Data Privacy Advances, Despite Lack Of Federal Privacy Law

May 3, 2023 by Eric D. Reicin, President & CEO, BBB National Programs

When people talk about privacy, they sometimes speak in absolute terms, such as, “I do not want anyone having access to my data.” At the same time, in an effort to engage with friends, track their health data, follow breaking news, use generative AI, or explore one of the many metaverses, they may also be downloading apps, using devices, and clicking on terms of service that permit significant data collection.

Business and nonprofit leaders encounter similar challenges when managing privacy-related data collection and protection issues that arise from interactions with stakeholders. Organizational privacy views may contain a bit more nuance, but certainly business and nonprofit leaders do not want to give away blanket access to organizational proprietary data either.

In data collection, as in so many other areas of governance, it is critical for industries to serve as responsible stewards of data and do the right thing. That is why safe, transparent, and accountable data privacy practices are important. They are the glue that ensures consumers are provided access to their own data and that such data is not used for unsafe, discriminatory, illegal, or other nefarious purposes. They are also a bedrock of independent industry self-regulation.

Indeed, positive privacy hygiene can elevate an organization’s brand and enhance consumer trust while ensuring it is accountable to appropriate legal and compliance marketplace frameworks. Some of the largest multinational corporations across diverse industries have proclaimed privacy as a core pillar of their ESG governance.

All business leaders should prioritize responsible privacy practices for their organization, which includes paying attention to the data privacy landscape here in the United States.

At present, the U.S. does not have a comprehensive federal privacy law, but instead has a handful of federal laws that govern sector-specific data privacy practices, such as the Children’s Online Privacy Protection Rule (COPPA), Health Insurance Portability and Accountability Act (HIPAA), Genetic Information Nondiscrimination Act (GINA), Gramm-Leach-Bliley Act (GLBA), Family Educational Rights and Privacy Act (FERPA) and more.

In lockstep with these laws, a thoughtful, comprehensive federal privacy law would provide consumers with enhanced protections for their personal information as well as their more sensitive data. It would also seek to ensure that our children, our elderly, and our most vulnerable communities are granted the most robust privacy protections possible.

In the absence of a federal privacy law, the approach in the U.S. remains grounded in “notice and consent,” which many argue is an outdated framework requiring customers to review lengthy privacy policies on their phones and laptops and to accept terms of service they never actually read to access online activities.

This approach has come under increased scrutiny by the Federal Trade Commission (FTC), one of the primary agencies enforcing consumer protections. Over just the last few years, the FTC has used its authority under Section V, Unfair or Deceptive Acts or Practices, to scrutinize data privacy practices and has brought a range of enforcement actions against brands (Drizly, Chegg, BetterHelp, and others) across almost every sector that processes consumer data, from health to education, retail, and technology.

Given the current environment, many argue that the United States needs an appropriate privacy law to keep its edge among global competitors. More than $2 trillion underpins the global digital economy, and thus, the U.S. should seek to keep pace with economic and trade partners across both the developed and developing worlds, many of whom already have national privacy laws in place.

At the state level, six states (and growing) have charged forward in enacting unique models for their standards for data privacy. For example, a California resident may have different choices about how their data is shared or sold than a resident in the state of Utah who seeks to access the same platform or app. And there is even a third set of rules effective July 1, 2023, for neighboring Colorado residents. Business and nonprofit leaders are encountering the same confusion, if not more, as they try to comply with differing laws and regulations in each of those states.

Congress and the FTC have been hard at work, but there has also been a range of “soft law” federal activities and industry self-regulatory proposals to help ensure robust protections regarding the use of algorithms and automated decision-making, which are grounded in data. For example, when automated tools, AI, or machine learning are used in hiring and employment (see my previous piece on this topic), or in education, healthcare, and other critical areas, industry can take a proactive role in minimizing existing biases and avoiding the unintended, life-changing negative impacts of data bias on individuals. This is an extension of the national data privacy conversations taking place, and one that only industry can lead.

An appropriate federal privacy law would level the playing field for all companies and create much-needed uniformity in the digital marketplace to enable enhanced trust in the marketplace for businesses and consumers.

Moreover, as we begin to emerge from a post-pandemic world complicated by global tensions, the U.S. is faced with bigger questions about the guardrails it places around protecting its consumers’ and citizens’ most vulnerable information, a significant part of which is online.

At present, the passage of a federal privacy law remains uncertain at best. Various competing policy priorities (such as the budget, inflation, and more), political factors (including a split Congress), and legal policy choices (such as the extent of state law preemption and private rights of action for consumers) are factors holding back the likelihood of passage.

In the meantime, I encourage you to look to the sectoral, state, and “soft law” mechanisms in place to enhance data privacy for your organization. In doing so, you will be supporting enhanced consumer protections and robust business practices. You will also be demonstrating the kind of accountability that is one of the building blocks for independent industry self-regulation.

Originally published in Forbes
