This week is Data Privacy Week: an international effort to inform and empower individuals and businesses to respect privacy, safeguard data, and enable trust. This includes activities to raise awareness, promote privacy and data protection best practices, and to foster important discussions on how we define and enforce privacy rights and technical safeguards.
This is no small order. So much of our lives – and thus our personal information – is online. That information is valuable and consequential. However, there is a lack of understanding – and transparency – as to how our personal information is collected, analyzed, and shared. There is also a lack of actual, individual power to identify and control that collection and use, and to enforce where there are failures of that expectation of use.
That is why, this week, in recognition of Data Privacy Week, I want to use this article to highlight where we are in the United States and how far we have to go to achieve meaningful protections for data privacy.
DEFINING PRIVACY – AND UNDERSTANDING THE CURRENT LIMITATIONS OF CONSUMER DATA PRIVACY RIGHTS
Privacy is defined as “the state or condition of being free from being observed or disturbed.” Since the advent of the digital age, the concept of privacy has necessarily expanded to include the right to some level of control over how your personal information is collected and used.
Privacy is highly valued. It probably then comes as a surprise to recognize that there is no single, uniform, federal right to data privacy. Instead, we have a collection of various, intersecting federal and state regulations covering data categories or populations. For example, we protect a patient’s health information, insofar as it relates to its use and disclosure and secured maintenance by specific entities and their associates (HIPAA). The Fair Credit Reporting Act (FCRA) protects information collected by consumer reporting agencies and institutes protections to ensure the accuracy of information retained. See also the Children’s Online Privacy Protection Rule (COPPA) or the Family Educational Rights and Privacy Act (FERPA). So, we have a handful of federal (and state) statutes that protect certain data points, when collected or maintained by specific actors or regarding specific populations. That is not a very efficient or effective manner to assure broader consumer protections and operational transparency.
It also means that many data privacy protections often come down to the state level. In the absence of a state privacy law prohibiting or regulating the same, consumer data collection and use (including the sale of that data) is pretty much ‘up for grabs.’ This means that companies can collect, use, and share data without notifying users.
There is action at the state level to correct this (Figure 1): three states (California, Colorado, and Virginia) have passed comprehensive consumer privacy laws, and another handful of states (Massachusetts, New York, Pennsylvania, and North Carolina) have similar legislation currently in committee but still face opposition from industry stakeholders (a point well illustrated by the sidelining of the North Carolina Privacy Act). But relying on the states to address a fundamental defect in the digital economy and its infrastructure introduces further costs and barriers to consumers as well as to companies seeking to comply with disparate regulatory requirements.
INTRODUCING EUROPE’S GENERAL DATA PROTECTION REGULATION (GDPR) AND PRIVACY BY DESIGN
If one of the biggest barriers in the United States to protecting and enforcing consumer privacy rights is the absence of a uniform, federal right to data privacy, a close second is the fact that the burden is placed on the individual to manage and enforce their data privacy expectations. This is an unreasonable, onerous expectation, not least because the data economy is largely “invisible” to consumers and users of common digital services and platforms.
Placing the burden on the individual also reflects a reactive approach to regulation, meaning that action and redress are only available in the event of a violation of a recognized, individual right.
This does not reflect the reality of the digital ecosystem, and the business models driving that ecosystem. Instead, a more proactive, systems-level approach is needed, as argued and developed by Dr. Ann Cavoukian in her Privacy by Design framework. This framework requires that privacy be embedded into the design of any system, such that protecting privacy is the “default” status. In doing so, it moves the system biases and burdens from the individual to those seeking to utilize data. This is important – and since the passage of the GDPR by the European Union over five years ago, we have a model for how such a framework might be instituted.
The GDPR prohibits the processing of personal data in the absence of a lawful purpose, and then proceeds to define the six lawful purposes. The first of these is where the individual has consented to the collection and use of such data and that consent is informed, freely given, and unambiguous. Such consent is also subject to withdrawal, and it must not be more difficult to opt out of data collection (or withdraw consent) than it is to opt in.
The GDPR has been a game changer, not just because of its comprehensive nature, but also because of its proactive approach to regulating an emergent area of the digital economy. I would argue that, in addition to standardizing regulations (which is a good thing for compliance officers and the companies they serve), two of the biggest benefits of the GDPR are that it (1) forces greater transparency as to how entities collect and use data, and (2) requires a consumer’s active participation, while providing consumers with meaningful tools to exclude themselves from that marketplace. Sunlight is the best disinfectant – the digital world is no exception.
FINAL ROUND UP
That brings us back to the state of Data Privacy in the United States today. While I tend to write more on cybersecurity and how to prevent and respond to data breaches, that is only a fairly small component of a broader data security and use discussion. Before we even get to the question of how we manage breaches, it is important to understand how we define and protect our collective and individual expectation of privacy rights in the digital age. And that means recognizing that currently, our regulatory structure and digital ecosystem are just not geared to meaningfully respect privacy. We’re moving against the current; if we want things to be different, we need to move upstream and interrupt and change that current. (And we are back to principles of #SystemsThinking.)
While there are discrete steps that individuals can take to manage and protect their digital footprint, and that businesses can implement to better promote transparency and trust with their clients as it relates to their use of consumer data, we need broader, political, and structural action – specifically Congressional action to pass bipartisan Data Privacy legislation creating a uniform, enforceable federal right to data privacy. This is one of those (too few) spaces where there is a real opportunity and appetite for bipartisan action, as reflected by the emergence of both Republican and Democratic sponsored legislation over the last year. I encourage you to reach out to your representatives to support passage of a federal data privacy act.
RESOURCES
To learn more about Data Privacy, Data Privacy Week, and pending legislative efforts, we recommend the following resources:
- National CyberSecurity Alliance Resource Library: Includes practical tools (videos and tipsheets) on how to protect yourself and your devices.
- New York Times, Wirecutter. The State of Consumer Data and Privacy Laws in the US (And Why it Matters): Their illustration of the state laws succinctly summarizes the frustration of fragmentation.
- The Stranger, Washington Lawmakers Throw a Bunch of Data Privacy Bills at the Wall to See What Sticks: An opinion column in a Seattle-based journal that gives some insight into the sausage making of the state legislative process.