Consumer Data Privacy
New technology has brought issues with data privacy. Corporations gain access to masses of information about us through our actions as consumers, or even just through our use of the internet. Companies are able to analyze the data to make predictions about us; they can sell our data for marketing purposes, and let’s just hope it’s all stored securely.
For example, large retailers with your purchase information compile unique “Guest IDs” containing information as specific as “your age, whether you are married and have kids, which part of town you live in, how long it takes you to drive to the store, your estimated salary, whether you’ve moved recently, what credit cards you carry in your wallet and what Web sites you visit.”
And then, in an entirely different ballpark are the technology giants which are ever-present on our computers and mobile devices (Facebook, Google, Apple and Microsoft), compiling even larger profiles about us and making plenty of money by sharing the information. While we may be able to cancel a credit card or get new social media accounts, we can’t easily change our facial structures, which means facial recognition technology can have especially sticky qualities.
The United States federal government has been trying to address these issues through regulatory bodies — especially as cases of large-scale data breaches have come out — but Congress has not passed a law specifically to address consumer data privacy since 1970. Europe, on the other hand, has enacted a major privacy protection law just recently (the General Data Protection Regulation, or GDPR), but that’s not to say the EU has the problem solved.
What types of regulation could help consumers keep the “right” degree of privacy? Of course, people have different conceptions of what the “right” degree is, which is why regulators have a big task at hand.
In the United States, two federal agencies can bring enforcement actions against companies that use consumer information unfairly or deceptively. Consumers who are harmed by unfair uses of their data (and know it) may be able to bring lawsuits, often based on state laws. Beyond that, states are finally coming through with some ground rules that restrict companies from the outset (before the harm happens). Lastly, industry “best practices,” which are not laws but can affect a company’s reputation, help out significantly.
Our infographic outlines a good way to think of the various types of regulation: based on the life cycle of a piece of consumer data. Data is first collected, then stored, then used. The graphic lists the types of rules that regulators can set in each stage.
Below the infographic you can view our legal landscape which describes in more detail the laws the U.S. has in place.
What laws does the U.S. have in place to protect consumer data privacy?
The Constitution does not specifically address privacy protections that individuals might have against private (e.g. corporate) interests.
However, the Constitution gives the Legislature power to create laws that regulate commerce across the states in the "Interstate Commerce Clause" of Article I. Within this power, Congress has made laws to control corporate interests relating to the spread of electronic data.
The First Amendment, which prohibits the government from interfering with free speech, has been cited by internet service providers that want to avoid regulation. See, e.g., Open Internet Order in the Executive column.
See the Legislative section for the laws designed to control corporate interests and see the Executive section to see how the federal agencies implement the laws.
The Legislative Branch (Congress)
The Communications Act of 1934 created the Federal Communications Commission to regulate the telephone services market. The Act established guidelines for common carriers of communication services, for example that the carriers cannot “make any unjust or unreasonable discrimination in charges, practices, classifications, regulations, facilities, or services for or in connection with like communication service.”
The Telecommunications Act of 1996 amended the Communications Act of 1934. It added telecommunications providers to the classes of service providers subject to regulation under the Act, and it included the internet as a type of spectrum to be licensed. It also established a duty on telecommunications providers to keep confidential consumer proprietary information (Section 222 “Privacy of Consumer Information”). As under the 1934 Act, the FCC regulates communications services under this Act. As a result of FCC rule-making, internet providers are classified as telecommunications providers (see Net Neutrality Rule in the Executive column). This means internet service providers are governed by the FCC and obligated to maintain consumer privacy in the way the FCC defines it (see e.g. Privacy and Data Security Rule in the Executive column).
The Federal Trade Commission Act of 1914 established the Federal Trade Commission to promote consumer protection and to prevent anti-competitive market actions. The FTC was given authority to regulate on acts or practices that are “unfair or deceptive.” This encompasses the actions of all corporations or entities engaged in trade except for a few types of corporate actions which are governed by other acts. Specifically, “common carriers” of telecommunications services are excluded because they are governed by the Telecommunications Act (above) and subject to Federal Communications Commission regulation. Thus, the FTC governs “information providers” like Netflix, Facebook, and HBO (also called “edge providers”), while the FCC governs the service providers like Verizon, Comcast, and AT&T.
