By: Paul Andersen
With the almost complete adoption of personal computers, mobile phones, the significant increase in consumer products that can connect to the internet, and approximately 4.7 billion social media users, consumer data has become a source of substantial income for companies worldwide. With the increase in this data’s value and demand, consumers and government agencies are seeking comprehensive legislation regulating the collection, use, and sale of their data. While China and countries in the European Union (“EU”) have implemented comprehensive data privacy and protection laws, the United States’ (“U.S.”) attempts to pass comprehensive federal data privacy legislation have consistently failed since the 1970s. The inability to pass federal legislation has resulted in a “patchwork” approach involving sector-specific federal privacy laws and state-driven privacy legislation that the American Data Privacy and Protection Act is intended to replace.
The U.S. sector-specific federal privacy laws protect consumers by regulating certain financial data, healthcare data, telecommunications data, and data gathered by the government. While these laws provide specific protections, they are limited in scope, and there is no central agency responsible for enforcing compliance. The government's primary attempt to address these deficiencies has been to empower the Federal Trade Commission ("FTC") to bring enforcement actions against companies under its authority over deceptive and unfair business practices. The FTC has interpreted deceptive and unfair practices broadly to include a company's failure to follow its own published data collection, privacy, and security policies. While the FTC has actively pursued such cases, most data privacy protections, where they exist at all, are at the state level, and only five states (California, Colorado, Connecticut, Utah, and Virginia) have comprehensive privacy laws. The lack of uniformity in state legislation and enforcement agencies, inconsistent decisions about whether to provide a private right of action, and the absence of comprehensive legislation across all fifty states have left consumers and companies questioning what they are expected to comply with and how much compliance will cost.
Comparatively, China and the EU have led the development of comprehensive data privacy laws. In the EU, the General Data Protection Regulation ("GDPR") became enforceable in May 2018. GDPR Recitals 23, 24, and 25 extend its reach to any entity, regardless of where it is located, that targets or collects data from people in EU Member States. The GDPR requires entities to follow seven data protection and accountability principles:
- “Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject;”
- “Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.”
- “Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.”
- “Accuracy — You must keep personal data accurate and up to date.”
- “Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.”
- “Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).”
- "Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles."
The GDPR enforces these standards by requiring entities to obtain "freely given, specific, informed and unambiguous consent" and to communicate with users in a "transparent, intelligible and easily accessible form." Further, when data is collected, entities must share specific information with users: the entity's identity, contact details, data protection officer contact details, the purpose and legal basis for the collection, the recipients of the data, how long it will be stored, the user's right to request that the data be erased, the user's right to portability, the user's right to correct inaccurate information, the user's right to object to processing, and the user's right to be informed when the data is used for a new purpose other than the one originally stated. Finally, entities must take "appropriate technical and organizational measures" to protect the data. Entities that violate the GDPR face fines of up to 4% of their global annual turnover or €20 million, whichever is higher. EU data protection authorities have been quick to act on alleged violations, as highlighted by recent actions against companies like Meta.
China implemented its first national cybersecurity law, the Network Security Law of the People's Republic of China (commonly translated as the Cybersecurity Law), in 2017. This law imposed strict personal data protection requirements, specifically requiring network operators in China to:
- State the purposes, means, and scope for collecting or using information.
- Obtain the informed consent of the persons whose data is gathered.
- Establish information protection systems to strictly maintain the confidentiality of users whose data is collected.
- Only gather data related to the services provided to users.
- Not disclose, tamper with, or destroy user information or provide collected information to others without user consent.
- Inform users and take remedial measures when personal data is "leak[ed], destroy[ed], or lo[st]."
- Not illegally acquire, sell, or provide personal user data.
In the fall of 2021, China built on these protections when the Data Security Law ("DSL") and the Personal Information Protection Law ("PIPL") took effect. The DSL established significant collection and protection requirements for entities handling "core data," meaning data related to national security, the national economy, important aspects of people's livelihoods, major public interests, and the like. It also expanded the set of entities required to follow these laws from the companies initially collecting data to all intermediary services using personal data for commercial purposes. The PIPL was modeled after the GDPR and applies to the collection, use, transmission, and deletion of "personal information." The law defines "personal information" as "all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling." It requires all entities to obtain an individual's informed consent, with some exceptions for contractual necessity, emergency situations, and information already in the public domain. Further, entities collecting "sensitive personal information," which covers information relating to an "individual's biometric characteristics, religious beliefs, medical health, financial accounts, individual location tracking, and information about minors under 14," must also demonstrate the specific purpose and necessity of that collection and follow strict data protection measures. While the extent of China's enforcement of these laws remains to be seen, violations carry significant fines.
The United States’ most recent attempt to catch up to China and the EU, and avoid a “patchwork” state-level approach to data privacy, was the introduction of H.R. 8152 - The American Data Privacy and Protection Act on June 21, 2022. This act would require covered entities to:
If passed in its current form, the bill would prioritize consumer privacy interests over individual company and state-specific interests. First, the bill establishes the FTC as the federal enforcement agency and state attorneys general as the state enforcement agencies. It also empowers the FTC to issue federal regulations governing compliance with the Act. While these measures give consumers a central enforcement entity at the federal and state levels and allow the regulations to evolve, companies would likely have less influence over the federal rulemaking process than they have over state-level legislation. Second, beginning four years after enactment, individuals could bring civil private rights of action for violations. Fears that such suits would cripple companies are a significant reason federal legislation has failed previously. Third, the bill preempts almost all state laws covered by its provisions. While this preemption gives consumers uniform protections, enforcement measures, and potential remedies, it may result in less buy-in from companies because the blanket approach ignores their priorities. Historically, these negative perceptions of private rights of action and blanket regulation have led many lawmakers to vote against federal data privacy legislation.
What remains to be seen is whether the current version, or any version, will pass the House and Senate. While this is the first comprehensive data privacy bill to pass through committee, states with comprehensive data privacy laws are hesitant to support it because they fear complete preemption will stop them from implementing more stringent requirements and inhibit innovation. However, the current bipartisan draft indicates a willingness to provide limited waivers to assuage these concerns. Additionally, the sticking point for many representatives is whether, and when, private rights of action should be allowed, given their impact on businesses. Even with these uncertainties, many believe there is positive momentum to pass a version of the bill this term. Still, the Act's fate will likely be determined by whether representatives choose to respond to consumer demands for data privacy or to businesses' desire for more hands-off regulation this election cycle.