Do Not Disturb: Parsing the Privacy Debate in Congress

It’s been a rough week for tech in a year that’s been rough for tech. Twitter disclosed improper sharing of user location data, Apple lost a pivotal antitrust case in the Supreme Court, and Facebook, awaiting a fine upwards of $5 billion for violating a Federal Trade Commission (FTC) consent decree, continues to take punches from both sides of the aisle.

Meanwhile, efforts to create a national privacy framework are ramping up on Capitol Hill. Presidential candidates are also chiming in on reforms they’d like to see. A variety of legislative proposals are being negotiated or are already in the “hopper” and several hearings have been convened on the topic. Lawmakers have identified myriad issues they want to tackle, from consumer data protection and content policing to, more recently, use of antitrust laws to break up social media giants. While there appears to be broad consensus that Congress should do something, there is no agreement yet on what exactly that something should be. This post explores some of the issues Congress may address in a federal privacy framework.

Before we dive in to the issues, let’s begin with an overview of current privacy laws.

Current Privacy Laws

As the Government Accountability Office (GAO) noted in its January 2019 report on Internet Privacy, “The United States does not have a comprehensive Internet privacy law governing the collection, use, and sale or other disclosure of consumers’ personal information.” But there are a number of existing federal laws and regulations that address consumer privacy in a variety of contexts and to varying degrees.

The Privacy Act of 1974 governs how federal agencies collect, maintain, use and disseminate information about individuals. Other laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act, establish rules for the use of personal financial and health information. The Children’s Online Privacy Protection Act (COPPA) restricts the collection of personal information from children under the age of 13 by online services, including websites and apps.

Rules on government and private sector handling of communication records and content can be found in laws such as the Communications Decency Act (CDA), the Federal Wiretap Act, the Stored Communications Act, and the Foreign Intelligence Surveillance Act.

A number of federal agencies, including the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), and the Securities and Exchange Commission (SEC) are empowered to investigate and bring enforcement actions for privacy infractions, fraud, or cyber breaches. According to GAO,

The FTC currently has the lead in overseeing Internet privacy across all industries, with some exceptions. Specifically, FTC addresses consumer concerns about Internet privacy using its broad authority under the FTC Act to protect consumers from unfair and deceptive trade practices. FTC has jurisdiction over a broad range of entities and activities that are part of the Internet economy, including websites, applications (apps), advertising networks, data brokers, device manufacturers, and others. The common carrier exemption in the FTC Act, however, prohibits FTC from taking action against common carriers, such as providers of telecommunications services.

A patchwork of state laws regulate use of consumer data and impose varying notification requirements and remedies following a so-called “data breach.” Most notably, California’s Consumer Privacy Act (CCPA), set to take effect in January 2020, imposes sweeping privacy rules for certain tech businesses in its jurisdiction, potentially covering a large swath of U.S. tech businesses. Similar to the EU’s General Data Protection Regulation (GDPR), the CCPA empowers consumers to reject the sale or retention of their data by tech companies and authorizes sanctions for violations and data breach incidents.

Who Will be Subject to the New Privacy Rules?

It appears, for now at least, that Congress does not intend to upend the existing federal privacy laws noted above, but rather establish new privacy rules for certain online service providers. A task that may be easier said than done.

The role tech companies play in commerce is evolving. Many of the big five -- Facebook, Apple, Amazon, Microsoft and Google (FAAMG), are expanding their businesses into areas governed by existing privacy laws. Amazon is a perfect example, expanding beyond online marketplace to seller, movie and TV producer, online payment provider, smart home pioneer, and prescription drug and health care provider. No doubt consumer data plays a key role in each of these services and while a financial behemoth like Amazon has the resources to comply with multiple laws and regulations, the same cannot be said for small and midsize companies utilizing connected technology to deliver traditional brick-and-mortar products and services.

The breadth and scope of a national privacy framework will therefore hinge on its relationship to existing laws. Will a health care app that currently complies with HIPAA also be subjected to the new privacy rules? Will record-keeping requirements in order to comply with laws such as the Bank Secrecy Act trump a consumer’s right to request deletion of their data?

Notably, the CCPA includes a broad exception to the record deletion right in instances in which the business needs the consumer data to “comply with a legal obligation.” Legislation introduced by Senator Rubio (R-FL) in January exempts businesses from some, but not all, of the existing federal privacy laws. S. 1214, introduced by Senator Markey (D-MA) in April, preserves a laundry list of existing federal privacy laws.

The devil is in the details, or in this case the definitions. While Congress’ focus is online businesses, the use of a broad definition could also capture businesses whose online presence is incidental to its products or services. Many businesses have websites through which visitors can contact the business, sign up for updates, or subscribe to newsletters. Will a restaurant that allows patrons to make a reservation via its website be treated similarly to an app like OpenTable? Will decentralized technologies such as peer-to-peer, distributed apps, and blockchain be treated similarly to centralized platforms?

The various proposals introduced to date also do not distinguish between private and public online platforms thereby liking lumping federal, state and local government sites and public educational institutions together with privately operated platforms, and creating potential conflict with existing laws such as the Privacy Act, the Family Educational Rights and Privacy Act of 1974, or the Children’s Internet Protection Act (which requires certain schools to monitor the online activities of minors).

Coincidentally, this issue reared its head just this week with the launch of a White House website soliciting reports of political bias by social media platforms. The site requires participants to disclose their name, age, citizenship status, and contact information, and agree to an irrevocable license to the government to use certain information disclosed through the site, garnering protests from privacy and consumer advocates.

