All the state-level talk and action on comprehensive privacy legislation so far this year and in years prior arrive back at the same question: When is U.S. Congress going to step up to the plate with a federal law? It's a question that continues to go largely unanswered, but glimmers of potential movement keep emerging through the cracks of an ongoing gridlock that exists on Capitol Hill.
The first congressional forum of 2022 concerning comprehensive privacy legislation came from the U.S. House Committee on House Administration, which held a hearing titled "Big Data: Privacy Risks and Needed Reforms in the Public and Private Sectors." Testimony covered some of the most common debates raised in the past, including what constitutes appropriate consumer safeguards, who should be regulated under the law, and the most effective and appropriate form of enforcement.
The subject of the hearing itself was less surprising than the committee in which it was being held. Former U.S. Federal Trade Commission Chair Jon Leibowitz recently wrote an op-ed subtly noting the House Committee on Commerce and Energy was moving toward a markup on a bipartisan bill. However, the interest in privacy is only new for the Committee on House Administration, not its chair, Rep. Zoe Lofgren, D-Calif. Lofgren has planted herself firmly in federal privacy law talks in the last three years, co-sponsoring the Online Privacy Act with Rep. Anna Eshoo, D-Calif., in 2019 and 2021.
So while the hearing seemed like a familiar congressional fact-finding exercise, Lofgren's willingness to leave no rock unturned as far as drafting legislation and becoming knowledgeable on the matter is notable. She also made clear that she's interested in having companies tailor to legislation, not the law meeting business needs.
"I'm mindful that if we constrain the collection and retention of data by internet companies, it will require a change in their business models," Lofgren said. "I think that's necessary because right now the propensity and capacity to manipulate every person in America is unacceptably high."
Enforcement: FTC or separate authority
A key component in Lofgren and Eshoo's bill is the creation of the Digital Privacy Agency to handle privacy rights violations enforcement. The idea has been much-discussed given a perceived shortage of resources at the FTC to properly enforce a federal law and a separate proposal for a stand-alone privacy regulator in the Data Protection Act introduced by Sen. Kirsten Gillibrand, D-N.Y., in recent congressional sessions.
Lofgren said it's her understanding that the technological staff at the FTC is "simply no match" for the digital expertise Big Tech companies carry, which ultimately justifies the need to cultivate a new capable authority. Electronic Privacy Information Center Deputy Director Caitriona Fitzgerald testified before the committee that she also falls on the side of shifting powers to a new regulator based on its ability to narrow its focus.
"We're encouraged by recent actions by the FTC on privacy, but (it) has limited resources and an incredibly broad mandate," Fitzgerald said. "The task of data protection is best done by a specialized independent regulator. When you think about the outside presence of technology in our lives and economy, I think this is something that 20 years down the line no one will question why we have a data protection agency just as no one questions why we have the (Federal Aviation Administration) or the (Environmental Protection Agency)."
In contrast, Information Technology and Innovation Foundation Vice President Daniel Castro believes the FTC "has the authority it needs" along with "the reputation and experience to do this job." Castro's view is stood up by current FTC officials claiming the agency is ready and able to tackle enforcement powers, albeit with additional funding expected. Taking privacy out of the FTC's hands could ultimately prove detrimental to consumers, according to Castro.
"When we think about protecting consumer privacy, this overlaps with fraud and security. Those are things the FTC is also focused on, so splitting up that mission may actually weaken protection for consumers."
Targeted ads in focus
Conversations on a potential law are becoming more and more focused on what's being done with the data after it's collected, with targeted advertising being the most talked about use case. Federal lawmakers are attempting to address targeted advertising through a more narrow bill, the Banning Surveillance Advertising Act, introduced in January, but ultimately a comprehensive federal bill is likely to absorb that proposal or any other like it into an omnibus framework.
What remains clear to Harvard Business School Charles Edward Wilson Professor Emerita Shoshana Zuboff is something needs to be done to stymie the potential harms surveillance advertising will cause if its allowed to continue its rampant growth across industries.
"Surveillance capitalism doesn't care what you think, what you believe or how you act. What it does care about is that you think, believe and act in ways that it can capture the data," Zuboff said. "With that aggregation comes computation, applying artificial intelligence, and coming up with predictive algorithms and targeting methodologies. And with those methodologies, various functions are achieved and that includes increasing engagement. That a euphemism for increasing the footprint for greater data extraction."
Included in this targeted advertising dilemma is so-called "dark patterns," which are earning equal attention and worry. Language for prohibiting dark patterns is included in privacy laws adopted in California and Colorado while state attorneys general recently filed lawsuits against Google for alleged deployment of these deceptive practices. Mozilla Chief Security Officer Marshall Erwin said regulatory engagement in this area is necessary, but added that "we wouldn't want a regulator designing a user experience in the browser … but actually acting to say what the standards should be and here's what looks like a deceptive versus a sound practice."
Erwin also opined that an inevitable intersection of privacy and competition will arise when "closing down these privacy gaps means denying data to big and small parties," but he doesn't think that should deter lawmakers from moving forward with legislation.
"We reject that basic idea of leaving the internet more permissive to sort of protect business models," Erwin said. "What we want to see is an overall more protective platform that has an even playing field for big and small businesses. ... We're going to push back pretty aggressively on any suggestion that we should leave privacy holes in the browser or operating systems."
Photo by Darren Halstead on Unsplash
The IAPP Westin Research Center compiled this updating tracker of proposed and enacted comprehensive privacy bills from across the country to aid our members’ efforts to stay abreast of the changing state-privacy landscape.
The IAPP created a chart containing information from each U.S. state or territory’s data breach notification law concerning entities that own, control or process personal data.
If you want to comment on this post, you need to login.