Eakinomics:
Rationalizing Privacy Protections
With the arrival of the digital age has come an increased awareness of the importance
of privacy protections. Unfortunately, the legal infrastructure for privacy
issues has not kept pace. There is now a patchwork of state laws and federal
regulations that is difficult to navigate. The straightforward solution is a
federal privacy law to standardize data collection and usage practices,
thereby providing clear guidelines to both consumers and businesses.
Today the House Energy and Commerce Committee will mark up the American Data
Privacy and Protection Act (ADPPA), a bipartisan agreement (the jury is still
out in the Senate). AAF’s Jeffrey Westling took a look at an early
version here (and a summary of recent
changes is here), but the bill has two main
approaches to protecting consumer privacy: duties on entities that collect data
and rights for individuals whose data is collected.
On the former, Westling notes: “the legislation would create a duty of
loyalty for any entity or person that collects data (denoted as “covered
entities” in the legislation); this would prohibit the collection of data
beyond what is reasonably necessary, proportionate, and limited to provide or
maintain a specific product or service requested by an individual or a
communication to the individual reasonably anticipated within the context of
the relationship.”
On the latter, he writes: “the ADPPA would also create consumer data rights to
ensure consumers can find out what data is being collected from them and how
it is being used. Moreover, these ‘data ownership’ rights would allow
individuals to access, correct, delete, and transfer their data to different
services.”
To be clear, nobody is entirely happy with the ADPPA; that is the nature of
bipartisan compromise. In particular, it includes a fairly expansive private
right of action which plaintiffs’ lawyers will surely exploit to bring
frivolous lawsuits and drive up costs for companies. Also, the federal law
preempts state laws, but contains numerous exceptions that may still allow
states to impose additional compliance costs on businesses. Weirdly, the
California Privacy Protection Agency – created to enforce California’s
privacy law – is somehow given authority to enforce ADPPA, as it would the
California law. Finally, while the bill would theoretically create a single
framework, there is still some confusion over the authority of the Federal
Communications Commission, which could lead to overlapping jurisdiction and
duplicative frameworks for telecommunications companies.
Eakinomics has been predicting federal privacy legislation for the past two
Congresses because it is “obvious” that there needs to be a single federal
standard. The ADPPA may not be the right solution, but it does seem that past
performance may not be a good predictor of future outcomes, and privacy
legislation may finally get over the finish line.