then eventually (over years and decades) gravitates to the federal level. 
Generally speaking many local officials subscribe to a "guilty until proven innocent" and "guilt by association" mindset (contrary to America's model of government). Many local police officials - if placed under sodium pentothal - would tell you that they could find something illegal or embarrassing on anyone if they surveilled them 24/7 - anyone. The 14th Amendment makes this practice a federal crime but since prosecutors don't understand blacklisting there is virtually no enforcement. How this would work in 2018: a citizen of a small town may not belong to the right church or not attend church at all. A citizen's family or friend is under suspicion (guilt by association). One looks ethnically different. One might be dating a police officer's daughter. One might support a non-violent and legal group like "Black Lives Matter" or the "Tea Party". There could be dozens of reasons why a local police officer wants to fit illegal or embarrassing to you. "Psychology Today" has studied this issue for decades: once a person has been defamed (covertly) or placed under suspicion, it actually affects the "interpretation" of that person, including how police officers and prosecutors interpret a case. For example: most of us have driven through neighborhoods looking at real estate or have gotten lost driving or taken photographs of buildings, bridges, etc. Once covertly defamed and deemed suspicious by local police, an honest officer years later actually views that as "suspicious activity" - looking for real estate may be reported as "casing the neighborhood". Photographing the Golden Gate bridge on your honeymoon might place you on some type of watchlist. The well-meaning police officers may not have intended for that report to destroy a person's job, marriage or shorten their lifespan. Once on a suspicious list, the harm becomes worse over years and decades.
Since you are never confronted, you may not know why you are not allowed to get hired for certain jobs, why you were turned down for a certain security clearance or why you get harassed by police all of the time. You can't file a police report or internal affairs report because it is COVERT blacklisting - in some cases the perps actually are the police. This can result in premature death, probably far exceeding many overt causes of death. It's a huge problem without a paper trail. Some ways to resolve this crisis: judges, Congress and state legislatures could strip state "Fusion Centers" (blacklisting centers) of excessive secrecy - make them subject to most FOIA requests. If there are legitimate secrecy concerns, Fusion Centers could share that with their co-equal branches (courts and Congress) and not the general public. Fusion Centers should have strict oversight and have to report "Terrorism-Searches/Investigations VS. Terrorism-Convictions" to the Legislative and Judicial branches. Some state legislatures have essentially made Fusion Centers unaccountable to the voters. If a judge or prosecutor uncovers months, years, decades of COVERT blacklisting, the targets must be notified and in some cases official apologies (from judges and prosecutors) plus financial compensation. This form of blacklisting results in "Employment Tampering" and can destroy the job history of its targets. Many post 9/11 blacklistees have a hard time filling out a job application - they need this apology to apply for jobs. Although blacklisted Americans might be able to obtain an entry level job, they may not be able to advance or make more money in higher positions. In the computer age, one has to explain reasons for leaving jobs (some Bush era blacklistees left jobs due to assault & battery by interrogators) - these Americans need that official apology letter from judges and prosecutors.
Some police officers or federal agents that may have falsified reports are not likely to apologize to something that might place them in prison - judges and prosecutors need to do this. Once on a COVERT suspicious persons list, police and officials assume the authority to choose your occupation and to choose your friends and social circle, so they can interrogate you for life. When other nations do this we call them totalitarian, authoritarian or fascist. America is supposed to be better than that!

Anonymous

Since the United States has joined the international club that practices human rights abuses like torture, blacklisting and detaining people without charge or trial, isn't it time for ACLU attorneys to debate the constitutionality of "Secret Congressional Committees"? The U.S. Constitution defines the "republic" (people's representatives) part of "constitutional democratic republic" as the entire 535 members of Congress, not a handful of special members that hold leverage over the hundreds of other members of Congress. One could make a strong argument that torture, blacklisting, warrantless spying and locking people up without charge or trial - actions that betrayed American values and forever tarnished our reputation - never would have happened if all 535 members had been fully informed. There is no secrecy justification, the national security agencies can easily monitor 535 people for potential leaks. The harm far outweighs the benefits: since 9/11 we have destroyed the Geneva Convention protections for U.S. troops captured in future conflicts, we have destroyed the "Nuremberg Defense" legal protections to deter war crimes against citizens and U.S. troops in future conflicts, we have destroyed Ronald Reagan's treaty against torture and cruel punishment, we have exploited the Espionage Act of 1917 to punish legal whistleblowing (non-spies). For the first time in history Amnesty International and the International Red Cross (a Christian organization) have denounced the United States for human rights abuses. If all 535 members were given equal representation and included, it's likely America wouldn't have embraced the tactics of totalitarian and authoritarian regimes. From an ACLU perspective, are secret committees that keep most members of Congress outside the loop constitutional? One of America's greatest Supreme Court justices, Louis Brandeis once said "Sunlight is the best disinfectant". 
Brandeis meant that we cannot have democracy, where the voters self-govern, where our representatives exercise extreme secrecy of the voters. Excessive secrecy is the greatest enemy to America.

