17 December 2022
Data privacy laws are some of the most out-of-date laws in the nation. There is no single comprehensive bill that covers privacy and data collection for the entire country.
Only three states have bills that cover consumer protection for privacy and data: California, Virginia, and Colorado. However, these laws only apply to the citizens that live in each state. These laws follow the same general outline: websites have to inform consumers that they are selling your data and provide an opt out option of this. California goes further than the other two states by enabling citizens with the right to sue companies for specific types of data losses, and it created a universal opt out instead of forcing consumers to click to opt out on each site. Meanwhile, Virginia’s law was created with the help of Amazon and other big companies, which lessened the impact and force of the law by offering more protections to these companies.[i] [ii]
Many people are unaware that their data is being taken and sold. Companies openly advertise that they possess data, from demographic information to real-time locations, on millions of Americans, along with data on first responders, government workers, and military personnel. There are many companies that make money selling and collecting data, and companies of all sizes buy this data. This is all legal. There are not many restrictions placed on companies regarding the handling of data with people’s personal information. One important consequence of this is the police routinely buying data on people’s GPS locations, circumventing a warrant when they argue it takes too long to legally acquire. However, there is the risk that the police start obtaining the location of everyone, not just the criminals they are pursuing. Another important consequence is that dangerous people are able to buy data that reveals others’ locations and personal information, exemplified by a situation in 2020 when a man bought the information of a judge that he had appeared before. He stalked her, then shot her son and husband, killing the son and injuring the father.[iii]
Many of the giant tech firms claim they do not sell user’s data; however, many companies have found ways around this statement. Most basically, they have ads that include links to other websites that take your data. Many of the ads are targeted towards specific audiences, so advertisers can infer that the person fits into the audience. The advertiser can then find the person’s IP address and device ID, which allows the advertiser to identify the person. Another method of selling data is through real-time bidding. Companies, like Google, sell the ad space on their websites microseconds before you visit the website. However, in order to do this, they give the advertisers personal information about you, like your location and interests, which some of the advertisers will take and sell to other companies. This process is completely legal.[iv]
Lobbying by companies has played a huge role in the obstruction of a big change in data privacy law. Congress has been considering the American Data Privacy and Protection Act for the past few months. Controversially, many lawmakers wanted to include a right for citizens to sue companies for certain types of data breaches, also known as a private right of action. Lobbyists on the side of companies argue that people will be rushing to sue these companies, causing them to get bogged down. The language of the legislation has already been changed. The delay of the enforcement of the private right of action has been shortened from four years to two years.
However, some changes have been made in favor of the companies. First, an authentication process was added to the opt out policy, which some advocates argued weakened the law and granted companies the ability to not honor the law. This means that each consumer would have to look for the opt out selection on every website they visit, making it more difficult for the consumer and more likely that companies will obtain personal data.
As another win for data protection, the legislation granted enforcement to the Federal Trade Commission (FTC), removing this right from the Federal Communications Commission (FCC). The FTC has fewer powers than the FCC, which is well experienced in handling privacy enforcement for media industries and was already experienced in regulating the data industry. [v]
Data vendors also pose a big threat to national security. Foreign countries and enemies of the United States are able to purchase large amounts of data on Americans with ease. Some foreign governments already collect data on many American citizens to improve their intelligence, military, and democratic capabilities. There have been reports of Chinese companies collecting large amounts of data about persons worldwide, including Americans. It was also reported that the Chinese government used stolen data to expose CIA agents in Europe and Africa. The unregulated sales of large amounts of data are an incredible national security risk and an imminent threat to American citizens. [vi]
There is a desperate need for Congress to the pass the American Data Privacy and Protection Act. The lack of regulation and oversight by the American government should be concerning to its citizens. Many consumers are unaware that their data is being taken and sold. It has become a free-for-all in terms of who can buy the data of millions of Americans. This infringes on the privacy and security of all Americans and poses a national threat to U.S. security, as there is the possibility that foreign countries could purchase the data through third parties.
[i] “The State of Consumer Data Privacy Laws in the US (and Why It Matters).” The New York Times. The New York Times, September 6, 2021. https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.
[ii] Feathers, Todd, Todd Feathers, Todd Feathers, Enterprise Reporter, and Enterprise Reporter. “Big Tech Is Pushing States to Pass Privacy Laws, and Yes, You Should Be Suspicious – the Markup.” Big Tech Is Pushing States to Pass Privacy Laws, and Yes, You Should Be Suspicious – The Markup. Accessed November 29, 2022. https://themarkup.org/privacy/2021/04/15/big-tech-is-pushing-states-to-pass-privacy-laws-and-yes-you-should-be-suspicious.
[iii] Birnbaum, Emily. “Big Tech’s Biggest Threats from States, from Washington to Florida.” Protocol. Protocol, March 4, 2021. https://www.protocol.com/policy/virginia-maryland-washington-big-tech.
[iv] Ng, Alfred, Alfred Ng, Alfred Ng, Reporter, and Reporter. “What Does It Actually Mean When a Company Says, ‘We Do Not Sell Your Data’? – the Markup.” What Does It Actually Mean When a Company Says, “We Do Not Sell Your Data”? – The Markup. Accessed November 29, 2022. https://themarkup.org/the-breakdown/2021/09/02/what-does-it-actually-mean-when-a-company-says-we-do-not-sell-your-data.
[v] David Stauss, Shelby Dolen. “Analyzing the American Data Privacy and Protection Act’s Private Right of Action.” Byte Back, August 2, 2022. https://www.bytebacklaw.com/2022/08/analyzing-the-american-data-privacy-and-protection-acts-private-right-of-action/.
[vi] “The Open Data Market and Risks to National Security.” Lawfare, February 3, 2022. https://www.lawfareblog.com/open-data-market-and-risks-national-security.
Image via Pexels Free Photos.
Policy & Political Review 