New D.C. data privacy bill fails to address issues of intent, consent
Ever since GDPR came into effect in Europe, U.S. states have been ramping up their efforts to produce similar data privacy regulations for their constituents. In the aftermath of the Cambridge Analytica scandal, privacy is hot news, and, due to the lack of a federal law to rule them all, the weight of enforcement is falling on state attorneys general.
A privacy bill just introduced in the District of Columbia is the latest evidence of an emerging patchwork of state-level privacy laws. The Security Breach Protection Amendment Act of 2019 (SBPAA) is designed to overhaul the district's data breach laws and improve protections for consumers’ personal information.
SBPAA outlines various procedures that firms must abide by in the case of data breaches. These include notifying victims and informing the Office of the Attorney General in writing, as well as providing two years of identity theft prevention services to any individual whose social security or tax identification number is breached.
If passed, the legislation would also require firms to begin implementing robust security standards against the unauthorized access and use of people’s personal data.
The law would also seek to expand the types of information that are considered sensitive to include social security numbers, driver’s license numbers, credit or debit card numbers, passport numbers, taxpayer identification numbers, military ID numbers, health information, biometric data, genetic information and DNA profiles, as well as health insurance information.
SBPAA also clearly states that an individual’s first name, first initial and last name, and any other personal identifier that, either on its own or in combination with other data sets, can be used to identify that individual is “personal information.” Email addresses are also included in the definition.
However, unlike GDPR in the EU and CCPA in California, the new privacy law does not regulate the collection of data, nor does it impose the need for consumer consent before data collection. In addition, it sets no limitations on the purposes for which data can be handled once it is collected.
Troublingly, there is also no specific mention of digital identifiers such as IP addresses within the categorization of “personal information,” which produces another concerning grey area.
For firms, SBPAA is a stark reminder that until a federal law is passed, providing adequate data privacy and security right across America is quickly becoming a logistical nightmare.
Law firms such as Dentons LLP have already noticed an uptick in tech companies seeking legal advice about navigating the emerging maze of state-level policies. Those large law firms are responding by improving their understanding of, and expertise in, those various legal environments.
There can be no doubt that improved data privacy protections, such as those created by California’s CCPA and DC’s SBPAA, are a step in the right direction for consumer rights. However, there may be unintended side effects too.
The patchwork of distinct policies is inspiring tech firms to suddenly begin lobbying hard for a nationwide law. Firms know that having to cater to differing state laws will be both inconvenient and costly. Doing so will affect not only how data is accessed and stored in each location but also how it can be processed and shared across state boundary lines.
Advertising methods that could once legally span the entire US will need to be adjusted in the same way that they have been since GDPR came into effect in the EU. For example, when GDPR came into effect, a large number of US websites decided to stop providing their content in Europe. Now imagine the effect that similar laws could have across the US.
Simple systems that once created revenue without a fuss will suddenly become much trickier to manage and implement. Of course, firms could simply opt to adhere to the strictest privacy laws across the board. This would solve the problem. However, while there are lucrative profits to be made, it is like asking the baby to get out of the candy store.
Instead, big tech firms like Facebook and Google are leveraging the Internet Association to lobby the government for a nationwide federal privacy bill. That instantly sets off alarm bells because until recently those same firms were dead against that very same kind of law. So why the turnaround?
Big Tech knows that the preemption doctrine written into the supremacy clause of Article 6 of the U.S. Constitution allows for any federal privacy law to supersede all conflicting state laws, even if they are part of the state's constitution. In other words, the ends justify the means.
Any federal privacy law that has the full support of Big Tech is more than likely going to be a watered-down, one-size-fits-all bill designed to placate the public’s desire for a GDPR-like law while simultaneously permitting Big Tech to keep on processing data for profit.
For this reason, the new D.C. law is questionable. While it certainly has some positive attributes, it also seems to have some pretty glaring holes and grey areas when compared to other similar laws. Remember, this is Capitol Hill, and if this legislation is passed and is ever used as the blueprint for a nationwide federal privacy bill, it would appear to be a rather big win for Big Tech.