In light of international Data Privacy Day, our CIO, Kim Verska, shares insight on surprising practices surrounding privacy and security of personal data in the United States.
Here is what Kim has to share:
Countries all over the world are passing laws regulating the privacy and security of personal data, but thanks to a largely deadlocked Congress, the US still lacks one national law. Unlike the EU and many other countries, the US has never subscribed to the view that the right to control one’s own data is at its core a “fundamental” human right. Instead, we view personal data as an asset that can be exchanged for free services (such as when you browse online content without paying a subscription), or that can be bargained away by “consent” buried in non-negotiable terms and conditions that you must agree to in order to buy products or services online. The modern-day US economy is built upon, and is dependent on, this concept of “data as value” and current legal frameworks support this foundation. While this has led to a flourishing of the Internet, it has also led to a situation for US consumers described rather well in 1999 by Scott McNealy, founder of Sun Microsystems: “you have no privacy. Get over it.”
One party control of Washington, international pressure, and increasing state regulatory action may signal a new era of change. But it will likely be slow to materialize – the world of data privacy is complex and the group of well-funded actors that benefit most from the current legal framework in the U.S. is large. Nonetheless, to take stock of the current state of affairs, it’s worthwhile to review where we stand in terms of data privacy law as we begin 2021.
You may be surprised by some of the above, and you might well ask “how can this be legal”? The answer lies within the patchwork that is data privacy law in the U.S. At present, meaningful protection is extended only to consumers dealing with companies in certain sectors (banking, healthcare, telecommunications, to name a few), that engage in certain regulated activities (texting/robocalling, targeting websites to children, etc.), and where the consumer’s data falls within the narrow categories of highly sensitive data. Most states have laws protecting Social Security Numbers from wrongful use, and credit card companies have done a good job of ensuring that your credit card data is encrypted in processing and storage (In this article, I’m going to refer to the more regulated areas described in this paragraph above, and the specific laws mentioned below, as “Limited-Scope Privacy Laws”). However, an ocean of data identifying you and tracking your activities lies completely open for exploitation under current U.S. law.
Below is a rundown of gaps in U.S. privacy law that have led to this situation:
- Many companies can do whatever they want with your data that they obtain legally from third parties. In addition to the two flavors noted above, there is one more here: hidden players in the data world who may or may not have published privacy notices. If a company hasn’t agreed to restrictions on its use of data in its contract with a third party from whom it obtains personal data, and it or the third party has a permissive or no privacy notice, the only limits on the use of that data by the company are Limited-Scope Privacy Laws, plus one new but growing area of state law regarding “data brokers.” In 2019, Vermont passed a law specifically applicable to these companies who have no direct relationship with consumers but whose business model consists of compiling and selling data about those consumers. This law, again protecting only Vermont residents, includes privacy notice publication requirements and opt-out rights similar to that of California’s CCPA, but only two states have these laws at present. On this front, I’ll relate one personal story: when I first obtained a copy of my own credit report in 2002, I was surprised to see that it contained accurate salary information. I asked someone who had been employed by a one of the large credit reporting agencies about this, and he didn’t even blink, going on to explain that that information was part of the “consumer file” that anyone could purchase from the agency. As it turned out, there was nothing preventing my former employer’s paycheck processing company from selling this information. A few years ago, I negotiated a data processing agreement for a client with the same large paycheck processing company, and even then, their “take it or leave it” language didn’t restrict their sale of the salary data.
Data about you, obtained and sold, powers the “information economy” in the US. The degree to which federal lawmakers are willing to limit or cut off the data fuel is unclear. In the meantime, the patchwork continues, with some states, like California, marching forward in emulation of the EU by passing strong data privacy laws, but the majority of states have failed to take action like this to date. The patchwork of laws benefits neither companies, who struggle to identify and comply with what very well could be conflicting laws, nor consumers, who are largely unaware of any rights they may have but understandably concerned about their privacy. Continuing along the present path quite likely will result in a scenario where only the biggest companies survive and thrive and only a small number of consumers – namely those who are both data-savvy and have time to spare — achieve good protection for their data. 2021 is a new year, and here’s hoping that lawmakers will be able to thread the needle and provide a good baseline of protection for all consumers’ data privacy while still preserving the dynamism of the U.S. economy.
The downloadable PDF version of this article can be found here.
About Culhane Meadows – Big Law for the New Economy®
The largest woman-owned national full-service business law firm in the U.S., Culhane Meadows fields over 70 partners in ten major markets across the country. Uniquely structured, the firm’s Disruptive Law® business model gives attorneys greater work-life flexibility while delivering outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. Clients enjoy exceptional and highly-efficient legal services provided exclusively by partner-level attorneys with significant experience and training from large law firms or in-house legal departments of respected corporations. U.S. News & World Report has named Culhane Meadows among the country’s “Best Law Firms” in its 2014 through 2020 rankings and many of the firm’s partners are regularly recognized in Chambers, Super Lawyers, Best Lawyers and Martindale-Hubbell Peer Reviews.
The foregoing content is for informational purposes only and should not be relied upon as legal advice. Federal, state, and local laws can change rapidly and, therefore, this content may become obsolete or outdated. Please consult with an attorney of your choice to ensure you obtain the most current and accurate counsel about your particular situation.