In January, the federal tea leaves foretold that 2019 would focus on consumer privacy legislation and regulatory action. Fast forward to early December, and there is but a partial fulfillment of this prophecy.
There are media series, protests, and polls but as far as the law goes, only the California Consumer Privacy Act (CCPA) made a national splash. However, as we race to the end of 2019, rumored drafts of federal legislation are finally seeing some daylight. As I write this, the Senate Commerce Committee is considering dueling bills– one draft bill authored by committee chair Sen. Roger Wicker (R-Miss.) and another already introduced by ranking member Sen. Maria Cantwell (D-Wash.).
It recently dawned on me that despite my years of technology public affairs, I am unfamiliar with some of the terms and concepts used in CCPA and the Commerce drafts. Much like Carrie Bradshaw, I couldn’t help but wonder, if I have a challenging time understanding this, how will the average consumer fare?
Below is a list of a few of the most vexing terms. Some of these include terms with definitions so vague no one knows what it really means in the law and some you’ll be hearing about in the news as narrow sticking points between lawmakers. This is also by no means legal advice or interpretation because, as mentioned above, I have no idea what I’m doing.
Personally Identifiable Information
Personally Identifiable Information, or “PII” in legal terms, is the linchpin of privacy. This is the data we all want protected. But what exactly is PII? There are obvious things used for decades to identify people such as your Social Security Number, banking data, or fingerprints. In more modern times, new categories of PII emerged such as retinal scans, DNA, and location. Today’s concerns about technology and PII center around who has access to it, what they do with it, and how they protect it. But are those really new concerns?
I am of the “used paper checks” generation, and by the time I had enough money to use them regularly, check fraud was a very big deal. If you wrote a check for groceries, you had to show one or two forms of ID to prove to the cashier it was your check. Eventually we all got tired of taking out our licenses for checks and enterprising financial institutions started recommending we list our license numbers on our checks to avoid the hassle. Honestly, I cannot tell you what happened to that personally identifiable check after it went in the register. I hope it was held for a set number of days to ensure the transaction happened properly and disposed of in a secure facility so no one could ever use that information. Technology certainly amplifies these risks thanks to billions of pieces of data, but trading our personal information for convenience isn’t necessarily going to end with state or federal laws.
Speaking of state or federal law, preemption is a big reason for the stalled process on a federal privacy bill. Preemption in legal terms refers to a situation where legislation enacted by Congress and signed by the President—after which it becomes federal law or “statute”—supersedes any state law on the matter. There are two main types of preemption: 1) field preemption and 2) express preemption. Field preemption happens when Congress has legislated so thoroughly on a topic that if an inferior state law also applies and says something different, a court will simply say that Congress now “occupies the field,” and the state law has no effect. Express preemption applies when Congress enacts a law that literally instructs a court that the provisions of the law supersede state laws on the same subject. Courts are notoriously finicky in interpreting both kinds of preemption. Advocates from the business community—including ACT | The App Association—are adamant that a federal privacy law should expressly preempt state laws because the idea that even a comprehensive federal privacy law is interpreted to “field preempt” state laws is unreliable. But this is a contentious issue because three states—California, Maine, and Nevada—signed privacy-related bills into law. California was the first state to do so, and it served as the flashpoint for the consumer data privacy movement among other states. CCPA is also the most comprehensive of the bills, so as Congress ponders “occupying the field” with a federal bill, many activists worry CCPA’s impact could lessen under a less restrictive federal bill.
But CCPA has one thing going for it that a federal bill doesn’t: time. CCPA goes into effect on January 1, 2020. So, for a little while, CCPA may be the privacy law of the land. The App Association is producing a guide to CCPA for members and will have more content about the law in early 2020.
Duty of Loyalty
The legal terms “duty of loyalty” and “private right of action” cover enforcement of a potential consumer privacy law, and in media speculation, seem to address the shortfalls from the Cambridge Analytica scandal. “Duty of loyalty” is a legal principle that states that executives and officers of a corporation must act without personal economic conflict in making all decisions in their capacities as corporate fiduciaries. Jack Balkin, a law professor at Yale, was first to adapt the duty of loyalty from the set of fiduciary responsibilities incumbent on corporate officers in the financial services context to one that applies in the privacy context. Senator Brian Schatz then brought it to Congress with legislation he introduced last year and has successfully seen included (albeit in very different forms) in the competing draft bills that emerged over the Thanksgiving break. Professor Balkin’s concept, the “information fiduciary,” essentially requires a company that processes a person’s PII to put itself in the shoes of the person to whom PII pertains. In simple scenarios, where a processing activity would benefit the company—but not the individual—the duty of loyalty would prohibit the company from engaging in that processing activity. Congressional negotiators are now discussing how the grayer areas should be dealt with. For example, should the Federal Trade Commission (FTC) be given general rulemaking authority to lay out and categorize legal and illegal conduct? Should there be a balancing test in statute? Or should there be a combination of these approaches? The concept is a bona fide new idea in the privacy debate, and it must pay its dues as a thoroughly and hotly disputed term.
Corporate Officer Accountability
One of the biggest complaints from Members of Congress regarding the Federal Trade Commission’s landmark fine of Facebook was it didn’t hold any executives responsible for data breaches. Some further alleged that Facebook executives knew of the breaches and did not act because they were protecting their personal financial interest in the company. Even FTC Commissioners Rohit Chopra and Rebecca Slaughter noted in their dissents on the matter the lack of true consequences for executives. Including duty of loyalty in a federal privacy statute could correct this, but questions will remain on who does the enforcement. Should it be the FTC, Department of Justice, or a whole new agency?
Private Right of Action
“Private right of action” allows a private party, in this case a consumer, to bring a lawsuit against an entity for a violation of a provision of the law. Generally, people sue companies as individuals for privacy and other wrongs under state common law “tort” (yes that’s the French word for “wrong”) theories. Courts are reluctant to allow people past the initial stages of a tort suit, however, where they are unable to show that a “wrong” caused them cognizable harm. Privacy torts are a notorious example of where private litigants have difficulty showing that the underlying conduct caused them articulable harm. A private right of action would skip some of those initial stages by simply stating in the law that an individual affected by the alleged violation has standing to sue. However, much like corporate officer accountability, the private right of action discussion in a federal privacy law may come from doubts that regulatory agencies will truly pursue actions against companies that violate the law. Some proponents say it would benefit consumers, especially marginalized groups, to join class action lawsuits because they have no means of recourse due to forced arbitration clauses.
Opponents note that private right of action could be a big fat gift to the plaintiff’s bar and lead to an explosion of class actions that stall out in courts and appeals without making real impact for consumers. The current Senate draft bills are stuck on whether or not to include a private right of action. Because this concept places the wants of consumers and industry in direct opposition, negotiating a comprehensive bill may come down to how narrow a private right of action to include.
Is this all confusing? Absolutely. As you can see, it is not just about what these terms mean but how lawmakers and regulators interpret them in order to formulate a federal law. Consumer privacy is a significant issue, and it is our duty as citizens to make sure we understand what protecting our Personally Identifiable Information really means.