U.S. data privacy and security solutions emerging at the federal level

Although a handful of U.S. states have enacted strict privacy laws, the United States still lacks a comprehensive federal privacy statute, a vacuum that has fueled what many observers argue is a culture of “surveillance capitalism.” The lack of a national privacy law looms particularly large now as the Supreme Court seems poised to overturn its landmark abortion decision Roe v. Wade, which is likely to accelerate private data hunting expeditions by prosecutors and law enforcement in nearly 30 U.S. states.

Absent a federal privacy law that would protect the location data of abortion seekers, Senator Elizabeth Warren (D-MA) introduced a bill that would essentially outlaw the sale of location data harvested from smartphones. However, the U.S. Congress and the Biden administration have recently taken surprising steps to tackle the problem of data privacy on a national basis through legislation, policy and regulatory measures that seek to stem the escalation of privacy-invading practices and technologies.

A new privacy bill comes with bipartisan and bi-cameral support

The most significant of these privacy measures is a draft discussion bill called the American Data Privacy and Protection Act (ADPPA), released by bipartisan House and Senate leaders on June 3. The 64-page bill has been compared in scope and force to some noteworthy predecessors, including the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), and the EU’s General Data Protection Regulation (GDPR).

Some highlights of the wide-ranging bill include:

• Broad applicability to covered data held by covered entities: The bill expansively defines “covered entities” as any entity that collects, processes, or transfers covered data and is subject to the jurisdiction of the Federal Trade Commission (FTC), including nonprofits and telecommunications common carriers. “Covered data” is defined as information identifying, linked, or reasonably linkable to an individual or device linkable to an individual, including derived data and unique identifiers but not de-identified data, employee data, or publicly available information. However, some healthcare organizations, depending on their relationship to HIPAA, would not be required to comply, and some small organizations with annual revenues of $41 million or less would not be required to comply with some aspects of the law under the “small data exception.”
• Data minimization: The bill imposes a baseline duty on all covered entities to not unnecessarily collect or use covered data, regardless of any consent or transparency requirements. Covered entities are “prohibited from collecting, processing or transferring covered data beyond what is reasonably necessary, proportionate, and limited to provide specific products and services requested by individuals, communicate with individuals in a manner they reasonably anticipate given the context of their relationship with the covered entity.”
• Restricted practices: Covered entities are prohibited from and significantly restricted in engaging in certain data practices regarding specific types of covered data except for very limited circumstances. Social Security numbers, password information, and nonconsensual intimate images are subject to further restrictions.
• Privacy by design: Under the bill, covered entities must implement reasonable policies, practices, and procedures for collecting, processing, and transferring protected data, corresponding to the entity’s size, complexity, activities related to covered data, the types and amount of covered data the entity engages with, and the cost of implementation compared to the risks posed.
• Loyalty to individuals and pricing: Covered entities may not condition or effectively condition the provision or termination of services or products to individuals by having individuals waive any privacy rights in the Act. The prohibition does not prevent covered entities from differentiating the price of or levels of services based on an individual providing financial information collected and used or payment when an individual explicitly requests a product.
• Consumer data rights: Under the ADPPA, consumers would have rights to well-constructed privacy policies and data ownership on par with those extended under HIPAA and GDPR, including the right to export their covered data in a portable format. In addition, consumers must express affirmative consent to the collection of sensitive data and be given the means to provide and withdraw consent clearly and straightforwardly.
• Third-party collecting entities: Third-party collecting entities that process covered data of more than 5,000 individuals must annually register with the FTC.
• Civil rights and algorithms: Under the bill, covered entities may not collect, process or transfer covered data in a manner that discriminates based on race, color, religion, national origin, gender, sexual orientation or disability.
• Data security and protection of covered data: The ADPPA requires covered entities to implement and maintain data security practices and procedures that protect and secure covered data against unauthorized use and acquisition. The draft bill defines requirements covered entities must meet to assess vulnerabilities, take preventive and corrective action, evaluate their systems, and retain and dispose of covered data.

ADPPA passage faces long odds

As has been true for every federal privacy law proposal emerging over the past ten years, the ADPPA faces an uphill struggle even as some influential political and industry figures champion its passage. For example, a draft letter from the U.S. Chamber of Commerce that was circulated but not sent to Congressional offices called the proposed legislation “unworkable.”

A private right of action for individuals to sue companies that don’t abide by the legislation’s provisions has stirred up its own spate of objections from the business sector even though it doesn’t become effective until four years after the bill becomes law. Another sticking point is the bill’s pre-emption of state privacy laws, which would primarily affect California, Colorado, Connecticut, Utah and Virginia. However, the bill’s preemption provisions allow for some exceptions for certain kinds of data.

Given his company’s embrace of privacy as a market differentiator, it’s not surprising that Apple CEO Tim Cook told Congress that lawmakers should pass the bill “as soon as possible.” It’s also no surprise that some cybersecurity practitioners support the bill, too.

Gary Brickhouse, CISO and vice president of governance, risk, and compliance at GuidePoint Security, tells CSO that, “In general, it’s an absolutely great idea. It’s something that we’ve needed for years.”

Brickhouse thinks a federal law could ease companies’ burdens in tracking and implementing a welter of state and international privacy obligations. “It’s really hard to navigate the current landscape, especially because [it’s hard to answer whether], ‘Is this customer data from the state of California, or is it from Washington or Virginia or Maryland?’ So, to some degree, this constant juggling has to happen,” he says.

The House Energy and Commerce Subcommittee on Consumer Protection and Commerce plans to mark up the bill on Thursday, June 22, with a full committee markup contemplated sometime after the July 4 recess.

Advancing privacy-enhancing technologies

Legislation isn’t the only path toward improved privacy emerging at the federal level. Through the White House Science and Technology Policy Office, the Biden administration seeks to develop a national strategy for “responsibly harnessing privacy-preserving data sharing and analytics to benefit individuals and society.”

The goal, according to a notice of inquiry (NOI) published in the Federal Register, is to develop the opportunity in privacy-enhancing technologies (PETs) so that users’ data can be collected in a “secure, privacy-enhancing way.” However, despite their benefits for human rights and democracy, PETs have “not achieved widespread adoption due to various factors, among them, limited technical expertise, perceived risks, financial cost, and the need for more research and development,” the NOI states. Therefore, the “Federal government seeks to develop a national strategy for advancing and adopting privacy-preserving data sharing and analysis.” Comments on the NOI are due before the close of business on July 8.

FTC plans to take action on consumer privacy

Finally, on the regulatory front, the Federal Trade Commission (FTC) announced earlier this week that it is considering a summer rulemaking to safeguard people against privacy abuses. The rulemaking, first floated last year, is intended “to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”

Three of the current FTC commissioners are strong privacy advocates. Alvaro Bedoya, founding director of the Center on Privacy & Technology at Georgetown University Law Center, was sworn in as a commissioner on May 16, 2022. Commissioner Rebecca Kelly Slaughter previously served as acting FTC chair and is an outspoken critic of the abuse of consumer data. In one of her first major speeches after becoming the current FTC chair, Lina Khan called for the federal government to expand its policing of data abuses given the vast “surveillance” enabled by modern technology.

The FTC has proposed a public-comment period for the rulemaking that will end in August 2022.