Recent 2024 American Privacy Rights by Sen. Maria Cantwell (D-Wash.), Chair of the Senate Commerce Committee, and Rep. Cathy McMorris Rodgers (R-Wash.), Chair of the House Energy and Commerce Committee. With the introduction of the Act (APRA), federal regulations for consumers now apply. Data privacy is in a bright spotlight. Lawmakers aim to send a bipartisan bill to the president this year before McMorris Rodgers retires.
Comprehensive consumer privacy proposals have stalled for years, but the latest proposal increases the chances that Congress will pass far-reaching legislation. Congress therefore needs to carefully consider the possible effects on U.S. competitiveness and innovation.
Current state of privacy regulations
Consumer privacy protections are already enshrined in many federal and state laws. The European Union has also enacted major consumer data privacy laws, which are expected to impact other countries as well.
At the federal level, a variety of specialized laws protect consumers from unauthorized disclosure or misuse of personal information. Key laws include the Privacy Rights Act of 1974 (personal information held by the government), the Health Insurance Portability and Accountability Act (personal data held by health care providers and insurance companies), and the Gramm-Leach-Bliley Act. (Personal data held by financial institutions). ), and the Children's Online Privacy Protection Act (personal information of individuals under the age of 12). Numerous agency regulations have been promulgated to give effect to these laws.
Other federal agencies also play a role, but the Federal Trade Commission is the primary enforcement agency. The FTC has also challenged various violations of consumer privacy under its authority to address “unfair acts or practices” in or affecting commerce. The company sued Facebook in 2011 and obtained an order barring the company from misrepresenting its privacy practices. In 2019, Facebook agreed to a second, more expansive order to resolve allegations that it violated the FTC's first order and paid a $5 billion fine. Facebook and the FTC are embroiled in an ongoing lawsuit over allegations that Facebook violated the Second Order.
In recent years, 15 states have enacted comprehensive consumer data privacy laws. The California Consumer Privacy Act (CCPA), the most expansive, gives consumers broad rights to control their personal information, and businesses must respect this. Individuals have the right to opt out of data collection, processing, and sharing.
California consumers who do so may refuse to provide goods or services or have a different price or difference unless the price or difference is “reasonably related to the value provided to the consumer by the consumer's data.” You may not charge a price or offer a different quality of service. As Mercatus Center economist Dr. Tracy Miller explains, this restriction interferes with normal efficient business practices.[t]o Earn enough revenue to cover costs and remain in business” Companies may need to treat “.” . .consumer [who opt out] No. ”
As a practical matter, given the economic importance of the California market, virtually all U.S. companies engaged in online commerce must consider the mandates of the CCPA. Slightly different requirements imposed by other states impose additional compliance costs on businesses.
The European Union's General Data Protection Regulation (GDPR), which came into effect in 2018, requires “data controllers” to obtain “opt-in” consent from consumers before collecting and processing their data. Among other rights, consumers have broad data access rights to request and receive access to their personal data and to know when it is processed.
GDPR directly impacts many U.S. companies with operations in Europe and is similar to California's law. However, they do not share the CCPA's explicit “anti-discrimination” protections for consumers who opt out.
new proposal
APRA is a far-reaching bill. This is in response to concerns that federal uniformity is needed to preempt comprehensive state data privacy laws and eliminate the costly burden of duplicative and conflicting state laws. Nevertheless, this law does not preempt specialized state “consumer protection” or privacy laws directed at narrow concerns (e.g., financial records, public records, cyberstalking, etc.). There remains a risk that some of these provisions may apply to data privacy in some states, limiting APRA's potential for uniformity.
APRA requires businesses to minimize the collection, processing and transfer of data necessary to provide or maintain necessary products and services. Consumers have strong control over the use and transfer of their data, and the right to opt out of the use of their data entirely. Data security requirements are imposed on businesses. Other important provisions include restrictions on data brokers and prohibitions on the discriminatory application of algorithms that violate civil rights. As with the CCPA, companies are prohibited from denying or charging different rates for goods or services to individuals who exercise these new rights.
