Privacy in the US

Posted by Dennis Dayman 

As we continue this series on the California Consumer Privacy Act (CCPA), it is worth looking at the many other privacy initiatives under way in the US. With the continued rise of consumer data breaches and growing privacy concerns, many countries have made sweeping changes to their privacy regulations. Those countries typically do so through overarching, umbrella-style regulations that cover all kinds of data without needlessly separating the protections by data type. Consumer privacy protections in the US, by contrast, are currently managed through a sectoral approach, at both the federal and the state level. And while it may seem like a messy hodgepodge of industry-specific provisions, each of these measures arose out of necessity to address a very specific need. In this post, we will help you understand the history of the US privacy landscape and where it stands today.

At the most abstract level, although the US Constitution does not explicitly include the right to privacy, the Supreme Court has found that the Constitution implicitly grants a right to privacy against governmental intrusion.  

As stated in the Fourth Amendment of the US Constitution:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Privacy in Healthcare—HIPAA
In healthcare, for instance, the concept of informed consent was originally developed for rare, high-risk and potentially life-threatening situations, like surgery and medical research. In health care, one cannot get assistance without disclosing intimate physical and behavioral facts to others. If one doesn’t disclose this otherwise private information, death or serious permanent harm might result.

Rooted in the Hippocratic Oath, the ethical rule of confidentiality frames a fiduciary role between the physician and her patient. The physician receives health information in trust, to be used only for legitimate health care purposes. Using that health information for other purposes would be a breach of that trust, contrary to the Hippocratic Oath’s first principle, “do no harm.” An excerpt from the Oath as administered reads: “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”

Research shows that patients trust their doctors to make appropriate health information-disclosure decisions, including sharing information with other health professionals who are responsible for the patient’s care. We don’t really want people who are rushed to a hospital in an ambulance to have to check the privacy settings of their electronic health record portal app, or doctors and nurses to fail to care for an unconscious person because they don’t know that person’s privacy choices.

It comes as no surprise that the roots of the Health Insurance Portability and Accountability Act (HIPAA) stem from the early 1990s, when it first became apparent that the medical care industry would become more efficient by computerizing medical records. In addition, the industry also needed new standards regarding the management of healthcare data. These standards included rules regarding the portability of medical information as well as the establishment and protection of a patient’s right to medical privacy. There was also the issue of ensuring that people could keep their health care coverage when they left their jobs.

Privacy in Finance—GLBA
Likewise, the financial industry tells the same story. As financial records were digitized and reports of data mishandling and breaches mounted, regulators sought consumer protections for financial records and transactions. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions (companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance) to fully explain their information-sharing practices to their customers and to safeguard sensitive data. Firms must give their customers the option to “opt out” if they do not want their sensitive information shared. While many consider critical information such as bank balances and account numbers to be confidential, in reality this data is routinely bought and sold by banks, credit card companies, and others. GLBA introduced limited privacy protections against such sales of personal data, and against pretexting (obtaining personal information under false pretenses).

Data Privacy Today
And now enter the modern era of massive data use and cloud services. The IMD World Competitiveness Center has pioneered research on how nations and enterprises compete to lay the foundations for future prosperity; in its 2018 study, the USA rose from third place to lead the ranking, followed by Singapore, Sweden, Denmark, and Switzerland. Americans’ rapid move toward mobile internet service appears to be coming at the expense of home broadband connections, according to the latest computer and internet use data released by the National Telecommunications and Information Administration (NTIA). At the same time, many Americans are using a wider range of computing devices in their daily lives. Both of these findings suggest that technological changes are driving a profound shift in how Americans use the internet, which may be opening a new digital divide based on the use of particular types of devices and internet services.

Billions of people were affected by data breaches and cyber attacks in 2018, with 765 million affected in the months of April, May, and June alone and losses surpassing tens of millions of dollars, according to global digital security firm Positive Technologies. Cyber attacks increased 32 percent in the first three months of the year and 47 percent during the April-June period, compared to the same periods in 2017, according to the same firm. There was no breach “quite as significant” as the Equifax data breach of September 2017, in which an estimated 143 million Americans faced a potential lifelong threat of identity theft. Breaches and cyber attacks continue to escalate, and there is no sign of them slowing down.

Privacy watchdogs in Europe say they are continuing to see an increase in data breach reports as well as privacy complaints. That should be no surprise, because, as we reported in our GDPR series, the EU began enforcing its General Data Protection Regulation on May 25, 2018. Among its provisions, GDPR requires organizations that suffer a breach that may have exposed Europeans’ personal information to notify the relevant authorities. The number of data breach reports filed since GDPR went into effect has reached about 3,500 in Ireland, over 4,600 in Germany, 6,000 in France and 8,000 in the U.K.

