Why a U.S. federal privacy law could be worse than no law at all
Congress could help provide long-awaited privacy protections for Americans, but it also risks halting important experimentation.
Supreme Court Justice Louis Brandeis called privacy the “right to be let alone.” Perhaps Congress should give states trying to protect consumer data the same right.
For years, a gridlocked Congress ignored privacy, apart from occasionally scolding companies such as Equifax and Marriott after their major data breaches. In its absence, states have taken the lead in experimenting with privacy-related laws.
California, for example, recently passed legislation giving citizens the right to know what data businesses have on them – and to block the information’s sale to third parties. It’s the first of its kind in the U.S. and has prompted lawmakers in other states to try to follow suit.
That’s gotten the attention of businesses, especially in tech, which have been lobbying Congress to preempt a possible patchwork of state laws with what could amount to a weaker federal one. Some observers predict this could be that rare issue that inspires bipartisan compromise in Congress this year.
Sounds like great news, right?
Wrong.
As someone who has studied privacy for nearly two decades, I believe consumers are better off if Congress doesn’t intrude and lets states keep experimenting on how to best protect Americans’ personal data.
FOLLOWING CALIFORNIA’S LEAD
It may be hard to remember, but there was a time when companies were able to keep data breaches secret, so that consumers didn’t even know hackers had their information and that they needed to take steps to protect themselves.
Then California’s data breach law took effect in 2003. California requires companies that suffer data breaches to notify affected consumers as well as the state’s attorney general.
As lawmakers elsewhere learned from these notifications just how common data breaches had become, the other 49 states followed suit. The result is that more than 8,000 data breaches affecting more than 11 billion records have been made public – and all without Congress doing a thing.
If states had not acted on their own, Americans might never have learned about the Equifax or Marriott breaches, or about the 1,244 breaches affecting 446 million records that occurred just last year. And just as other states followed California on breaches, some are attempting to do the same on privacy legislation.
The California Consumer Privacy Act, which will take effect next year, will give Californians the right to learn what companies know about them and the kinds of businesses they sell that information to, as well as the right to block such sales. Consumers will also be able to require companies to delete information on them in some circumstances.
Legislators in states including Massachussetts, Washington and New York have introduced similar privacy bills this year.