The FTC is directed to issue guidance on key areas covered by APRA. The FTC, state attorneys general, and private citizens are authorized to litigate to enforce it.
trade off
Concerns have already been raised about the potential downsides of APRA. Kron Kitchen, a technology expert at the American Enterprise Institute, said of the potential harm to American innovation:
“Strict data minimization and consent requirements could limit the data available for the development of new technologies and services, just as new AI models and other data-requiring technologies are maturing. “Compliance will be a burden, especially for startups and small businesses, and could slow the pace of innovation and technological progress in the United States.”
Sen. Ted Cruz (R-Texas), ranking member of the Senate Commerce Committee, is concerned about unreasonable regulatory costs, abusive lawsuits, and favoritism to “Big Tech.”
“[I] A data privacy bill that would empower trial lawyers, strengthen Big Tech by imposing new regulatory costs on emerging competitors, and give the FTC unprecedented power to be the arbiter of internet speech and DEI compliance. I cannot support it. ”
More generally, APRA begins with the assumption that federal privacy law is a pure good with no downside, ignoring the inevitable trade-offs between the costs and benefits of any regulatory scheme. The need to consider trade-offs has been emphasized by technologists Matt Perrault of the University of North Carolina and Dr. Andrew K. Woods of the University of Arizona.
“Privacy is important, of course, but it is clearly more important than other important social goals such as innovation, health, and safety. In that sense, privacy is just like any other social value. , should be protected when the benefits of protection outweigh the costs.The key is therefore to determine which types of privacy protections and privacy reforms meet this criterion. You need to defend your claim: “This is important because it makes the world better in the following ways, and that world is better than another world without this regulation.”
Perot and Woods urge Congress to consider a cost-benefit analysis before passing privacy regulations. They point out that this analysis could be conducted through a referral by Congress to a staff of economic experts at agencies such as the Congressional Research Service or the White House Office of International and Regulatory Affairs.
The potential for competitive harm (including to consumers) is one factor worth considering. A 2023 study by Dr. Stanley Goldberg of Stanford University, citing his and other research, found that GDPR would provide a competitive advantage to large companies (which can better absorb new regulatory costs) over small businesses. It was found that it brings about Goldberg concluded:
“Privacy regulations can be costly for businesses, especially small ones, but can be beneficial for established businesses. Regulations are effective in reducing some online tracking, but marketing It can negatively impact activity, make it harder for consumers to find the products they want, and hurt companies' profits.”
Alternatives to Choice of Law
It takes time to thoroughly weigh the potential disadvantages and benefits of APRA. Additionally, there are other options.
Scholars Jeffrey Mann of the International Center for Law and Economics and Jim Harper of the American Enterprise Institute propose a legislative alternative that avoids difficult cost-benefit analyzes while reducing the growing burden of proliferating national privacy regulations. ing.
“[W]We propose federal legislation that would require states to recognize choice-of-law provisions in contracts so that businesses and consumers can choose which state's privacy laws they want to adopt. Privacy will continue to be regulated at the state level. However, the federal government provides for jurisdictional competition between states, allowing companies operating nationally to comply with the privacy laws of any state. Unlike a single federal privacy law, this approach would provide the nation's businesses with 50 competing privacy regimes. Protecting choice of law can encourage competition and innovation in privacy practices while preserving a meaningful state privacy regulatory role. ”
This new approach has not yet been widely discussed or implemented in Congress. Critics may argue that by enacting laws that minimize privacy protections, states will encourage a “race to the bottom” to attract businesses. On the other hand, politically motivated consumers concerned about privacy may be motivated to vote only for legislators who support strong privacy measures. This proposal should immediately reduce business costs by easing the burden of complex compliance and allowing states to compete to find appropriate solutions. This can lead to a generally recognized and accepted set of regulations that can be widely adopted over time.
The path forward for privacy regulation
ARPA has the potential to gain significant traction and could directly benefit privacy-minded consumers in the short term. It could also impose serious costs on U.S. competition and innovation. In sharp contrast, fostering competition among state privacy regimes can lead to innovative privacy protections that reduce regulatory costs for businesses. So Congress has a lot to think about.