Congress Action Wanted: The Current U.S. Data Privacy Landscape is in Disarray

Caroline Gallo, Contributing Member 2023-2024

Intellectual Property and Computer Law Journal

           

Introduction

Your personal data is making companies a lot of money. It is a pretty well-known secret that most people do not read the terms and conditions or privacy policies that pop up whenever you access a website for the first time.[1] A 2019 study found that only nine percent of people always read privacy policies before agreeing.[2] Most people quickly scroll down and click the agree button – otherwise, it is impossible to access the website.

Accepting the terms and conditions allows gigantic companies like Google, Amazon, and Facebook to collect your personal data whenever you use their website, such as your IP address (the unique identifier of your device on the internet), GPS location, phone number, and how often and how long you use their website.[3] These companies claim they need to collect your data to personalize their website to your preference.[4] A company like Facebook makes most of its money through advertising, so it is vital to its business model to collect and then sell your data to its advertisers.[5] Advertisers use your data to distinguish the demographics of who is interacting with their ads and who is not.[6] But how much shared personal data is too much?

This article explores the current data privacy landscape in the U.S. and the actions Congress needs to take amid mounting data privacy concerns among Americans. Part II provides background on data privacy laws, specifically a couple of federal laws introduced in Congress, active state laws, and California’s Delete Act. Part III discusses why there needs to be federal legislation and some concerns with the current data privacy protections. Finally, Part IV concludes that Congress should enact comprehensive federal legislation soon.

Background

Federal Data Privacy Acts

    There is currently no active federal legislation governing data privacy in the United States.[7] Within the last couple of years, Congress introduced multiple data privacy acts but could not get enough votes to pass any of them.[8] The American Data Privacy and Protection Act (“ADPPA”), Data Privacy Act of 2023, and Upholding Protections for Health and Online Location Data Privacy (“UPHOLD”) Act are three recent data privacy acts introduced in Congress.[9]

    The American Data Privacy and Protection Act

      The House Energy and Commerce Committee voted to advance the ADPPA, a bipartisan bill, to the House of Representatives in July 2022.[10] The ADPPA applies to most entities but has different obligations for large data holders and service providers such as government entities.[11] Any data that “identifies or is linked or reasonably linkable to an individual” qualifies as data covered by ADPPA.[12] Social Security numbers, financial account numbers, log-in credentials, and race are a few examples of what is considered sensitive covered data under the ADPPA.[13] The ADPPA’s “duties of loyalty” provision limits entities from using covered data beyond what is “reasonably necessary and proportionate” to the entity’s service.[14]

      The ADPPA requires entities to disclose the kind of data they collect, the purpose of use, how long the data is kept, and whether the data is provided to other countries such as China, Russia, Iran, or North Korea.[15] It gives customers more control over their data by allowing them to delete their data from the entity, and the customer must give consent before an entity gives their sensitive covered data to a third party.[16] It requires third-party entities to register with the Federal Trade Commission (“FTC”), follow all FTC regulations, and create a searchable database where individuals could request all registered entities to stop collecting their data, similar to the National Do Not Call Registry.[17]

      Two areas set the ADPPA apart from other data privacy bills: it preempts any state laws that fall under the ADPPA, and it creates a deferred private right of action to sue covered entities two years after enactment.[18] Congress had two main concerns with the ADPPA. First, Congress felt the “duties of loyalty” provision was too narrow. Second, they worried that if the ADPPA preempts state law, it could limit privacy rights, as the ADPPA would be the maximum privacy protection rather than a minimum that states could build upon.[19]

      Data Privacy Act of 2023

      The Data Privacy Act of 2023 expands the Gramm-Leach-Bliley Act (“GLBA”) to include additional consumer protections.[20] The GLBA, enacted in 1999, requires financial institutions to give consumers the ability to give consent for their information to be shared with third parties.[21] The financial institution must provide a clear and obvious notice that the consumer’s information will be shared if they give consent. The institution must also give the consumer enough time to either accept or decline the sharing of information.[22] The financial institution must share annual privacy notices with the consumer, including information such as the categories of the parties receiving their information and the type of information the financial institution stores.[23]

