Rob Shavell, Co-Founder and CEO of Abine/DeleteMe, discusses how “local & limited” privacy laws will shape the future of national privacy legislation
Outlined in legal commentaries such as The Right to Privacy as far back as 1890, a “right to be left alone” has long been a characteristic part of the American experience. Unfortunately, over the last 20 years or so, this right has been severely undermined and gone increasingly undefended. With legislation lagging behind technological capability, it is often much easier for social media giants or data brokers to collect and abuse an individual’s personal information than for that same person to prevent them from doing so.
As far as consumer data protection in the digital realm goes, however, the US federal government has so far been conspicuously absent. Catalyzed by events like the Cambridge Analytica scandal, the passing of GDPR in the EU, and corporate support for privacy, the US government’s rollout of a GDPR-esque law for its citizens has been “coming soon” for years. Though there has been no shortage of proposals for federal privacy legislation across the political divide, a top-down protective package for US citizens still seems elusive.
However, that’s not to say that privacy protection is not happening; reform is just taking a different path. Rather than coming down from the federal government, robust privacy protections are being put in place not only at the state level but also in governance at its most fundamental—both municipally and locally. With privacy protection increasingly rising from the bottom up, consumers may actually get far better protection than any presumed federal legislation might deliver.
A watered-down US GDPR is not in consumers’ best interest
Since the GDPR came into effect in the EU in 2018, its influence on the US data protection debate cannot be ignored. The law made numerous US-based companies trading in the EU subject to its regulations, but also directly influenced comprehensive laws passed in states like California and Virginia. However, while the development of GDPR has undoubtedly had a positive impact on US data protection, copy-and-pasting the “toughest privacy and security law in the world” was never going to be as realistic or as beneficial in the US as perhaps was hoped.
The main reason for that is that the US is intrinsically different from the EU. Legislation around issues like privacy at the state level frequently moves at different speeds and in different directions—the fact that a state like California jumped the gun to provide privacy protection to its residents is a testament to that. But a perennially polarised US Congress also means getting a comprehensive piece of data protection legislation passed at the national level is both an immense political challenge and an ultimately reductive process.
It’s not necessarily that there is a shortage of political desire to enact greater consumer privacy protection. Representatives from all parties are broadly in agreement that consumers need better defence against violations of their personal information. But even at a glance, the various pieces of proposed legislation that aim to do this—such as the Republican-led SAFE DATA Act and the Democrats’ COPRA bill—differ significantly. Divisive issues, such as whether consumers have a private right of action (like the GDPR and the CPRA) or which businesses would be eligible for coverage, present potential stumbling blocks.
This means that any piece of federal data protection legislation that manages to pass through Congress will be unlikely to please everyone. For consumers, federal privacy reform that happens too quickly may result in something significantly weaker than the GDPR, or even existing state-level equivalents.
Real privacy reform is happening at the local level
The obvious counterbalance to the problem is the quickening march of state-level legislation. Rather than waiting for a central federal-level privacy law, a few states are taking matters into their own hands. California, with the CCPA, was the first US state to pass consumer privacy legislation back in 2018. Strengthened by its recently passed CPRA, the state’s privacy protections have become by far the strongest in the country. Others, like Colorado and Virginia, have since followed suit with similar legislation, while other pieces of legislation are in progress nationwide.
But even more powerful privacy protections are increasingly being implemented at the local level, often with greater immediate impact. Laws based around single issues, like facial recognition or biometric data, can profoundly impact the present and future of consumer privacy. For example, in King County, Washington State, the local legislature recently passed a law prohibiting its offices (including law enforcement) from using facial recognition outside of searches for missing children. The law’s passing will impact two million people within the county, including Seattle, and create a template for similar actions nationwide. Case in point, Baltimore’s city council, likely inspired by King County’s initiative, voted in June to effectively ban any entity, public or private, from using facial recognition technology.
At the state level, issue-specific privacy legislation is also giving consumers real protection against potential abuse of their data. In Illinois, the Biometric Information Privacy Act (BIPA), passed in 2008, has already extended far-reaching restrictions on collecting and using biometric data within the state. Critically, this law has been tested in court and is setting a legal precedent for enforcing privacy protection within the US as a whole. Similarly, New York has restricted geolocation data within particular use cases, such as insurance customer profiling.
Local laws help build better federal privacy
The rising tide of lower-level privacy laws may seem relatively insignificant against the urgent need to enact federal-level protection for consumer privacy. However, each new piece of legislation is still a vital step toward genuine consumer protection. As more facets of consumer privacy get legal recognition and protection, the privacy bar rises, and when local-level laws are successfully tested in court, their existence increases the pressure on abusers of privacy far beyond the areas where they are put into action.
Whenever new protection for consumer privacy comes into play, any future federal legislation will both have to cover more ground and provide consumers with greater protection.