An aimless scroll through a maternity clothing catalog; a Facebook post of an ultrasound; an Amazon order for a breastfeeding pump.
These cookies leave crumbs, and this Internet user has now been deemed an “expectant parent” by a third-party data broker like
This market—perceptible only to those who pore over a near unreadable block of text describing terms and conditions when they download an app or create a web account—snakes its way through every aspect of our society, from political campaigns, to law enforcement, to what types of borrowers are targeted for loans. Global platforms that follow this data-driven business model must grapple with privacy regimes in Europe and elsewhere that limit information collection and give consumers more control over sharing their personal details.
No such standard exists in America, despite more than two decades of bipartisan policymaking efforts and even with a rare consensus among tech companies, advertisers, and consumer advocates on the need for a consistent nationwide approach.
Attention on the national security risks of
But lawmakers have yet to demonstrate how they’ll overcome persistent sticking points that, in the last session of Congress, foiled what was considered the best legislative chance yet to establish guardrails around consumer data.
Instead, US states led by California are adopting their own privacy laws, with Iowa the latest to join March 28. If 50 separate state laws came into effect, the cost to businesses navigating compliance could surpass $1 trillion over a decade, according to the Information Technology and Innovation Foundation, a nonpartisan tech policy think tank backed by companies including
“We must get this over the finish line,” Rep.
In the US, the current state of national privacy standards is an alphabet soup of niche and often outdated laws.
There’s the Family Educational Rights and Privacy Act (FERPA), which governs what schools can do with students’ educational records and predates an era of digital learning tools. The Health Insurance Portability and Accountability Act (HIPAA) protects health data shared with a doctor or a hospital, but not, for example, data collected by a fitness or period tracking app. The Gramm-Leach-Bliley Act (GLBA) requires banks to safeguard consumer information, though it’s less clear how the law applies to fintech apps.
These laws do little to protect against the aggregation, categorization, sale, and transfer of data from the phones, apps, social media accounts, smart speakers, and even security cameras that consumers interact with every day.
“That data is not being collected by my healthcare institution. It’s not being collected by my educational institution. It’s not being collected by my banking institution,” said Sarah Lamdan, a City University of New York School of Law professor and author of “Data Cartels.” “It’s being collected by these private companies. And our current privacy laws don’t apply to those companies.”
This piecemeal sectoral approach to regulation might have worked in a different era. FERPA, after all, was passed in 1974. But the players, sources, and incentives have all undergone a paradigm shift since the growth of a lucrative data broker industry, expected to reach over $462 billion at the turn of the next decade, according to Transparency Market Research.
“Consumers have felt out of control of their data,” said Jane Horvath, former chief privacy officer at Apple and current partner at law firm Gibson, Dunn & Crutcher LLP.
Apple introduced a feature in 2021 that gives consumers the ability to choose between letting apps track their activities, or asking apps not to. Google is working on its own framework for allowing a more private approach to advertising on apps.
Apple and Google didn’t return requests for comment.
Lobbying interest in a US privacy bill ramped up as the bipartisan draft emerged in 2022, according to a Bloomberg Government analysis of required disclosures. Lobbyists representing almost 300 different clients brought up a broad privacy bill during the most recent session of Congress, compared to about 100 clients in the prior session.
Some of the most frequent filers of lobbying reports include trade groups for internet and television providers, advertisers, and other businesses throughout the economy. Tech companies and advertisers would prefer a federal privacy law that overrides state laws to ease compliance for businesses with operations across states.
“If there’s anything that’s interstate commerce, it’s the internet economy,” said Lartease Tiffith, executive vice president for public policy at the Interactive Advertising Bureau, a trade association.
Distance to Consensus
Legislators neared a historic compromise on a federal privacy standard last Congress, but negotiations were torpedoed by objections from California’s representatives and a lack of support from Sen.
The House already held a hearing earlier this month on reviving its privacy bill in hopes of cementing a rare bipartisan agreement.
That last proposal, the American Data Privacy and Protection Act, would have instructed companies to collect as little consumer data as possible and restrict data-sharing without permission. The bill would have established consumer data protections similar to those that exist in Europe, including the right to access, correct, and delete personal data.
Negotiators often tout that it was the first bipartisan, bicameral privacy measure to be introduced in decades.
“There was such unanimity if you listen today, it’s incredible,” Rep.
The bill has yet to be reintroduced in the current session, and its prognosis remains bleak. Its ability to override state laws, a sticking point from earlier negotiations, looms large. When asked about the federal proposal, Cantwell replied, “the one that basically eroded California’s law?”
Cantwell, whose agreement is necessary to advance the legislation, also disliked that the bill had an enforcement delay before consumers could sue tech companies for breaking the law.
“We still have a distance to go to reaching consensus,” Cruz said. He said a narrower bill focused on children’s privacy was likely a better target.
As senators weigh an outright ban on TikTok and other leaner privacy measures, Rodgers said a federal privacy bill represents the “strongest defense against TikTok and other Big Tech companies, data brokers, that are collecting unlimited data on Americans.”
TikTok’s CEO endorsed US privacy legislation during his appearance before Rodgers’ committee, saying he looks forward to working with lawmakers to set baseline standards.
Legislative efforts have taken on new urgency since 2018, when Europe enacted one of the world’s strongest data privacy laws. The General Data Protection Regulation limits what data a company can collect and grants consumers broad rights over their data.
US privacy law observers also cite as a catalyst the Cambridge Analytica scandal, in which
California’s privacy law limits the collection of consumer data, places guardrails on sensitive data, bars manipulative design tactics for obtaining data, and requires data brokers to register with the state and offer consumers an opt-out feature.
Iowa just became the latest state to adopt its own consumer data privacy law, following Virginia, Colorado, Utah, and Connecticut. About 20 states are considering similar bills in 2023.
“States will step in where Congress is not either able or willing to tread,” said Julie Brill,
Attempting to regulate data privacy amounts to regulating the free-in-exchange-for-data transaction.
“It’s not just about legislation,” said Jeff Chester, executive director of the nonprofit Center for Digital Democracy. “It’s really about regulating global capitalism, and that’s a tough thing to do.”
A tangled web of data standards, in which how many cookies are stored or whether consumers can sue tech companies differs from state to state, simply doesn’t make sense to many privacy experts. It’s imposing borders on a borderless internet, they said.
“Is that really the way we want our data privacy regime to work?” CUNY’s Lamdan said. “I would assume no.”