FAQ: Understanding U.S. privacy protections in place and under consideration

What U.S. laws and regulations are already on the books?

The issue isn’t that the United States doesn’t already have rules governing data privacy, but rather that those existing rules are either narrow (in terms of audience or industry) and often focus more on breaches than the misuse or misapplication of data.

The most controversial regulation isn’t domestic at all. Europe’s General Data Protection Regulation (GDPR), within its 99 articles, places demands on U.S. companies that do business with (and collect data from) EU residents.

It inspired California’s state-crafted law, the Consumer Privacy Act of 2018. Similar to GDPR, California customers will have the right to demand that specific data be deleted from an online enterprise’s databases.

The legislation will: grant consumers the right to request deletion of personal information; give consumers the right to know what personal information is shared or sold to third parties; and authorize consumers to opt out of the sale of personal information by a business.

The Children’s Online Privacy Protection Act, crafted and enforced by the Federal Trade Commission, requires commercial Websites or online services to obtain parental consent before collecting personal information from children under 13.

The Health Insurance Portability and Accountability Act, passed in 1996, imposes data privacy and security provisions for safeguarding medical information.

The Gramm-Leach-Bliley Act requires that banks and other financial institutions send annual privacy notices to customers that describe how non-public personal information is shared. These notices must describe the privacy practices of financial institutions, including whether and how they share customers’ nonpublic personal information.

What is happening in Congress?

There was a lot of activity in the current, lame duck session of Congress to take up improved data-focused legislation. The question, for now, is whether any of those efforts, informed by committee hearings in both chambers, will move forward, or need to wait for a new session with newly elected officials in 2019.

Among the developments to watch is the successful reelection of Rep. Ro Khanna (D-Calif.). Working with Tim Berners-Lee, the creator of the World Wide Web, Khanna has unveiled an “Internet Bill of Rights,” with assurances citizens should have when it comes to consenting to the collection and dissemination of their personal data.

In a separate white paper, Sen. Mark Warner (D-Va.) has outlined data privacy rights that could form the basis of legislation. Notably, he pitched a “fiduciary duty” for those who collect and share personal information.

Sen. Ron Wyden (D-Ore.) has made public the draft of proposed legislation that would require senior executives of companies with more than $1 billion in annual revenue, or data on more than 50 million consumers, to file annual reports with the FTC detailing whether or not they complied with the privacy and data security standards. The bill could include criminal penalties for making false statements in these reports.

Senators Amy Klobuchar (D-Minn.) and John Kennedy (R-La.) introduced legislation that would: give consumers the right to opt-out of data collection and keep their information private by disabling data tracking and collection; and require that terms of service agreements be in plain language.

In September 2017, Equifax announced that hackers had stolen the sensitive personal information of more than 145 million Americans. In response, Sens. Warner and Elizabeth Warren (D-Mass.) introduced the Data Breach Prevention and Compensation Act. It seeks to create an Office of Cyber-security at the FTC tasked with supervision of credit rating agencies, imposing penalties for breaches of consumer data and compromised personal identifying information.

The latest twist on legislation: a bill proposal released by chipset-maker Intel in early November.

“We recognize the need for a legal structure to prevent harmful uses of the technology and to preserve personal privacy so that all individuals embrace new, data-driven technologies,” the company said in a statement. “The U.S. needs a law that promotes ethical data stewardship, not one that just attempts to minimize harm.”

The proposal builds upon Fair Information Practice Principles from the Organization for Economic Cooperation and Development’s “Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.”

“The OECD FIPPs are ‘the Global Common Language of Privacy’ and many of the privacy laws around the world are based on them,” Intel says.

The legislative pitch would require that most uses of data will require a risk/benefit analysis that will restrict an organization from using data in a way that creates undue risk for individuals. Organizations must also state their purposes for collecting and processing data, “described narrowly and specifically,” and adopt “reasonable measures to protect personal data.”

The FTC would be tasked with enforcement with increased autonomy, authority, and responsibilities.

What is the Trump administration doing?

Since taking office, President Trump has periodically called in tech leaders for “listening sessions” to debate potential ways the White House could, or should, develop a policy for consumer data privacy.

Among the resulting, in-play initiatives is an expanded framework for consumer privacy by the National Institute of Standards and Technology.

NIST, a non-regulatory agency of the Department of Commerce, provides and oversees one of the nation’s most widely-used cyber-security frameworks for both private and public entities. In September, it launched a collaborative project “to develop a voluntary privacy framework to help organizations manage risk.”

The envisioned privacy framework will provide an enterprise-level approach that helps organizations “prioritize strategies for flexible and effective privacy protection solutions.”

“NIST’s goal is to develop a framework that will bridge the gaps between privacy professionals and senior executives, so that organizations can respond effectively to these challenges without stifling innovation,” NIST Senior Privacy Policy Advisor Naomi Lefkovitz said.

Parallel with the NIST initiative, the Commerce Department’s National Telecommunications and Information Administration (NTIA) is developing “a domestic legal and policy approach for consumer privacy.”

It recently issued a request for comments on a proposed approach to consumer data privacy, “Developing the Administration’s Approach to Consumer Privacy.” The deadline for that feedback was Nov. 9.

With the goal of publishing “high-level principles” for building better privacy protections, the NTIA had sought industry feedback on the following assumptions:

• Organizations should be transparent about how they collect, use, share, and store users’ personal information.
• Users should be able to exercise control over the personal information they provide to organizations.
• The collection, use, storage, and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks.
• Organizations should take steps to manage the risk of disclosure or harmful uses of data.

What are states doing?

State attorneys general are flexing their muscles regarding data breaches and what they view as improper uses of data.

In June, New Jersey Attorney General Gurbir Grewal announced plans to create a new civil enforcement unit, known as the Data Privacy & Cybersecurity Section, within his office. It will enforce laws that protect New Jersey residents’ data privacy and cyber-security by bringing civil actions against violators. Another role of the Section will be to provide legal advice to the State’s Executive Branch agencies on compliance with cyber-related state and federal laws and standards.

Among other projects, it will assume responsibility for the Office’s ongoing investigation into Facebook’s transfer of personal information to Cambridge Analytica.

Legislatively, in addition to a plethora of data breach notification laws, Illinois enacted the Biometric Information Privacy Act, a restriction on face recognition, thumbprint scans, and other identifiers. Facebook currently faces a class-action lawsuit on its use of this technology, without user consent, for “tag suggestions.” Texas and Washington also have biometric identifier laws on the books.

Besides enacting the Consumer Privacy Act of 2018, California in September passed the nation’s first law covering the Internet of Things. Starting Jan. 1, 2020, any company selling an internet-connected device must ensure “reasonable” security features that prevent unauthorized access and data disclosure.

Colorado has a new law that requires covered entities to: develop and maintain written policies on the disposal of personal information and “implement reasonable security procedures and practices commensurate with the sensitivity of personal data processed as well as the size and complexity of the entity.”

Earlier this year, Vermont enacted a law that imposes controls on data brokers. It requires data brokers to register with the state on an annual basis. Those registrations must include disclosures on whether, and how, consumers may opt out of having their personal data used. Disclosures must also reveal how data is collected, retained, protected, and whether it is sold to third parties. The state attorney general is tasked with enforcement of the new law.