Privacy Law in the United States and Europe

Privacy law addresses the vast information explosion that has put privacy in the spotlight. Many recent proposals for privacy legislation aim at slices of the problem.

Healthy skepticism is an important part of privacy protection. Privacy laws protect our right to ask questions and seek answers from entities that hold our data.

Constitutional Rights

In the United States, the Supreme Court’s Griswold and Roe decisions created protection for the right to privacy. These cases, and others that follow them, establish that governmental infringements of privacy must be justified by a compelling state interest. They also emphasize that the right to privacy is fundamental, and that individuals have the power to protect it in their own ways.

The Supreme Court’s decision in Roe firmly established the concept of decisional privacy, which extends to a woman’s right to decide whether to have an abortion, to the right to marry, and to other important life decisions. The decision cited the constitutional guarantee that people cannot be deprived of life, liberty or property without due process of law. This due process guarantee, found in the Fifth Amendment, is a key element of the Constitution’s protection of privacy rights.

The federal Privacy Act of 1974 establishes four procedural and substantive rights in a person’s data. It requires government agencies to show an individual records kept about them, and establishes a code of fair information practices for these records. It also prohibits unauthorized disclosure of personal data and allows an individual to sue for violations. Some states have laws that go further than the federal law. These include laws that require businesses to have a privacy policy, and laws that allow consumers to opt out of marketing and sales of their data.

Federal Trade Commission Act

The Federal Trade Commission (FTC) is currently the nation’s primary consumer protection agency and many federal bills seek to expand its role in data privacy regulation. As such, the FTC will play an important role in overseeing and enforcing any future federal privacy legislation.

Specifically, the FTC’s core Section 5 authority gives the agency the power to take action against “unfair or deceptive acts or practices.” However, as privacy expert Gellman has argued, the FTC’s current enforcement regime focuses too heavily on economic harms and may overlook harms that cannot be quantified in financial terms.

As such, it may be more effective for the FTC to use its Section 18 rulemaking authority to establish binding federal regulations that would replace the existing notice and choice framework with substantive limits on data collection and disclosure. Both Commissioners Lina Khan and Rebecca Slaughter have endorsed this approach.

It is widely agreed that the FTC needs more capacity to regulate and enforce privacy law. Over the last several years the agency has successfully brought numerous actions addressing a wide range of issues, including peer-to-peer file sharing, social media networking, spam, spyware and failure to adhere to privacy commitments. Even so, the scope and intensity of the risks are outpacing the agency’s staffing and budget. To address this, most of the major proposals, including DATA 2020, COPRA and CDPA, call for the FTC to be empowered to set specific data security benchmarks that can then be used as the basis for enforcement actions.

State Laws

The United States lacks a comprehensive federal privacy statute, but several state laws offer protection for consumers. These laws vary in scope and requirements, so organizations that process personal data need to consider each one carefully and ensure compliance. They must also stay up to date with any changes.

Some states have specialized privacy laws that protect sensitive data, such as medical records and financial information. These laws require entities to obtain consumer consent and take steps to secure the data. Others have general consumer privacy laws that apply to all types of personal information. These laws require entities to disclose their data collection and use practices, give consumers a right to opt out of selling their data, and impose penalties for noncompliance.

These laws are typically divided into two categories: vertical and horizontal. Vertical privacy laws protect specific types of data, such as fingerprints and retinal scans, while horizontal policies address how the data is used in a given context. Both can have significant ramifications for organizations that process or store personal data.

For example, the Colorado privacy law covers all personal information collected by businesses in that state. The California privacy law, meanwhile, requires businesses to disclose their data collection and use practices and allow consumers to opt out of the sale of their data. It also imposes substantial fines for violations and authorizes the state attorney general to bring enforcement actions.

European Union Law

After the data scandals surrounding Facebook, Cambridge Analytica and Google, calls for comprehensive privacy legislation have intensified. CEOs of major tech firms have joined public critics in urging Congress and state legislatures to adopt laws similar to Europe’s General Data Protection Regulation (GDPR).

The GDPR requires that companies explain how they collect, use and store personal information; protects people’s right to privacy; and gives them new ways to exercise control. But the regulation’s consent requirement is ill-suited to modern data practices, and informed consent remains difficult to achieve as advertising ecosystems become ever more complex.

While the GDPR prohibits the electronic transfer of personal data from Europe to countries where privacy protections are deemed inadequate, it contains several exceptions. For example, the law allows a transfer when the data subject has unambiguously consented to it; when the transfer is necessary to complete a transaction that involves the sale or processing of the data; when it is needed to protect a vital interest of the data subject; and, in some cases, when the data is already public.

The European Court of Justice is expected to decide whether the United States’ national security exception meets EU standards and, if so, whether that determination should be made on a sector-by-sector basis. An across-the-board finding that the United States lacks adequate privacy protections would be disruptive to many U.S. industries, including some that would probably meet the adequacy standard on their own, such as credit reporting.