Anonymous

Local police are trying to intimidate citizens commenting on this post. Harassed by local officers from two separate counties in less than 10 minutes. This is a federal criminal violation for any police officer: Title 18 US Code 241, 18 USC 242, 18 USC 245. 42 USC 14141 and 42 USC 1983. Any federal prosecutor has all they need to indict these officers.

Anonymous

Big news: The Washington Post reports on November 13, 2018 that "Driverless Vehicles" will "likely be monitored" inside the passenger cabin, with camera surveillance presumably by law enforcement and other authorities to deter criminality inside vehicles. This is a major change to the Fourth Amendment and the "Plain View" exception to search and seizure rights. The article was written by Washington Post writer Danielle Paquette.

Anonymous

Some Americans have been subjected to full-blown "totalitarianism" by their government for more than 6000 consecutive days in violation of the Constitution's habeas corpus rule. Habeas Corpus suspension was designed for days and months, not years or decades. None of these Americans have legal standing to challenge this illegal detention in court thanks to the Roberts' Court and neither party will solve this problem. The Roberts Court has essentially ruled that defenseless citizens have to prove domestic spying against the most powerful agencies on Earth. Maybe we need a constitutional amendment to counter Cointelpro style tactics by any agency?

Anonymous

Spyware on computers and other electronic devices could literally be dangerous to your physical health and there is no data on spyware. For example: if you were the target of warrantless domestic spying, a "wireless" transmitter may be added to a corded computer with a corded mouse. If you were to take a "non-contact" electrical probe, used by most electricians, that transmitter's electromagnetic field is strong enough to set off a probe rated for 110 voltage - not the low voltage setting. By comparison, that same meter would be set off near an electrical cord to a lamp or microwave oven but no other parts of the device. A computer rigged with spyware sets off the meter on any part of the computer, not just the electrical cord. Why this matters: for purposes of "legal standing" a plaintiff can not only cite financial harm (electricity costs, repairing hacked computers, job interference, etc) but possibly physical harm. Agencies are also using mobile X-ray devices near bridges and other infrastructure. Americans illegally being spied upon - without judicial warrant - may be receiving a stronger dose of radiation. Maybe those doing the illegal domestic spying might take that possible harm into account. A federal judge could order testing of all this illegal spyware to see what the danger risk really is. Today there are no statistics on spyware health dangers. This testing may be valuable when the Bush war crimes commission starts indicting U.S. officials.

Anonymous

The ACLU should lobby to make "Employment Tampering" a Class I Felony by local, state and especially federal officials. 9/11 Blacklistees have been subjected to "totalitarianism" by the U.S. government. Since it's "non-confrontational" it subverts checks & balances by the Judicial Branch. For example: my occupation is professional harness climbing. The U.S. government will allow me to do dangerous tree work for ten years working for the government's customers but tries to obstruct me from working on highrise buildings, cell towers, bridges, etc. I've never had a criminal record nor ever been accused of anything. Employment Tampering (Cointelpro tactic) should be a Class I Felony.

Anonymous

An issue we haven't heard the ACLU address: "Constituent Privacy and the First Amendment". Would love to see an article on this. The First Amendment makes it illegal for a governing entity to try to silence or disrupt legal freedom of speech. Federal criminal statutes also define and clarify what that means and the range of legal penalties. It is everyone's civic duty to vote and participate in the democratic process. A big issue the ACLU may not be aware of is when constituents contact their representatives in Congress, state legislatures or town councils - many legislators simply forward the constituent's private information directly to the Executive Branch agency itself without protecting or concealing the constituent's private information. The net result appears to be that the agency's security arm then punishes or tries to intimidate that legal First Amendment exercise. This security arm apparently views "We the People" not as their employer, but as someone not allowed to participate in the democratic process. As best as I can tell, nobody polices the agencies' security arm violating the First Amendment and federal criminal statutes. The result is a chilling effect on legal First Amendment activity. The ACLU should litigate, possibly via a writ, for legislative branch officials and staffers to protect and conceal a constituent's private information from executive branch agencies. For example: years ago constituents simply trying to improve DHS's illegal blacklisting practices were then harassed by DHS officials. When the Inspector General of DHS and the DHS Privacy Office were notified of abuses by DHS officials, apparently then the Privacy Office itself also harassed legal First Amendment speech. Congress, state legislatures and town councils should be required by law to not facilitate this illegal retaliation.
The federal Privacy Act already makes it a felony for federal officials to share private information on Americans, we could simply amend this act at the federal level.
