The Race Is On To Create A Federal Online Privacy Law: First Entry From Reps. Eshoo & Lofgren
from the lots-of-thought,-but-little-chance dept
There’s a race on to have Congress introduce a comprehensive federal privacy law. As you may (or may not?) know, the US really doesn’t have a law protecting our privacy. To date, any privacy protections have been a mixture of other laws, from the defanged 4th Amendment protecting (in theory more than reality) against government intrusion into our private lives, to the FTC’s consumer protection mandates. However, many people recognize that this probably isn’t doing enough to protect privacy in this age — and with the EU taking the lead with the GDPR, it’s become clear that the US needs to put at least something in place. So far, Congress has failed to come up with much, and there’s a bit of a ticking time bomb in the form of California’s hugely problematic CCPA law, which is set to go into effect on January 1st, despite a long list of problems with the law.
So much of the discussion has been around whether or not a new federal law will come into play that pre-empts various states trying to create their own set of privacy laws. Reps. Anna Eshoo and Zoe Lofgren have now announced their entrant into the discussion with their Online Privacy Act. It is quite long and detailed, coming in at 132 pages which I recommend reading. They’ve also created a one page summary of the bill.
The bill is ambitious, detailed and thoughtful… but also has some problems and is not likely to become law. There’s a lot in the bill, but it will create a brand new federal agency, staffed with 1,600 employees, to “enforce users’ privacy rights.” Along those lines, it establishes what those rights are — with much of it pulling from concepts currently found in the GDPR (i.e., rights to access, correct, delete, and download information companies hold about you). There are some opt-in requirements for using your data for things like machine learning (what seems like a response to the kerfuffle over IBM using Flickr images to train facial recognition AI).
The law would also put a bunch of obligations on companies regarding data minimization and also force the companies to be more upfront about what they need particular data for. It would also limit the sale or transfer of personal information. It also criminalizes “doxxing” which it defines as disclosing “personal information with intent to cause harm.” If this became law, that section might run into some 1st Amendment problems.
Part of the “thoughtfulness” of the bill is that Eshoo and Lofgren have clearly heard some of the concerns that were laid out about the GDPR or other approaches to privacy. It includes an exemption for small businesses and then also includes a “ramp up” phase for companies that cross out of the small business realm. I’m always a bit concerned about “small business exemptions” because they lead to weird incentives and not always great outcomes. From a purely efficient standpoint, I tend to think that if the law is written in a manner that requires exempting certain classes of companies, it tends to highlight problems with the overall law itself, though there are some exceptions to that rule.
Importantly, the bill also calls out that it should have no impact on journalism, and acts of journalism (reporting on people) should never be seen as violating the law. That could lead to some conflicting situations within the bill, but hopefully the blanket exemption on journalism would protect journalistic activity.
That said, there are still problems with the bill. The biggest one is that it does not appear to pre-empt state laws, which is kind of the whole reason for introducing a federal law in the first place. I know that some privacy activists have pushed back against state pre-emption, but that by itself makes the bill somewhat useless, because California’s law and other state privacy laws would more or less wipe this law off the books in terms of effectiveness. I understand the thinking that some have put forth that letting states craft their own privacy laws encourages more experimentation and thoughtfulness, but it makes little sense on an internet that crosses all borders. Complying with all state privacy laws is going to be a huge mess — and therefore it seems like a federal law must include pre-emption of state laws for it to be valid.
The bill also includes a private right of action, which is seen by many to be problematic — as it’s going to enable the rise of what are, in effect, privacy trolls. Again, there are reasonable concerns about if it’s only left up to government enforcement that enforcement will be lax, or will suffer from regulatory capture, but leaving open a broad private right of action could have significant problematic consequences. The bill also seems clearly designed to set up certain non-profits to file a bunch of class action privacy lawsuits:
NONPROFIT COLLECTIVE REPRESENTATION.? An individual shall have the right to appoint a nonprofit body, organization, or association which has been properly constituted in accordance with the law, has statutory objectives which are in the public interest, and is active in the field of the protection of individual rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in this Act on his or her behalf.
I worry a bit about the incentive structure there as well. I certainly have faith that groups like EFF would use this particular power wisely and in pursuit of actually protecting our privacy, but there are a number of non-profits out there that would likely take this to ridiculous extremes and immediately go after lots of companies for potentially dubious reasons.
Most reports on this acknowledge that this bill is unlikely to become law. It does not currently have bipartisan support, and the creation of an entirely new government agency, the lack of state pre-emption, and the private right of action have been seen as non-starters for many.
All that said, we’re likely to see a bunch of privacy bills showing up in Congress soon, so it’s worth exploring the details of this one. And, of course, it should be noted that both Lofgren and Eshoo represent parts of Silicon Valley, which might make you assume that the bill is “friendly” to tech companies. Looking through the details, though, and that would be a mistake. While I’m sure some will criticize the bill for not going far enough, this would create a pretty massive overhaul in how online privacy is handled in the US today and would, in effect, create an equivalent of the GDPR. That might still “benefit” large companies in making it more difficult for others and new entrants to compete (even with the small business exemption), but this bill doesn’t do any favors for internet companies.
I do still worry that most of our attempts to regulate privacy fail because we often misunderstand what privacy means, and I do worry that the approach in this bill, as with the GDPR and the CCPA, suggests a static, rather than dynamic internet world, in which the focus is on “limiting” things, rather than recognizing how they might be better enabled by putting more control in the hands of the end users. So much of the structure of this and other bills seems based on the idea that there are central entities “controlling” our data — which may be the case today, but need not necessarily be the case in the future.