Bloomberg Law: Data Protection Leaders Differ on Powers of New US Privacy Law 

Alan Butler of the Electronic Privacy Information Center and Hayley Tsukayama of the Electronic Frontier Foundation argue for and against the need for an overriding federal privacy law. 

In the absence of a federal data privacy law, seven states (California, Colorado, Connecticut, Utah, Virginia, Iowa, and most recently Indiana) have adopted consumer data privacy laws of their own. But this patchwork system—and the gaps it creates—has prompted some lawmakers and advocates to push for a uniform data privacy system for the entire US. 

The American Data Privacy and Protection Act aimed to create a uniform law, but it stalled in Congress last year despite bipartisan backing and has yet to be reintroduced. The legislation prompts ongoing questions about whether a federal law should take precedence over existing state laws. Two data privacy experts offer their perspectives on the issue. 


IAPP: Privacy professionals need to be aware of tech abuse 

“Traditional privacy and data security practices are designed to keep out strangers attempting to defraud the victim,” Electronic Privacy Information Center Fellow Chris Frascella said. He authored EPIC’s comments on the U.S. Federal Communications Commission regulations to implement the act. Such approaches frequently fail in the context of tech abuse. 


SC Media: Privacy nonprofit calls on FTC to investigate Grindr’s data practices 

The Electronic Privacy Information Center’s (EPIC) complaint lays out Grindr’s history of compromising users’ privacy and safety, pointing most recently to allegations made by the app’s former chief privacy officer, Ronald De Jesus, who is suing the company for wrongful termination. 

De Jesus’s suit, filed in June, alleges that Grindr fired him after he alerted executives to rampant violations of the company’s privacy policy, according to EPIC’s complaint. 


The Washington Post: Worried about the 23andMe hack? Here’s what you can do. 

23andMe said it didn’t find any evidence of a “data security incident” in last week’s leak, a distinction it drew because the information hackers gathered was available to opted-in users. But putting the burden on consumers to protect their own sensitive data with strong passwords and careful management is wrongheaded, said Suzanne Bernstein, a law fellow at digital rights nonprofit Electronic Privacy Information Center. 

“If 23andMe is collecting, storing and processing a tremendous amount of very highly sensitive personal data, I think at the end of the day they should take responsibility for that,” she said. 

The solution, according to Bernstein, is not to expect consumers to evaluate each company by sifting through long and hard-to-understand privacy policies — but for lawmakers to pass and enforce tough privacy and security rules that companies can’t wriggle around. 



EPIC Emphasizes Need for Audits, Enforcement in Rollout of FCC’s Cybersecurity Requirements

On Monday, EPIC applauded the Federal Communications Commission for its proposal to require telecom companies that provide U.S.-international service to certify that they are following basic cybersecurity standards, such as the Cybersecurity Framework developed by the National Institute of Standards and Technology. EPIC emphasized the importance of independent and thorough annual audits, of consistent enforcement for deficient or false certifications, and of ultimately requiring all providers (not just those seeking to maintain their international operating authority) to follow basic cybersecurity best practices.

EPIC outlined how bad data breaches have become, including in the telecom sector, the impact of poor cybersecurity and privacy practices on consumer trust, and the priority the White House has placed on remedying this problem through its National Cybersecurity Strategy. EPIC urged the FCC to require that auditors be independent and conduct actual testing of the effectiveness of a company’s cybersecurity measures, not merely interview staff about the measures that company claims to have implemented. Similarly, because the FCC would not require anything more than a certification from each company that it is following the standard, EPIC urged the agency to bring enforcement actions for deficient or false certifications. Some commenters challenged the FCC’s authority to impose this requirement; EPIC responded to many of these challenges, such as those based in the Major Questions doctrine and the Congressional Review Act, in support of the Commission’s proposal, and noted that this must not be the Commission’s final effort in seeking to improve cybersecurity in the telecom sector.

EPIC regularly comments on regulations and testifies on policies to promote better cybersecurity practices that protect consumer data from unauthorized access and other misuse.


EPIC Again Urges FTC to Regulate Surveillance Companies Using Government Agencies for Endorsements

In comments filed Friday, EPIC urged the Federal Trade Commission to explicitly include endorsements from police departments and other government agencies in the agency’s latest proposed rule regulating corporate responsibility for misleading consumer reviews and endorsements. EPIC’s comments proposed changes to the rule that would ensure it covers non-natural persons making endorsements, like government agencies and third-party companies.

EPIC also expanded on previous comments highlighting how surveillance technology companies like Amazon Ring, ALPR-maker Flock, and Taser-maker Axon leverage public-sector endorsements to make unsupported claims about their products’ effectiveness, safety, and crime prevention features.

EPIC has published reports and filed amicus briefs regarding technology that has not substantiated its explicit crime reduction claims or implicit accuracy claims, petitioned the FTC for rulemaking regarding the privacy and security of consumer data, and filed comments in support of more robust disclosures by law enforcement organizations regarding their use of surveillance technology.


In Acheson Hotels v. Laufer, a Dangerous Opportunity for SCOTUS to Make it Harder to Establish Informational Standing

This morning, the Supreme Court will hear argument in an interesting—and, unfortunately, salacious—case about Article III standing. Acheson Hotels v. Laufer is about whether a person with disabilities has the right to sue a hotel when the hotel fails to provide accessibility information on their website as required by the Americans with Disabilities Act, or ADA. 

The Constitution gives federal courts jurisdiction to hear “case[s] or controvers[ies].” From these three words, the Supreme Court has spun a complex doctrine that requires plaintiffs to allege that they have suffered (1) an actual or imminent injury (2) that can be fairly traced to the actions of the defendant and (3) can be redressed by a favorable ruling of the court. For the injury prong, plaintiffs must show that their injury is both particularized—that is, they are the ones who suffered the injury—and concrete—which, following Transunion v. Ramirez, essentially means that the injury is sufficiently analogous to one traditionally recognized in American courts. 

Article III standing was originally proposed as a means of testing whether the federal courts were infringing on the policymaking authority of the legislative and executive branches. But in cases like Acheson Hotels, the purpose of Article III standing has been flipped on its head, and instead of preventing courts from infringing on the powers of the other branches, it instead is used to do just that by denying plaintiffs a forum to vindicate rights granted them by the legislature. 

Laufer claims that she suffered two injuries from Acheson Hotels’ failure to provide her with accessibility information: an informational harm from the denial of information itself and a stigmatic or dignitary harm from experiencing discrimination based on her status as a person with disabilities. Both of these harms have long been recognized in American courts, mostly in the context of the First and Fourteenth Amendments. 

Defendant Acheson Hotels argues that Laufer did not suffer any injury because she is a “tester.” Testers are people who test compliance with civil rights laws by purposefully subjecting themselves to potential discrimination. In a case called Havens Realty Corp. v. Coleman, the Supreme Court announced that testers have standing to bring civil rights claims. Like Laufer, the plaintiff in Havens Realty sought information that they had no plans to use. But Acheson Hotels says their case is different because the Court’s thinking on informational standing has evolved. And Laufer was discriminated against online.

Unlike the plaintiff in Havens Realty, a representative at Acheson Hotels did not personally refuse to provide information to Laufer. Instead, Laufer navigated to Acheson Hotels’ website, looked for the accessibility information, and found none. Acheson Hotels maintains that Laufer merely observed a lack of information, and thus merely observed a harm that could potentially impact someone else who actually wanted to make a reservation at the hotel. But Laufer was not a mere observer—she was a user of the Acheson Hotels website, and as a user, personally experienced both the denial of information to which she had a right and the dignitary harm that comes from being discriminated against. 

Acheson…