Businesses of all shapes and sizes will need to pay close attention to the definitions of both covered entities and applicable personal information. Congress will need to take great care in balancing the endowment of rights to consumers with the legitimate legal, cybersecurity, and national security needs of the government and take heed not to overly burden American businesses with cumbersome – or even conflicting – regulatory requirements.

What “Privacy” Rules Will Be Included?

Use of Consumer Data

Consumer notice lies at the heart of the privacy debate. In the aftermath of the Cambridge Analytica scandal, it seems likely that online businesses will, at a minimum, be required to inform their users about the collection, retention and use of their personal data and whether and to what extent that information is shared with or sold to third parties.

On May 21st, the Senate Judiciary Committee will hold a hearing on “Understanding the Digital Advertising Ecosystem and the Impact of Data Privacy and Competition Policy.” Also on the 21st, the Senate Commerce Subcommittee on Communications, Technology, Innovation and the Internet will convene a hearing on “Optimizing for Engagement: Understanding the Use of Persuasive Technology on Internet Platforms.”

Consumer Rights

Running a close second to notice is empowering consumers with certain rights to approve the use of their data (including the sale to or sharing with third parties), to access and correct information, or to compel businesses to delete the information. Some proposals include varying exceptions to these requirements, from narrow public safety exceptions involving death or serious physical injury to broader exceptions to protect against cyber intrusions and identity theft or comply with lawful process.

What appears to be missing, however, is any restriction on consumer rights that conflict with First Amendment free speech protections, something California included in amendments to its CCPA.

Content Policing

Capitol Hill is keenly focused on content policing by online platforms and there is wide disagreement about whether these platforms are doing too little or too much. President Trump and many Hill Republicans argue that platforms, like Twitter and Facebook, are unfairly discriminating against conservatives by removing content or deleting accounts. Democrats, on the other hand, believe these same platforms are not doing enough to remove what they see as offensive content or block terrorist or violent extremist content.

Just this week, Facebook announced new rules restricting access to its Facebook Live feature after the tool was used to livestream the March shootings at New Zealand mosques that killed 51 worshippers. Facebook also joined Microsoft, Google, Twitter, and Amazon in a proposal to combat terrorist content on their platforms.

Legislating on content policing is tricky because once Congress chimes in, the First Amendment kicks in. There’s a LOT of online content that offends at least one person, or is disturbing, or espouses extremist or terrorist views. But the vast majority of it is nonetheless constitutionally protected speech, including, so-called “hate” speech and rhetoric used by ISIS and extremist groups to recruit adherents. So while private businesses can remove users or delete content, including First Amendment-protected content, the government cannot mandate that they do so – or require that they keep content on their platforms.

Some in Congress are also eyeing weakening liability protections for online platforms, namely those provided in Section 230 of the CDA. CDA 230 shields providers from liability for user-posted content but simultaneously empowers them to restrict access to “obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable” material. In April 2018, President Trump signed legislation walking back these liability protections for sex trafficking ads. While Senator Hawley (R-MO) has criticized CDA 230 as enabling social media bias against conservatives, Senator Manchin (D-WV) has expressed support for an opioid exemption to the law.

Up next for content policing is a House Homeland Security hearing on online terrorist content slated for early June.

Enhanced Child Protections

The revelations about the volume of online data collected and shared by tech companies has spurred a renewed focus on the monitoring of minors’ online behavior. Several proposals have already been introduced this session to amend COPPA to require parental consent and deletion of data collected about children under 13.

Facial Recognition

The use of facial recognition, particularly by American police agencies, has longed been surrounded by controversy. This week the San Francisco Board of Supervisors voted to ban the use of the technology by its police department and other government agencies. Some in Congress are also looking to reign in the commercial use of the technology. In March, Senators Blunt (R-MO) and Schatz (D-HI) introduced the Commercial Facial Recognition Privacy Act of 2019, requiring prior user consent for facial recognition collection and sharing.

The House Oversight and Reform Committee will examine this issue on May 22nd at a hearing on “Facial Recognition Technology (Part 1): Its Impact on our Civil Rights and Liberties.”

Antitrust

Presidential candidates including Elizabeth Warren and Bernie Sanders, seizing upon the controversies surrounding Facebook and other tech giants, are calling for the use of antitrust laws to break up what they characterize as tech monopolies. This certainly isn’t a new topic of conversation. Legal experts and commentators have opined about the application of U.S. antitrust laws to the FAAMG. The European Union has thrice levied fines exceeding €8 billion against Google for what it deemed to be anti-competitive practices. It remains to be seen, however, whether Congress will jump aboard the antitrust bandwagon.

Data Breach Notification

Prior to wading into the much larger privacy pool, Congress’ perennial debate centered on national data breach notification rules. According to the National Conference of State Legislatures, “All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.” The private sector has lobbied Congress for years to replace this patchwork of state laws with a uniform national standard. While it may seem logical to include such a standard in a national privacy framework, Congress is split on the issue.

FTC Rulemaking Authority

Congress is also divided, largely along party lines, on the breadth of FTC rulemaking authority, with Democrats okay with granting broad power to the FTC and Republicans preferring the opposite. Ironically, the FTC itself has eschewed the notion of it being left to sort out the details of a national privacy framework.

Preemption of State Laws

That leaves us with arguably the biggest obstacle to privacy legislation – whether a federal privacy law should preempt state laws. This issue has plagued federal data breach notification legislation for over a decade. California congressional Democrats and other Democratic lawmakers generally oppose preemption while Republicans are more open to one national standard. As with data breach, preemption could easily become the iceberg that sinks the privacy ship.

Other issues, such as algorithm bias, AI ethics, and drone policy, could also make their way into a privacy bill. If the length of this blog is any indication, Congress has its work cut out for it if it hopes to produce a federal privacy bill before year’s end.