Privacy SOS

A data privacy battle is heating up in Congress. Here’s what to watch for.

Last week, tech industry giants testified before the Senate Committee on Commerce, Science, and Transportation about how the federal government should safeguard consumer privacy—and not a single consumer advocate was invited. Apparently fearful of meaningful state action that could tie the hands of Silicon Valley behemoths, companies urged Congress to pass a federal law that would take power from the states, in a legal move known as preemption.

Each of the companies represented at the hearing (Google, Amazon, Apple, Charter, AT&T and Twitter) collects and processes billions of sensitive records about people in the United States, yet remains almost entirely unregulated in this country. Last week’s hearing marks a turning point in the debate around consumer privacy in Congress. After years of resisting calls for regulation, the companies appear shaken by the European Union’s General Data Protection Regulation (GDPR) and state efforts, and are finally speaking up in support of a federal data privacy law. Unfortunately, as usual, the devil will be in the details—and, facing some of the most powerful companies on earth, it’s not clear Congress is ready to meet the challenge.

The worst-case scenario is that Congress, lobbied into submission and out of its depth, will pass a weak federal law that forbids states from enacting stronger protections. Thus far, the most nationally influential state to have seriously grappled with these issues is California. And if California’s experience is a harbinger of what’s to come in other states and at the federal level, consumers should be very, very concerned.

Consumers must have the power to control the way their data is shared, retained, and used, and be able to move their data from one platform to another at will. But after sustained lobbying by tech companies weakened the original proposal, California’s AB 375, which became law this past summer, merely requires that companies notify consumers about how their data will be used. Importantly, the law does not require them to obtain consent for any data collection, or give consumers enhanced rights that would allow them to limit the ways tech companies can use their data once it’s been collected. The law requires companies to delete consumer data upon request, but huge loopholes permit companies to retain such information for research, security, and other purposes even if consumers ask that it be erased. Ultimately, AB 375 fails to give consumers the control they deserve by letting companies collect consumer data without consent.

Any federal law aiming to protect consumers from a corporate digital dragnet must do better.

The Senate hearing last week demonstrated that Congress is taking the need for a federal data protection law seriously. But in order for Congress to take meaningful action, it is imperative that consumer advocates be heard. At a minimum, any federal data privacy law should be stronger than existing state laws and establish:

    • A prohibition on using data to discriminate through automated decision making, ad targeting, “pay-for-privacy” or other schemes;
    • Consent and clear and comprehensive notice requirements mandating that consumers are informed about how their data will be used in terms the average person can understand and read in a reasonable amount of time before collection or use;
    • Data portability standards which give consumers power to use and move data to exercise greater self-determination; and
    • Strong cyber security protections, including limits on data collection and effective consequences – including a private right of action.

The conversation about data privacy is happening in our nation’s capital because consumers are demanding it. The federal government is doing catch-up work here. Many states already protect consumer data, student data, children’s information, and biometric data. As a consequence, any federal legislation Congress contemplates must reject compromises to consumer civil rights and civil liberties and act as a floor, not a ceiling, to privacy protections in the United States. In other words, even if Congress passes a data privacy law, the states should retain the authority to pass stronger protections, if that’s what people in those states want.

Tech companies appear to be terrified of what people want, and are calling for preemption because it would put a cap on consumer power. Congress should not fall for these companies’ exaggerations of the cost of compliance, or claims that state laws force them to navigate an unmanageable “patchwork.” Data protection laws are no different from the “patchwork” of employment, tax, and commercial laws with which these companies are already expected to comply. The only difference here is that tech companies seek to control the narrative, and the scary part is that Congress just might let them. That’s why we must stay engaged, pay close attention, and be ready to call on our lawmakers to do the right thing. Our collective future may depend on it.

This blog post was co-authored by Kade Crockford and Siri Nelson.

© 2018 ACLU of Massachusetts.