The issue of consumer data privacy, the right of the consumer to be aware of and have some control over personal data collected and sold by companies online, is having a moment: several bills have recently been introduced to Congress, while federal agencies and state legislatures have also been doing a lot of work on the subject.
Federal Jurisdiction of Consumer Data Privacy
Within the federal government, consumer data privacy generally falls under the heading of commerce. The Congressional subcommittees responsible for debating legislation on the issue are the Consumer Protection and Commerce subcommittee in the House of Representatives (part of the Committee on Energy and Commerce) and the Manufacturing, Trade, and Consumer Protection subcommittee in the Senate (part of the Committee on Commerce, Science and Transportation). Enforcement of the regulations devised by Congress and signed into law by the President usually falls to the Federal Trade Commission (FTC) and/or the Consumer Financial Protection Bureau (CFPB).
The FTC, the first federal agency to establish explicit regulations regarding consumer data privacy dating from the Fair Credit Reporting Act in 1970, is presently seeking comments on amendments to two rules pertaining to consumer data held by financial institutions, both of which went into effect in the early 21st century. The Privacy Rule of 2000 and the Safeguards Rule of 2003 both originated in the Gramm-Leach-Bliley Act of 1999, which established, among other things, that financial institutions had responsibilities surrounding customer data. The Privacy Rule mandates that financial institutions must tell customers what happens to their data and give them the option to opt out of data collection, and the Safeguards Rule states that those institutions must keep customer data secure. The Dodd-Frank Act of 2010 and the 2015 FAST Act moved a lot of the FTC’s regulation enforcement of consumer data issues to the Consumer Financial Protection Bureau, leaving the FTC primarily in charge of auto lenders at the moment, and these rule changes would address that.
In other recent federal action, the National Institute of Standards and Technology (NIST) is seeking comments on the NIST Privacy Framework: An Enterprise Risk Management Tool. This is not a federal policy; it is instead a federally drafted framework which companies can voluntarily use to assess risk and develop methods of protecting their users’ data privacy.
In late 2018, the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce, solicited comments on “ways to advance consumer privacy while protecting prosperity and innovation.” You can read comments, including those by the American Library Association, the Electronic Frontier Foundation and other advocates of user privacy as well as by several industry trade organizations, here.
The States and Congress
In June 2018, California passed the California Consumer Privacy Act. Set to take effect in 2020, this is the first law of its kind in the country. Other states have passed laws that address some aspect of the overall issue (retail establishments in New Jersey, data brokers in Vermont), but the California law is the first to address consumer privacy as a whole. The far-reaching bill allows users to know what data companies collect about them and gives them the ability to block that data from being sold to other vendors. Consumers can also demand that vendors delete their data. The law establishes punishments for companies that violate the new regulations for handling sensitive data. Other states have been working on their own consumer privacy bills, and Colorado has signed one into law.
Members of the Congressional House and Senate subcommittees have been working for the past few years on different bills related to privacy. Given the impetus of the California law, the European Union’s General Data Protection Regulation, and newsmaking data breaches such as the 2018 Facebook/Cambridge Analytica scandal, there has recently been a greater push to construct a national data privacy law. This year, Sen. Marco Rubio (R-FL) has proposed the American Data Dissemination (ADD) Act, Sen. Amy Klobuchar (D-MN) the Social Media Privacy Protection and Consumer Rights Act, and Rep. Ted Lieu (D-CA) the Protecting Consumer Information Act. Some of the notable bills and resolutions introduced in 2017-2018 include the Data Care Act, introduced in December 2018 by Sen. Brian Schatz (D-HI) and 14 cosponsors. Sen. Ron Wyden (D-OR) proposed draft legislation for the Consumer Data Protection Act in November 2018, which is similar to the bill introduced by Rep. Lieu. In all these cases, legislators proposed to give regulatory powers to the FTC.
One stated reason for a federal law would be to prevent a patchwork of state laws that offer varying levels of protection. Such a law would also work in combination with the GDPR, which has already caused tech companies to revise their privacy policies. However, committee debates over this issue have included discussion of a “preemption” clause, meaning that the national law would invalidate the protections of individual state laws, even if a state law went further in its reach than the national law. Lobbyists from technology companies have been very active in pushing for a relaxing of the California law’s strict regulations, both at the federal level and in California (OpenSecrets.org shows the lobbying dollars received in 2018 by the Senate Commerce, Science and Transportation Committee and the House Energy and Commerce Committee; see also tech companies like Apple Inc.’s donations to congressional committees and 2018 elections).
Should the lobbying succeed in weakening the California law, the tech industry would probably push less for the preemption. If the law remains in full effect, however (there are those working to make it even stronger), the ability to preempt the more stringent aspects of the law on companies that failed to follow it would be a great boon to the national tech companies. The California delegation in Congress is large and since privacy is a bipartisan issue, the California law might prove a strong influence on the final federal law. But what the California law will look like at the end of the year is still uncertain.
Interestingly, an earlier law about consumer data, the Fair and Accurate Credit Transactions Act of 2003, which stipulated that credit reporting agencies (CRAs) must disclose to the consumer information about how their data is being used, included a provision that CRAs must also tell consumers that they “may have additional rights under State law” (15 U.S. Code § 1681g). Congress seemed more willing to allow states to establish stronger data privacy laws when the effect was limited to CRAs than to the wider tech industry.
This issue is still very much in flux; for example, a bill related to children’s data privacy was just introduced to the Senate in mid-March. While states continue to work independently, it remains to be seen whether a federal privacy bill will be passed this year and, if so, what it will look like.
Vicky Ludas Orlofsky has been the Instruction & Scholarly Communication Librarian at Stevens Institute of Technology in Hoboken, NJ, for more than five years. She has long had a personal and professional interest in issues of copyright, user privacy and intellectual freedom, which has informed her approach to instruction and reference. She lives in New Jersey with her family, and in her spare time, such as it is, enjoys bakeries, reading, and bullet journaling.