Full of Holes: Federal Law Leaves Americans’ Personal Data Exposed

Today, the House Energy & Commerce Subcommittee on Innovation, Data, and Commerce will hold a hearing on how a federal privacy law would fill gaps to protect Americans’ personal information. 

Infographic depicting sectoral privacy laws in US

Those gaps are massive. There is no comprehensive federal law in the US governing the collection and use of personal data. Instead, some types and uses of data are regulated by sector-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA) and others, while many types of data are not protected at all. There are three overarching problems with this approach:

  1. A sectoral approach leaves huge gaps in protections that have allowed the expansion of data collection and abuse across many different sectors, most notably online services;
  2. The protections in the existing sectoral laws are actually quite narrow and limited, so even the types of data that are covered by these laws do not have adequate protection – many are based on an outdated notice-and-choice framework;
  3. A sectoral approach leads to confusion by the public about what types of personal data are protected. For example, many people assume that HIPAA covers their health information generally, when in fact most of the health data collected outside of the doctor/patient or insurance relationship is not covered by HIPAA. 

In order to fill some of the gaps left by federal sectoral privacy laws, the Federal Trade Commission (FTC) has used its authority under the FTC Act, passed in 1914. The FTC’s mandate includes the power to prohibit unfair and deceptive trade practices, including the unfair and deceptive collection, use, or transfer of personal data. The Commission is also responsible for combating unfair methods of competition and has specific authority to enforce and issue rules under several targeted privacy laws. However, the FTC does not have sufficient regulatory or penalty authorities to address the privacy threats posed by modern internet services, and there are significant limitations in the patchwork of data protection authorities at the FTC’s disposal. For example, the procedures by which the FTC can define unfair and deceptive practices are unnecessarily onerous, and the Commission is limited in its ability to penalize first-time data protection offenders.

The US needs a comprehensive, coherent approach to privacy and data protection. A recent study from the Irish Council for Civil Liberties (ICCL) found that the Real-Time Bidding (RTB) market, which is the engine that tracks and shares what people view online and their location in order to drive targeted advertising, alone exposes the average American’s data 747 times per day. This means U.S. Internet users’ online activity and location is being tracked and disclosed 107 trillion times per year. ICCL cited some dangerous examples of the use of this data:

There is no way to restrict the use of RTB data after it is broadcast. Data brokers used it to profile Black Lives…
