In part one of this feature, panelists at a recent privacy forum hosted by the Massachusetts Attorney General's Office discussed the challenges of implementing privacy regulation and how a consumer privacy bill of rights can help address these obstacles. Here in part two, read about how state governments could help fill the gaps remaining in consumer privacy regulation.
As the digital marketplace continues to evolve in the big data era, the challenge for many companies is navigating the patchwork set of consumer privacy rules that target specific types of data or industries. Broad, comprehensive rules would provide more flexibility to keep up with data growth, as well as allow companies the freedom to innovate.
The federal government is in the ideal position to create these comprehensive rules, but the current legislative stalemate makes the process too slow to keep pace with the Internet, said panelists at the privacy forum hosted at MIT.
The gaps in consumer privacy regulation in the U.S. do not necessarily mean there aren't already existing laws, usually at the state level, that law enforcement agencies can consult to regulate and enforce consumer data protection. In Massachusetts, for example, the general law Chapter 93A: Regulation of Business Practices for Consumers' Protection provides the Massachusetts Attorney General's office substantive guidance to enforce consumer privacy, said Sara Cable, assistant attorney general and director of data privacy and security for its consumer protection division.
The law states that unfair, deceptive acts or practices in commerce and trade are prohibited, Cable said. It also provides procedural enforcement tools that allow her department to sue companies in civil court to stop violations, and offers pre-litigation discovery that provides the ability to subpoena a company's records to potentially uncover wrongdoing, Cable said.
But while 93A can be a useful tool when applied to the consumer data protection space, Cable said it should be used with caution.
"The law is not particularly helpful at defining what is unfair or deceptive; it could mean to different people different things. I heard this morning that one effective way to use it was to [use one enforcement action as an example] and say, 'Beware, these practices are really going to get you in trouble,'" Cable said.
The right way to use 93A and other already-available tools remains an open question, according to Cable.
"Do we say this info is hands-off and you can't use it ever? Is that the right approach? Or, if you use this information, is this the disclosure you give to consumers? Or is this information that can't be used for certain purposes?" she said.
Quentin Palfrey, former senior advisor at the White House Office of Science and Technology Policy, agreed that states should take a more active role in consumer privacy regulation. While the slow speed of the command-and-control rule-making process, which is the direct regulation of activities that dictate what is allowed and what is illegal, is a problem for both states and the federal government, Palfrey said that it is not realistic to expect Congress to act on this area anytime soon -- despite it being in the best position to do so.
"This leads us to a situation where the best tools for dealing with a rapidly evolving, very complex and hard-to-regulate environment are not available to us, are not likely to be available to us anytime soon," he said. State policymaking is the next-best option to fill this gap in consumer privacy regulation, Palfrey said, adding that it "may create some momentum for a more comprehensive solution."
State attorneys general, in particular, can play a key role. Cable suggested that they can use enforcement actions to send clear signals to law enforcement and the community that certain behavior is not tolerated.
In addition, Palfrey agreed with Cable that states could use existing laws like 93A to define unacceptable behaviors.
"When they start profiling you on the basis of race and targeting products to you on the basis of your surname or your zip code; when they start learning about your pregnancy or your other intimate health status from the information they collect from targeting products at you -- these are the types of things that I think there should be some rules around," he said.
Existing privacy regulations
Cameron Kerry, a distinguished visiting fellow at the Brookings Institution Governance Studies Program and Center for Technology and Innovation, agreed that this broad, iterative approach to policy and law creation is the first step to regulate consumer privacy and define unfair and discriminatory practices. He pointed to the Massachusetts Data Breach Notification Law, as well as the European Union's General Data Protection Regulation, as laws with a broader focus that state legislatures can use as examples.
"The Massachusetts data breach law is very detailed and focuses on certain kinds of personal and identifiable information. It's clear that in this day and age, almost any data can be used to ID a person and to learn things about them," Kerry said. "We see that [broad focus] in the European Union, where they are in the process of finishing up legislation that in some effect doubles down on consent and requires implicit consent in many situations."
Fellow panelist John Doherty agreed that state legislatures would do well to start with areas that are their strong suit.
"Traditional areas of public safety and security, of fraud prevention -- that's where states are traditionally strongest; they already have laws on the books that can be adopted," said Doherty, who is vice president of state policy and politics and general counsel for TechNet, a technology policy lobbying organization. He added that states should also examine whether existing codes could be updated for the digital age, such as applying stalking laws to drones.
The next step then would be for lawmakers to ask where the potential harm is to consumers, which requires segmenting the different types of data that could be abused.
"My potential healthcare diagnosis or my genetic predisposition is a much more sensitive piece of information than how long the length of my stride is. Those are both different pieces of physical information about me," Doherty said.
Fostering consumer transparency
State attorneys general are also in a position to play a major role in consumer transparency, the panelists said. For example, forums like the one the panelists spoke at last month encourage digital literacy, said Sarah Holland, senior analyst of public policy and government relations at Google.
"Attorneys general are incredibly respected, and they're ingrained in the community. They can go out to users and say, 'This is how you can control your data; this is how you can protect it; this is how you can secure it; these are the fraudsters that we're seeing ... and this is what you can do about it.' And I think attorneys general are really helpful in reaching out to businesses as well," she said.
Palfrey concurred, saying that until the federal government passes comprehensive privacy legislation, companies will rely on state laws and engagement with state representatives to figure out how to give users control over their data and what practices could be considered intrusive.
"[State lawmakers need to try] to make sure that there's a clear set of expectations about what's allowed and not allowed, and that consumers share that, that law enforcement enforces against it, and that businesses all understand it," he said.