      The Data Privacy Act of 2023 requires financial institutions to notify consumers of the reason their data is collected and how their data is used, and to provide the ability to decline the collection of their data.[24] Similar to the ADPPA, it preempts states from having their own privacy protections and allows consumers to request that the financial institution delete their data.[25]

      UPHOLD Act

      In March 2023, U.S. Senators Amy Klobuchar, Elizabeth Warren, and Mazie Hirono introduced the UPHOLD Act to protect personal health data.[26] It prevents companies from selling personal health and location data for advertising.[27] The legislation arose after the U.S. Supreme Court reversed Roe v. Wade, which caused growing concerns about women’s reproductive data stored on apps potentially being used against them.[28] It prohibits using personally identifiable health data, whether entered by the user or drawn from fitness trackers or internet search histories, for advertising.[29] There are no restrictions on public health campaigns, such as a vaccination campaign, but it places constraints on companies’ use of data without consent.[30]

      State Data Privacy Acts

      Only 12 states have signed data privacy bills into law: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia.[31] California, Colorado, Connecticut, Utah, and Virginia are the only states with legislation currently in effect; the other seven states’ legislation becomes effective in 2024 or 2025.[32] All 12 states’ legislation includes the right to access (the consumer knows which information is shared with which third parties), right to delete (the consumer can request that their personal information be deleted under specific circumstances), right to portability (the consumer can ask for their personal information in a file format), right to opt out of sales (the consumer can decline to have their personal information sold to third parties), and a notice transparency requirement (the entity must provide consumers with notice of its data practices and programs).[33]

      California’s Delete Act

      California recently took its data privacy laws a step further when Governor Gavin Newsom signed the Delete Act on October 10, 2023.[34] Data brokers, defined as “companies that collect, use and sell personal data without a consumer’s knowledge,” must now register with the California Privacy Protection Agency instead of the California Department of Justice.[35] If they don’t register, there is a $200 fine for each day they are noncompliant.[36] The Delete Act streamlines the process of consumers requesting their personal data to be deleted by allowing consumers to click on one button to delete from every registered data broker in California within 45 days. This streamlined process will go into effect in 2026.[37] Previously, consumers were required to send a separate request to each data broker.[38] This proved to be a hassle for consumers since California has almost 500 registered data brokers.[39]

      Discussion

      The current lack of federal legislation allows companies to run rampant with consumers’ personal data. States are slowly enacting their own legislation, but due to a lack of uniformity across states, there needs to be federal legislation, too. Currently, 18 states have no comprehensive data privacy bills introduced, and 13 states have inactive bills.[40] This demonstrates the need for federal legislation because over half of the states are not taking any action toward alleviating data privacy concerns.

      Looking at the federal legislation previously introduced to Congress, the ADPPA is the most comprehensive. The Data Privacy Act of 2023 and UPHOLD Act specifically address data privacy concerns pertaining to financial institutions and health care data, so while the passage of either legislation would be great in making progress towards better data privacy protections, neither Act goes far enough. By delaying the enactment of comprehensive federal legislation, Congress runs the risk of eventually all 50 states enacting 50 varying data privacy laws. These different laws would make it very difficult for nationwide companies to remain compliant in each state. The House Energy and Commerce Committee completed meetings in April 2023 to discuss a new draft of the ADPPA, which would need to pass the committee’s vote again before reintroduction to Congress and hopefully a congressional vote this time around.[41]

      Some see California’s Delete Act as excessive. A major concern with the deletion request mechanism is the loss of revenue due to businesses struggling to find new customers without any data.[42] It also makes it difficult for data brokers to stay compliant due to the 45-day provision after a consumer has made a deletion request.[43] Deletion requests may take days to process, but the consumer’s data may still be collected while the request is processed.[44] It is also unclear who will be verifying the deletion requests.[45] There is also concern surrounding the personal data collected during the deletion request to authenticate the identity of the individual making the request.[46] Data brokers will need enough information from the deletion request to match up the consumer in their database to successfully remove the data.[47] States should closely follow how California approaches these issues while considering their own data privacy legislation.

