Data Privacy Advances, Despite Lack Of Federal Privacy Law

May 3, 2023 by Eric D. Reicin, President & CEO, BBB National Programs

When people talk about privacy, they sometimes speak in absolute terms, such as, “I do not want anyone having access to my data.” At the same time, in an effort to engage with friends, track their health data, follow breaking news, use generative AI, or explore one of the many metaverses, they may also be downloading apps, using devices, and clicking on terms of service that permit significant data collection.

Business and nonprofit leaders encounter similar challenges when managing privacy-related data collection and protection issues that arise from interactions with stakeholders. Organizational privacy views may contain a bit more nuance, but certainly business and nonprofit leaders do not want to give away blanket access to organizational proprietary data either.

In data collection, as in so many other areas of governance, it is critical for industries to serve as responsible stewards of data and do the right thing. That is why safe, transparent, and accountable data privacy practices are important. They are the glue that ensures consumers are provided access to their own data and that such data is not used for unsafe, discriminatory, illegal, or other nefarious purposes. They are also a bedrock of independent industry self-regulation.

Indeed, positive privacy hygiene can elevate an organization’s brand and enhance consumer trust while ensuring it is accountable to appropriate legal and compliance marketplace frameworks. Some of the largest multinational corporations across diverse industries have proclaimed privacy as a core pillar of their ESG governance.

All business leaders should prioritize responsible privacy practices for their organization, which includes paying attention to the data privacy landscape here in the United States.

At present, the U.S. does not have a comprehensive federal privacy law, but instead has a handful of federal laws that govern sector-specific data privacy practices, such as the Children’s Online Privacy Protection Rule (COPPA), Health Insurance Portability and Accountability Act (HIPAA), Genetic Information Nondiscrimination Act (GINA), Gramm-Leach-Bliley Act (GLBA), Family Educational Rights and Privacy Act (FERPA) and more.

In lockstep with these laws, a thoughtful, comprehensive federal privacy law would provide consumers with enhanced protections for their personal information as well as their more sensitive data. It would also seek to ensure that our children, our elderly, and our most vulnerable communities are granted the most robust privacy protections possible.

In the absence of a federal privacy law, the approach in the U.S. remains grounded in “notice and consent,” which many argue is an outdated framework requiring customers to review lengthy privacy policies on their phones and laptops and to accept terms of service they never actually read to access online activities.

This approach has come under increased scrutiny by the Federal Trade Commission (FTC), one of the primary agencies enforcing consumer protections. Over just the last few years, the FTC has used its authority under Section V, Unfair or Deceptive Acts or Practices, to scrutinize data privacy practices and brought a range of enforcement actions against brands (Drizly, Chegg, BetterHelp and others across almost every sector—from health to education, retail, and technology—that processes consumer data).

Given the current environment, many argue that the United States needs an appropriate privacy law to keep its edge among global competitors. More than $2 trillion underpins the global digital economy, and thus, the U.S. should seek to keep pace with economic and trade partners across both the developed and developing worlds, many of whom already have national privacy laws in place.

At the state level, six states (and growing) have charged forward in enacting unique models for their standards for data privacy. For example, a California resident may have different choices about how their data is shared or sold than a resident in the state of Utah who seeks to access the same platform or app. And there is even a third set of rules effective July 1, 2023, for neighboring Colorado residents. Business and nonprofit leaders are encountering the same confusion, if not more, as they try to comply with differing laws and regulations in each of those states.

Congress and the FTC have been hard at work, but there has also been a range of “soft law” federal activities and industry self-regulatory proposals to help ensure robust protections regarding the use of algorithms and automated decision-making, which are grounded in data. For example, when automated tools/AI/machine learning are used in hiring and employment (see my previous piece on this topic) for education, healthcare, and other critical areas, the industry can take a proactive role to minimize the biases that exist to avoid the unintended consequences of life-changing negative impacts of data bias on individuals—an extension of national data privacy conversations taking place that only industry can lead.

An appropriate federal privacy law would level the playing field for all companies and create much-needed uniformity in the digital marketplace to enable enhanced trust in the marketplace for businesses and consumers.

Moreover, as we begin to emerge from a post-pandemic world complicated by global tensions, the U.S. is faced with bigger questions about the guardrails it places around protecting its consumers’ and citizens’ most vulnerable information, a significant part of which is online.

At present, the passage of a federal privacy law remains uncertain at best. Various competing policy priorities (such as the budget, inflation, and more), political factors (including a split Congress), and legal policy choices (such as the extent of state law preemption and private rights of action for consumers) are factors holding back the likelihood of passage.

In the meantime, I encourage you to look to the sectoral, state, and “soft law” mechanisms in place to enhance data privacy for your organization. In doing so, you will be supporting enhanced consumer protections and robust business practices. You will also be demonstrating the kind of accountability that is one of the building blocks for independent industry self-regulation.

Originally published in Forbes

Suggested Articles

Blog

Old MacDonald Had an Engagement Farm: Lessons Learned from FTC v. NGL

Capturing user engagement is the foundation of internet commerce. And while the incentives to prompt greater engagement are certainly understandable, the recent NGL Labs case from the FTC raises important questions about the ethical and legal ramifications when companies try to artificially generate engagement among their userbase.
Read more
Blog

Independence Day Edition: CBPR Framework Offers “Checks & Balances”

Going, Going, Gone Global, a webinar on the CBPR Global Forum, delved into how privacy impacts businesses’ brand reputation and builds trust with key stakeholders, discussed the purpose of the Global CBPR, and its value to Global Forum members.
Read more
Blog

Industry Self-Regulation: Part of the Solution for Governing Generative AI

The spotlight on generative AI remains bright. The benefits and risks continue to be ever-present in the minds of business and political leaders. No matter the timing or the setting, the creation of transparency, accountability, and collaboration among stakeholders is key to successful industry self-regulation as is the importance of setting standards and best practices.
Read more
Blog

The Demise of “Chevron Deference”: Who Will Fill the Regulatory Gaps?

The Supreme Court's 1984 ruling in Chevron v. NRDC held that courts should defer to federal agencies’ interpretations of ambiguous federal laws so long as those interpretations are reasonable. So given the court’s decision to overturn it, where does that leave companies that want a level playing field and perhaps even to raise the bar, instead of racing to the bottom?
Read more