US must catch up with rest of the world on data privacy

Current patchwork of often outdated laws offers sparse protections

We need strong federal data privacy laws that would give everyday Americans more control over their personal information, Davis writes.  (Bill Clark/CQ Roll Call file photo)
Posted October 14, 2021 at 6:00am

The U.S. is woefully behind the rest of the world in enacting universal, comprehensive data privacy laws that protect consumers. A messy patchwork of disjointed and woefully outdated laws leaves Americans vulnerable to attacks on their private data.

However, the federal government can learn from other governments, both foreign and domestic, to develop laws that give everyday Americans more control over their personal information.

It would be inaccurate to say that the U.S. does not have laws that protect data. In fact, it has too many. According to The New York Times, the U.S. “has a mix of laws that go by acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA.” How could anyone expect the average American to know the details behind these laws, designed to target specific industries in limited (and often outdated) circumstances, much less know what any one of these acronyms stands for?

You can rest assured that your VHS rental records will never be leaked, thanks to the Video Privacy Protection Act, or VPPA, passed in 1988. But what’s deeply concerning is how little protection these laws offer Americans in the 21st century with far more prevalent and pervasive technologies. In most states, companies can use, share or sell your data without your consent and are not required to notify you if your data has been breached.

Around the world, governments have taken concrete steps to enact data privacy legislation. The European Union’s General Data Protection Regulation, which became effective in 2018, is both a consumer data privacy law and a data security law. It gives individuals the right to access and delete data, correct incorrect data, and opt out of processing at any time. The GDPR also requires explicit consent when consumers hand over their data.

Brazil, inspired by the GDPR, followed suit, passing the General Data Protection Law, which took effect last year. And in August, our chief adversary, China, passed the Personal Information Protection Law, a comprehensive set of rules around data collection, processing and protection. Isn’t something wrong when even China is reining in Big Tech and enacting tougher data privacy laws than the United States? 

While other parts of the world have tackled this important and pressing issue, the U.S. doesn’t need to look further than our own “laboratories of democracy” — state governments. While the current number of states that have comprehensive data privacy laws may seem small (California, Colorado and Virginia), there’s been a sizable increase in interest from other states in a relatively short amount of time. The International Association of Privacy Professionals counts six states actively considering legislation and another 17 that have considered legislation.

The California Consumer Privacy Act, or CCPA, which was signed into law in 2018 and became effective last year, shares many similarities with the EU’s GDPR and has been called the “most comprehensive internet-focused data privacy legislation in the U.S.” Like the GDPR, consumers can access and delete data and opt out of processing at any time. However, consumers cannot correct incorrect data, and while the GDPR explicitly requires consent, the CCPA only requires a privacy notice to be made available informing consumers of their right to opt out.

Experts identify four basic protections that should be considered when weighing data privacy legislation: data collection and sharing rights; opt-in consent; data minimization and nondiscrimination; and no data-use discrimination. Beyond that, a comprehensive notification law, which would codify what happens when a data breach takes place, is strongly encouraged. A hotly contested provision, “private right of action,” which would allow an individual to sue a company over privacy violations, has led to some legislation stalling in the states. But some argue that this provision may not be needed so long as there’s adequate enforcement behind the laws. And while experts would prefer an opt-in consent model, the ability to use browser extensions or other tools that opt out automatically may be a welcome compromise.

The best way to protect consumer data privacy may be through more competition and a concept called data portability. At the federal level, Reps. David Cicilline, D-R.I., Ken Buck, R-Colo., Mary Gay Scanlon, D-Pa., and Burgess Owens, R-Utah, are championing bipartisan legislation approved by the House Judiciary Committee that would allow users to seamlessly move their data from one platform to another. The ACCESS Act would empower consumers to reward tech companies that respect their data and punish those that don’t.

While this is an ever-evolving issue, the U.S. cannot afford to fall further behind. Losing out to China on yet another issue could be catastrophic for America’s future. Many governments have risen to the occasion to address this important matter, and, while no solutions are perfect, these actions signal they are serious about addressing this public safety issue. The U.S. should follow suit.

Mike Davis is the founder and president of the Internet Accountability Project, a conservative grassroots advocacy organization that opposes Big Tech and seeks to hold these companies accountable for their bad acts. He was previously chief counsel for nominations on the Senate Judiciary Committee under the chairmanship of Sen. Charles E. Grassley, R-Iowa.