Because of all this and in the absence of a US federal entity enacting comprehensive privacy protections, states have begun picking up the slack.

To be clear, the notion of states implementing local statutes to protect their own residents isn’t new. All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. Right-to-privacy and social media content laws have been considered and enacted in several states, such as California’s “online erasure” law, which protects minors from leaving a digital trail. However, the United States is still far behind the European Union countries in protecting privacy online. (For example, Maciej Szpunar, advocate general for the European Court of Justice, has issued a recommendation on how the court should rule in the “right to be forgotten” case, which would protect both adults and minors.) But the fact that so many states are jumping on this bandwagon says something about the growing concern over the lack of comprehensive federal regulation:

  • Hawaii – S.B. 418
  • Massachusetts – S.D. 341
  • New Mexico – Consumer Information Privacy Act (S.B. 176)
  • Rhode Island – Consumer Privacy Protection Act (S.B. 234)
  • Washington – Washington Privacy Act (S.B. 5376 / H.B. 1854)
  • New Jersey – A.B. 4640 / S.B. 3153
  • New York – Online Consumer Protection Act (S.B. 2323 / A.B. 3818)
  • New York – S.B. 1177
  • New York – Right to Know Act (S.B. 224 / A.B. 3739)
  • North Dakota – H.B. 1485
  • Virginia – H.B. 2535
  • Arizona – H.B. 2259
  • California – A.B. 288
  • Connecticut – H.B. 6601
  • New Jersey – S.B. 2634 / A.B. 3923

But it’s not for want of trying: U.S. federal data privacy legislation is complicated, and passing a comprehensive federal data privacy bill will require two polarized sides to come together on the issue of preemption of state laws and of other federal laws, like HIPAA and GLBA, that govern data by sector or industry.

Here’s just a sample of what’s being proposed:

  • American Data Dissemination (ADD) Act (S. 142)
  • Social Media Privacy and Consumer Rights Act (S. 189)
  • Data Care Act (S. 3744)
  • Consumer Data Protection Act
  • Consumer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act (S. 2639)
  • Information Transparency & Personal Data Control Act (H.R. 6864)
  • Application Privacy, Protection, and Security (APPS) Act (H.R. 6547)
  • Data Broker Accountability and Transparency Act (H.R. 6548 / S. 1815)

To further complicate things, enforcement of whatever gets enacted will also be challenging. While state attorneys general have an important role to play, the Federal Trade Commission (FTC) considers itself the “top cop on the privacy beat.” The FTC has the general power to prohibit “unfair and deceptive trade practices” under Section 5 of the FTC Act, and has attempted to establish a data-security baseline through over sixty (60) enforcement actions. However, companies have begun to push back aggressively against the FTC’s legal authority to police data-security practices, and the FTC has limited jurisdiction over banks, insurance companies, nonprofit entities, and even some internet service providers.

So what’s next?  Does the US become a country with 50 completely different state-run laws, or will we see the federal government step in?  

What we know is this: the twenty-first-century economy will be fueled by personal data. But it is not yet clear what rules will govern this information, with whom the information will be shared, and what protections will be put in place. A baseline data-protection law would provide a legal framework for answering these questions.

The U.S. Congress should join other advanced economies in their approach to data protection by creating a single comprehensive data-protection framework. Meaningful federal laws and regulations should seek to resolve the differences among the existing federal and state legal rights and responsibilities. This would not only simplify compliance for US companies, but would also strengthen and bring the United States in line with emerging data-protection norms. Congress could implement an effective baseline privacy regime with at least the following four qualities.

A simpler and more comprehensive approach to individual digital dignity is warranted, especially after this past year of increasing magnitude of breaches and digital stewardship failures. A baseline privacy framework could ensure that all companies become responsible and ethical stewards of data, bring the United States in line with global standards, and better protect the data of US citizens.


About Dennis Dayman

Dennis Dayman has more than 20 years of experience combating spam, security/privacy issues, data governance issues, and improving email delivery through industry policy, ISP relations and technical solutions. As Return Path’s chief privacy and security officer, Dayman leverages his experience and key relationships to provide best practices to Return Path, its customers, and ensures the compliance of their communications data flows. He is also responsible for coordinating and managing Return Path’s international electronic commerce, privacy and Internet related policy issues.
