American Data Privacy Laws Are a Matter of How, Not If

Following the (often acrimonious and still unresolved) enactment of the General Data Protection Regulation (GDPR) in the E.U., U.S. lawmakers are now following suit with the industry publicly pleading its case. This began in May when Vermont became the first state to pass a law regulating data brokers, and was soon followed by a California law in June that gave state residents the most sweeping online privacy rights in the nation.

The pressing need for such legislation is underlined by a recently published study with Pew Research Center detailing growing concern among the U.S. public. It found that almost three-quarters of participants believe that major tech companies don’t do enough to protect customers’ personal data.

Against this backdrop, the early seeds of a federal law are now being sown.

“A federal statute could include key concepts that are present in international legal regimes—for example, strong rights to access and challenge inaccurate data when an entity uses it to make important decisions about individuals,” said John Verdi, vp of policy at the Future of Privacy Forum, who suggested a standardized federal approach could benefit both consumers and business alike. “A law could make crucial distinctions between data that can identify an individual and information that has been de-identified and protected by technical and legal controls.”

Last month, a Senate committee heard testimony from privacy chiefs at some of the U.S. media sector’s biggest companies in proceedings that chairman Sen. John Thune (R-S.D.) described as the beginning of efforts to “develop a federal privacy law.” Sen. Brian Schatz (D-Hawaii), however, noted that the process would not replace “a progressive Californian law with a non-progressive federal one.”

Ameet Shah, senior director, publisher and data strategy at Prohaska Consulting, attended the hearings, and later said the U.S. government’s present policies are far behind California’s upcoming privacy law and GDPR.

He warned the likely impact for outfits in the ad- and mar-tech sector could be profound. Shah added, “With the growing number of data breaches, policies and protections need to be in place. In the future, business processes and controls will have to be far more robust.”

Some may view the federal hearings as an opportunity to avoid an unnavigable regulatory patchwork and prevent the sweeping California law becoming the national default. For instance, ahead of the proceedings, IAB public policy evp Dave Grimaldi penned an open letter reminding officials of the industry’s contribution to the economy and welcoming “sensible legislation.”

While the ad-tech industry has supported coast-to-coast rules, early hearings demonstrate differences will have to be resolved.

When Google’s chief privacy officer Keith Enright was quizzed on third-party access to user data and efforts to ensure data is handled responsibly throughout the industry, he argued that Google doesn’t grant third parties access to user data, although this did come with a caveat, in an exchange that augurs the potential semantic wrangling to come.

When further quizzed on the mechanics involved with retargeted advertising, he said Google helps publishers monetize content by placing ads targeted to a user’s interests subject to their privacy settings. “No information is passing from Google to the third party, so we can’t sell it nor share it—in that context,” Enright added.

Google classifies personal information as data “that would be identifiable to an individual user” such as their name, email account or “information that’s tied to you or your device.”

All parties want an agreed definition of personal information, with Twitter’s data protection chief Damien Kieran noting this will aid interoperability with global privacy frameworks.

However, a default opt-in to privacy controls, as suggested by Sen. Catherine Cortez Masto (D-Nev.), will face significant opposition from tech and telecom companies.

AT&T svp of global public policy Len Cali said such a move would hinder innovation, asserting it would restrict the use of “insensitive data.”

Apple svp of software technology Bud Tribble—normally a vociferous privacy advocate—also rejects a default opt-in, saying opt-ins are “appropriate in many circumstances” but not all. “Every time I turn around I’m getting asked to approve cookies, and so there is some risk of going overboard here and the consumer[’s] … eyes will glaze over,” he said. “That is an important consideration.”