The Fair Credit Reporting Act of 1970 imposed limits on sharing data specifically related to credit information. The Act created ways people could fix erroneous credit information, and it established a procedure for individuals to complain about wrongdoing in credit reporting. The Federal Trade Commission administers this complaint process. The Act defined the types of personal data that deserve protection, and it set boundaries on how the government could access that data.
The Driver’s Privacy Protection Act of 1994 banned states from selling motor vehicle records to private industry.
The Gramm-Leach-Bliley Act of 1999 allowed commercial banks, investment banks, securities firms, and insurance companies to merge. The Act allowed information sharing among financial services entities but put into place restrictions to protect consumer privacy. The banks are regulated by several federal agencies. See the FTC publication on the Act’s privacy requirements.
Other relevant federal legislation:
The Congressional Review Act of 1996 created a fast track for the repeal of a federal agency rule. Under the Act, Congress can vote (each of the House and the Senate must agree) to disapprove of an agency rule. That resolution is then sent to the President, who may sign it and formally repeal the rule. The 2017 Republican-controlled Senate and President Trump invoked this provision to get rid of the Federal Communications Commission’s 2016 Privacy and Data Security Rule (described in the Executive column). Now that the rule has been invalidated, the FCC may make a new rule, but the new rule cannot be substantially similar to the repealed one.
The Administrative Procedure Act (APA) is always relevant when a federal agency is involved (in this case, the Federal Communications Commission and the Federal Trade Commission). The Administrative Procedure Act limits federal agencies (executive branch) from abusing their power. It makes sure that agencies act fairly. Agencies must follow proper procedures when they make rules or decisions, and they cannot overstep the boundaries of their power. This means, for example, that the FCC is limited by provisions of the Communications Act and the FTC is limited by the Federal Trade Commission Act. When the agencies make rules, they must follow certain procedures (e.g. provide notice to the public that they plan to make rules and allow the public an opportunity to comment). When they make decisions, they must meet certain standards of fairness. The Administrative Procedure Act also gives citizens, companies, or other groups the right to sue if the procedures are not followed and that citizen (or entity) is harmed as a result. This is called a “private right of action” (a right to sue).
The Executive Branch (president and agencies)
Early Acknowledgement of Privacy Concerns From Use of Technology (“Big Data”):
In 1973, the Department of Health, Education and Welfare (HEW) published an early report titled Computers and the Rights of Citizens bringing awareness to the potential harm from automated collection and use of personal data. The report created a Code of Fair Information Practices and suggested that all organizations with computer data systems should follow it.
Shortly thereafter, President Nixon raised awareness of the harms that could come of unchecked personal data collection by computers in an influential radio address in 1974. In 1974, the Code of Fair Information Practices from the HEW report became law (in the Privacy Act of 1974) but it only applied to federal government databases. Corporations managed to lobby their way out.
Private/Corporate Use of Data:
Federal agencies have been concerned with the practices of internet service providers (like Verizon or Comcast) in storing or using data about individuals. Internet service providers transmit masses of data revealing personal or proprietary information about individuals, and the government seeks to control the use of this data so it does not harm people. Two agencies primarily are responsible for controlling how this information is used: the Federal Trade Commission and the Federal Communications Commission.
Federal Communications Commission (FCC)
Under the Telecommunications Act of 1996, the FCC regulates internet service providers. In 2015, it brought internet service providers within its jurisdiction, and in 2016, it passed a rule limiting data sharing by these entities.
In 2015, the FCC passed the Open Internet Order (aka the Net Neutrality Rule). The rule prohibits internet service providers from discriminating against certain types of electronic content. Under the Rule, a broadband provider cannot speed up, slow down, or otherwise prioritize certain types of content over others. For example, Comcast cannot make a deal with Netflix to give Netflix content a faster connection. The importance of this rule with regard to data privacy is that, in order to make the rule, the FCC classified internet service providers as “telecommunications providers” under the Telecommunications Act of 1996. This made internet service providers subject to the stricter “common carrier” regulations under the Communications Act of 1934. Internet service providers challenged the rule and lost. See US Telecom Association v. FCC in the Judicial column.
