Over the past few years, countries such as Brazil, Japan and Kenya have passed data protection laws, many having been inspired by the EU’s General Data Protection Regulation (GDPR). However, the US is not one of them. The United States remains without a comprehensive data protection law.
What is emerging instead is a patchwork of laws at state-level. There are three states in the US with comprehensive data laws: California, Virginia and Colorado.
But the details of all these laws vary. In addition, many other states have laws in development.
“There is a patchwork situation developing,”said Lartease Tiffith, EVP, public policy of IAB. “There have been about 21 states who have introduced privacy bills, all in different iterations.”
“There are issues around interoperability where businesses and consumers won’t be able to follow just one law. They have to go through and actually examine each individual law in every state and put in place systems to comply with that,” Tiffith added.
He says that for small to medium businesses, it’s particularly difficult to comply with different laws.
“We saw this when GDPR went into effect that a lot of the small folks stopped operating in Europe because they didn’t have the budget to go through and create a compliance programme,” said Tiffith, “Some businesses are also facing the same issue with the California Privacy Rights Act (CPRA) where small to medium sized businesses will decide not to deliver services and goods. That’s not good for society.”
Erica Darragh is a campaigner and community manager at Fight for the Future, a digital rights advocacy group. Darragh agrees that the state-level laws are not the best way to protect privacy.
“Everybody in the US is getting different internet experiences,” she said.
Darragh also says that just because consumers are in a state where there is a law in place, does not mean they’re fully protected.
“Even in a state where there is some kind of data protection law, it is an ongoing battle with tech companies to be able to enforce it. There are some states that have attempted to pass data privacy laws, but the industry took over and effectively ended up writing the bill,” she said.
Fight for the Future and other privacy activists argue that lack of privacy laws have ramifications far beyond the tech industry.
“The Fourth Amendment requires the government to have a warrant to surveil citizens. But one of the ways that they’ve circumvented that is there are no rules preventing the government from buying data from private companies,” said Darragh.
She points to recent cases, such as LA police trying to access footage of 2020’s Black Lives Matter protests from Amazon’s Ring doorbell, as examples of how unregulated data sharing can go much further than the industry.
“There’s a really strong chance that for every story we hear about this kind of thing, there’s countless others that have also happened, but never made it to the news,” she added.
One common goal?
Both privacy campaigners like Fight for the Future and the IAB believe that the US’s current patchwork of data privacy laws is inadequate. Both would like to see Congress introduce a federal data privacy law.
“I think there’s actually a lot of commonality between what companies are looking for and what privacy advocates are looking for,” said the IAB’s Lartease Tiffith.
Fight for the Future’s Erica Darragh disagrees. She is unconvinced about the industry’s sincerity on wanting more comprehensive laws.
“It’s a pattern we’ve seen before, where the industry will really fight against particular types of legislation. And then when it seems like the political will is kind of shifting towards actually moving on it, they jump in and start to write legislation and advocate for legislation that benefits them,” Darragh said.
The IAB began advocating for a federal privacy law around the same time that the California Consumer Privacy Act (CCPA) was passed in 2018, to prevent the emergence of a patchwork of state laws. In the past the trade group had argued that the industry should be allowed to self-regulate.
The trade body now says that a federal law is the best way to protect both business and consumer interests.
As one might expect, the details of what privacy activists versus the industry wants in a federal data law varies.
There are two major departure points.
The first is over private right of action, something which privacy activists want in a federal law and which the industry largely does not. Private right of action is when a law allows private citizens to take legal action as an individual to enforce their rights.
Tiffith argues that private right of action can give rise to frivolous lawsuits.
“For most businesses, if they get sued, they’re gonna easily pay thousands of dollars to defend themselves,” he said, “Even if they win on the merits of their case, they’ve still lost out because they paid thousands of dollars defending themselves from a frivolous lawsuit that should have never happened to begin with.”
Erica Darragh says that many of these companies are very well equipped to handle lawsuits.
“Many tech companies literally budget for lawsuits. They have a lot of resources to deal with these. Arguing against private right to action on the grounds of the potential inconvenience that could happen to tech companies for their abusive practices feels like gaslighting,” she said.
The other major departure point between activists and the industry is on how a potential federal law might interact with other state laws. Privacy activists would like to see a federal law act as a floor on data protection, which could then be built on by state legislation.
The advertising and tech industry would like to see a federal law nullify state legislation.
“The problem is that this would lead to a system where instead of having to worry about a 50 state patchwork, we have a 51 state patchwork because now we have to deal with the federal law too,” said the IAB’s Tiffith.
What are the chances?
There is little agreement on what a federal data law would look like. But it also seems unlikely that Congress will pass legislation in the near future anyway.
With Congress pretty evenly split between the Republicans and Democrats, any bill would need bipartisan support. This can be pretty hard to achieve. In addition, privacy isn’t exactly top of the agenda for the legislature.
“I would put it at very unlikely that we’ll see a federal privacy law passed this year, because I think that Congress has a lot of other issues it’s dealing with,” said Lartease Tiffith, “They have other priorities.”
While not hopeful on the chances of a federal law in the immediate future, Tiffith says the IAB expects to see progress on these issues through other channels.
“What I think will happen instead is the Biden administration will probably issue some rulemaking around privacy in the form of an executive order,” he said.
An executive order is a directive made by the President of the United States. Executive orders are directions issued to federal agencies.
While Tiffith is hopeful that executive orders can be a channel for the progress the IAB wants to see, he warns that there are limitations to how useful they are.
“I don’t believe this is something Congress should dodge. I think they should seek to get something done on a federal level and through legislation,” he said, ”We shouldn’t rely on executive orders alone, because it’s temporary. The next administration can come in and change it to something else. And that’s not providing predictability to users or to businesses.”
As for digital rights activists, they’re turning to another part of the US government to push for progress.
The Federal Trade Commission (FTC) is an independent US government agency that is set up to enforce antitrust laws and promote consumer protection. Members are nominated and then confirmed by the US Senate.
“The FTC has really broad powers to begin to tackle abusive data practices. The current FTC, with the addition of the current nominees (provided they’re confirmed), would create the strongest data privacy and consumer protection focused FTC we’ve ever had,” said Erica Darragh.
“There’s potential that the stars can align and we would be able to address this on a regulatory level before a legislative solution surfaces,” she added.