      Conclusion

      In conclusion, Congress needs to take action sooner rather than later regarding data privacy legislation. Multiple bipartisan bills have been introduced, but none have come close to passing. Congress needs to establish a baseline for data privacy across all states. A comprehensive act like the ADPPA would be a great fit if they can gather enough congressional votes. Enacting legislation similar to California’s Delete Act sounds good in theory for consumers, but states and Congress should wait to see if the potentially detrimental economic effects outweigh the data privacy benefits before enacting their own version.


      [1] 4. Americans’ attitudes and experiences with privacy policies and Laws, Pew Research Center (November 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/

      [2] Id.

      [3] The Data Big Tech Companies Have On You, Security.org (October 12, 2023), https://www.security.org/resources/data-tech-companies-have/.

      [4] Id.

      [5] Id.

      [6] Id.

      [7] Gregory T. Parks & Ronald W. Del Sesto, US Data Privacy Legislation: Could a Federal Law Be on the Horizon?, Morgan Lewis (July 31, 2023), https://www.morganlewis.com/pubs/2023/07/us-data-privacy-legislation-could-a-federal-law-be-on-the-horizon.

      [8] Id.

      [9] Id.

      [10] Jonathan M. Gaffney, Eric N. Holmes & Chris D. Linebaugh, Overview of the American Data Privacy and Protection Act, H.R. 8152, Congressional Research Service 1 (August 31, 2022), https://crsreports.congress.gov/product/pdf/LSB/LSB10776.

      [11] Id.

      [12] Id.

      [13] American Data Privacy and Protection Act, U.S. House of Representatives Document Repository 25-28 (July 22, 2022, 8:58 AM), https://docs.house.gov/meetings/IF/IF00/20220720/115041/BILLS-1178152rh.pdf.

      [14] Gaffney, Holmes & Linebaugh, supra note 8, at 2.

      [15] Id.

      [16] Id.

      [17] Id.

      [18] Id. at 3.

      [19] Id. at 4-5.

      [20] H.R. 1165, Data Privacy Act of 2023, Congressional Budget Office (June 13, 2023), https://www.cbo.gov/publication/59267.

      [21] Katy Liu, Guide to the Gramm–Leach–Bliley Act, IAPP, https://iapp.org/resources/article/guide-to-the-gramm-leach-bliley-act/ (last visited Oct 30, 2023).

      [22] Id.

      [23] Id.

      [24] H.R. 1165: Data Privacy Act of 2023, GovTrack.us, https://www.govtrack.us/congress/bills/118/hr1165/summary (last visited Oct 30, 2023).

      [25] Id.

      [26] Klobuchar, Warren, Hirono Introduce Legislation to Expand Personal Health Data Privacy Protections, U.S. Senator Amy Klobuchar (March 3, 2023), https://www.klobuchar.senate.gov/public/index.cfm/2023/3/klobuchar-warren-hirono-introduce-legislation-to-expand-personal-health-data-privacy-protections

      [27] Id.

      [28] Id.

      [29] Id.

      [30] Id.

      [31] US State Privacy Legislation Tracker, IAPP 1 (October 20, 2023), https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Chart.pdf.

      [32] Id.

      [33] Id. at 1-2.

      [34] Jedidiah Bracy, California governor signs Delete Act into law, IAPP (October 11, 2023), https://iapp.org/news/a/california-governor-signs-ca-delete-act-into-law/.

      [35] Id.

      [36] Id.

      [37] Id.

      [38] Id.

      [39] Id.

      [40] US State Privacy Legislation Tracker, supra note 29.

      [41] Steve Alder, Revised American Data Privacy and Protection Act Due to be Released, The HIPAA Journal (April 14, 2023), https://www.hipaajournal.com/revised-american-data-privacy-and-protection-act-due-to-be-released/.

      [42] Bracy, supra note 32.

      [43] Id.

      [44] Id.

      [45] Id.

      [46] Id.

      [47] Id.
