In an impassioned speech in Brussels this October, Tim Cook, the CEO of Apple, threw his weight behind a federal privacy law, denouncing the data collection practices engaged in by his fellow technological giants such as Google and Facebook. While it is not new for tech companies to push for stronger privacy laws, the renewed impetus for the movement comes from the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, and California’s Consumer Privacy Act, which will go into effect on January 1, 2020. On the heels of California’s legislation, other states such as Georgia have also introduced similar bills. This patchwork of legislations across states with different levels of obligations has pushed the tech industries to petition Congress to enact a federal legislation. Earlier in November, Senator Ron Wyden (D–OR) introduced a federal privacy bill, but many news outlets report it as unlikely to be passed into law. While the tech companies’ interest may stem more from the desire to avoid compliance with 50 different laws on privacy, this post analyzes the public policy implications of a federal legislation on privacy for the complicated digital economy.
Present federal protections for privacy rights:
The current approach at the federal level in regulating the collection and use of private information is sector-specific, with no umbrella legislation that prevents or regulates how sensitive information is to be used. The only such umbrella legislation on privacy is the Privacy Act of 1974 which applies only to the collection, maintenance, use and dissemination of individual information by federal agencies. Paul Schwartz describes the sector-specific approach to privacy in the United States and explains that federal sector-specific legislations such as the Video Privacy Protection Act and the Wiretap Act merely establish “floors” upon which several states have enacted much more stringent regulations. Paul M. Schwartz, Preemption and Privacy,118 Yale L.J.902, 919 (2009). There is also a sprinkling of regulatory requirements imposed by agencies such as the Securities and Exchange Commission that require public companies to disclose material cybersecurity risks and incidents. Not only is there is no federal omnibus privacy legislation, neither is there a single enforcement authority; rather, enforcement is carried out by three actors: the Federal Trade Commission (FTC), state attorney generals who self-describe themselves as the “Internet’s police”, and class-action attorneys. By and large, however, enforcement of privacy laws at the federal level is toothless, based largely on a breach of the contractual policy of privacy that consumers agree to in click-wrap agreements, and pursued by the FTC if the activities are deceptive or unfair.
Need for a federal privacy law:
Most of the arguments in favor of a federal privacy law have come from within the industry itself, calling for a uniform law that sets one standard for the entire country as opposed to 50 different standards. This argument seems to be inspired by the reality that state-wide privacy laws are in the offing and will make matters complicated for Big Tech, and an effort to shape public debate by being a part of it. In response to the call for comments by the National Telecommunications & Information Administration (NTIA) on developing the Trump administration’s approach to privacy law, Amazon has called for a uniform federal law that will replace the “patchwork of different privacy obligations”, arguing that differing obligations will be expensive, time-consuming and divert resources that could otherwise be used in innovation. AT&T has framed the need for a federal law in terms of the difficulties to consumers in navigating differing and complicated state-specific legislations.
Privacy advocates, on the other hand, also welcome a federal law on the subject but have called for such standards to be a floor and not a ceiling, and strongly criticize the language of pre-emption of state laws that is adopted by technology industries. Privacy scholars, who submitted comments to the NTIA, explain that states have historically been “laboratories of experimentation” and have been willing to experiment with different approaches to regulate privacy.
Today, there is bipartisan support on the need for a federal privacy law, yet little consensus on what that law should look like. But popular opinion seems to suggest that Americans want more protections for their privacy, not less, and it is unclear whether a federal policy that preempts state requirements will accomplish this. While there is merit to the suggestion that having 50 different state laws and one federal law would only be burdensome and complicated for all actors involved, it is also important to ensure that a uniform federal policy sets the bar high enough so that it affords meaningful protection to internet users.