What forces have kept the United States from passing comprehensive data privacy legislation over the years? Is it “Americans’ conceptions of privacy itself” that have doomed omnibus laws? Writing in Axios this week, journalist Margaret Harding McGill focused on our culture of individualism and deep-rooted conceptions of privacy as a right rooted primarily in sovereignty over physical space. Is it instead the potential high cost of new compliance obligations? Or the fact that privacy is a “slow burn issue” that is easy to drop to the bottom of Congress’ agenda? McGill raises these factors too.

Regardless of its origins, the main impediment to legislative action has been a lack of real consensus about the proper shape of U.S. data privacy standards. Especially in the past decade, as well-established norms around notice- and choice-based data protection have been challenged by the cross-contextual processing of our ever-connected lifestyles, we have struggled to agree on what should define the modern American flavor of privacy. This has led to infighting at every level of policy discourse. Disagreements have been a constant feature of advocacy within the business community and the civil society community alike.

In recent years, on the business side, the foundations of consensus have emerged. There is widespread support for the idea of a unifying federal standard on data privacy. It is no secret that this has been driven by the strong advancements of state-level rules in California, Colorado and other states. The approaching threat of a “patchwork” of fractured privacy laws has been a major factor driving business support for federal action, with the understanding that federal rules would preempt most diverging state standards.

In contrast, civil society has still struggled to coalesce around a single strategy. Some have focused on advancing ever-stronger state protections, with mixed success. Others, working at the federal level, have disagreed about the right focus for privacy legislation. Should it codify established best practices, converge with European advancements, or go farther still to enshrine standards for privacy rights that can endure in an era of ubiquitous algorithms and sensors? The debate has raged on.

This discordant history is what makes this week’s coalition letter to House Speaker Nancy Pelosi, D-Calif., so remarkable. With a couple of notable absences, the letter represents an unprecedented consensus among civil rights, privacy and consumer organizations. Together, they deliver a forceful message: “The time is now to pass a comprehensive federal privacy and civil rights law.”

The 48 organizations describe the American Data Privacy and Protection Act as a “meaningful compromise that has bipartisan support” and would “provide long overdue and much needed protections for individuals and communities.” They call on Speaker Pelosi to bring the ADPPA to a vote on the House floor.

Only time will tell whether the forces of coalescence or quiescence will carry the day.

Here's what else I’m thinking about:

  • The U.S. Federal Trade Commission began accepting comments on its Advance Notice of Proposed Rulemaking on Commercial Surveillance and Data Security. The final day to comment is Oct. 21. Although the ANPR raises 95 possible topics for comment, commenters are welcome to pick and choose among them to help the agency understand the best solutions to the structural issues it has raised, including alternative mechanisms to the path of creating a new Trade Regulation Rule.
  • The FTC’s newest commissioner, Alvaro Bedoya, is profiled in a Washington Post article highlighting some of his policy priorities at the agency, including the health, safety, and privacy of kids and teens online as well as algorithmic discrimination issues. The article offers a preview of Commissioner Bedoya’s thoughts on the intersection of competition and privacy: “I remain very interested in data as a barrier to entry, and whether certain things that are good for competition may be bad for privacy and trying to figure out that balance.”
  • The Federal Communications Commission published responses from mobile carriers to a request from the agency seeking information about their policies related to the collection, storage and processing of geolocation data. Announcing the publication, FCC Chairwoman Jessica Rosenworcel called on the agency’s Enforcement Bureau to investigate whether the carriers fully disclose use and sharing of the data.
  • Despite White House support, U.S. efforts to craft an Artificial Intelligence Bill of Rights have “stalled,” according to a Council on Foreign Relations blog post. The Office of Science and Technology Policy kickstarted the initiative last year, but there has been scarce public progress since.
  • A whistleblower complaint from ex-Twitter security chief Peiter Zatko featured allegations of ongoing bad privacy practices at the company, including a lack of clarity about purpose limitations around collected data, among many other claims. The complaint was sent to the U.S. Securities and Exchange Commission and, in redacted form, to members of Congress, before being published by CNN and The Washington Post. Given the timeline of Zatko’s involvement with the company, it is hard to say whether the renewed allegations go beyond the FTC’s recent enforcement of its consent agreement with the company, which featured similar claims. The Senate Judiciary Committee subpoenaed Zatko to testify at a hearing on Sept. 13.
  • California’s attorney general announced the first enforcement action of the California Consumer Privacy Act against cosmetics brand Sephora. The complaint and settlement underscore prior statements from California’s privacy enforcers that third-party sharing of website browsing data, including for advertising and sometimes analytics purposes, can violate California’s data privacy laws. The settlement includes an agreement from Sephora to respect the Global Privacy Control signal, which California’s regulators say must be respected as an opt-out signal.

Under scrutiny

  • Data brokers are the subject of a Politico Pro article (paywall) analyzing a recent 11% increase in spending from the industry on federal lobbying activities, potentially in response to the ADPPA.
  • Geolocation data rules should be considered with more than just the precision of the data in mind, but also its identifiability, argues Jason Sarfati, Gravy Analytics Vice President of Legal and Chief Privacy Officer, in an IAPP op-ed.
  • Palantir’s patents are scrutinized in a paper in the journal Information Society “offering insight into how Palantir documents its broad surveillance capabilities.”
  • Snap settled a lawsuit under Illinois’ biometrics law alleging that its in-app camera filters, known as “Lenses,” process biometric information without proper consent. Snap continues to deny this assessment and issued this statement: “Snapchat Lenses do not collect biometric data that can be used to identify a specific person, or engage in facial identification. For example, Lenses can be used to identify an eye or a nose as being part of a face, but cannot identify an eye or a nose as belonging to any specific person. Moreover, even the limited data that is used to power Lenses is never sent to Snap’s servers — the data never leaves the user’s mobile device. And while we are confident that Lenses do not violate BIPA, out of an abundance of caution and as a testament to our commitment to user privacy, earlier this year we rolled out an in-app consent notice for Snapchatters in Illinois.”

Please send feedback, updates and slow burns to cobun@iapp.org.