In 2016, the FCC passed the Privacy and Data Security Rule (In the Matter of Protecting the Privacy of Customers of Broadband and other Telephonic Services), but the rule was repealed early in the Trump administration through use of the Congressional Review Act (see Legislative column). The rule would have regulated internet service providers (like Verizon and Comcast), making it harder for them to sell consumer data for financial gain (e.g. to marketers). The rule classified certain types of consumer “proprietary information” (e.g. IP addresses, consumer service and traffic data, and other personally identifying information) for which internet service providers would have had to get consumer consent before sharing.
The FCC enforces its rules through its Enforcement Bureau. Here is a sample of the actions the FCC Enforcement Bureau has taken.
The Federal Trade Commission (FTC)
The FTC regulates against unfair or deceptive use of consumer data by companies involved in internet communications that are not service providers (because service providers are covered by the FCC). Most relevantly, the FTC regulates “edge providers” (like Google, Netflix, and HBO). The FTC often takes action by investigating and suing companies.
Examples of FTC enforcement actions relating to internet privacy can be found here.
Potential Future Data Privacy Rules
The FCC and the FTC in the Trump administration said they intend to make new rules that will regulate internet service providers (like Verizon and Comcast) and “edge providers” (like Google, Facebook and Netflix) consistently. Currently, internet service providers are under FCC jurisdiction while edge providers are under FTC jurisdiction. “Consistency” was one of the main arguments that cable providers cited against the 2016 FCC rules, which regulated them more harshly than the edge networks.
The Judicial Branch (federal courts)
The Federal Trade Commission uses federal courts to sue companies for unfair or deceptive practices. See a list of recent enforcement actions here.
The Federal Communications Commission enforces its regulatory scheme through its own adjudicatory system. However, it has faced several lawsuits challenging its rules, in which plaintiffs have argued the agency does not have the authority to issue the rules.
The first example is a challenge by internet service providers arguing that the FCC did not have the authority to regulate them as it did in the 2016 Privacy and Data Security Rule.
In US Telecom Association v. FCC (2016), the D.C. Circuit Court of Appeals ruled that the Federal Communications Commission was allowed to classify broadband as a telecommunications service (as opposed to an “information” service). This allows the FCC to regulate broadband providers with stricter “common carrier” rules. The case was brought by broadband service providers who argued the FCC had violated its authority in issuing the FCC’s 2015 Open Internet Order (see Executive column).
This next example is a challenge by state governments arguing the FCC did not have the authority to overrule the states' laws restricting their local towns in providing internet service.
In State of Tennessee v. FCC (2016), the Sixth Circuit Court of Appeals ruled that the Federal Communications Commission did not have the authority to “preempt” (overrule) certain state laws relating to internet service. Towns in North Carolina and Tennessee wanted to provide internet services, but their state laws would not allow it. The FCC made a rule that states could not ban towns from providing internet services because it would interfere with the FCC’s federal mandate to ensure competition for broadband services. The Sixth Circuit Court ruled the FCC did not have the authority to overrule state law on this issue, and the court invalidated the FCC rule.
See the State section below for more information on the states' roles in protecting consumer privacy.
States can make more stringent regulations to protect consumers, on top of the federal laws and regulations, as long as they do not interfere with the federal regulatory scheme (“preemption”). The extent to which the federal government limits state action is not always clear (see, e.g., State of Tennessee v. FCC in the Judicial section), but states generally can enact laws protecting consumers from corporate use of data.
States have their own laws regulating Unfair or Deceptive Acts and Practices, which the states may update to address emerging technologies. See this page, which discusses various measures states are taking to protect consumer data privacy. State laws address such topics as consent to mobile GPS tracking, social media privacy, security breach protection, and consumers’ ability to control their data in the hands of companies.
For example, California’s “Consumer Privacy Act” allows consumers to find out what information companies hold about them and to request that the data be deleted.
Illinois has a law restricting companies’ access to biometric information. The law enables people to sue for violations of the act, even if the consumer has not proven harm from the violation.
For state-by-state information on data breach laws, see here.