States lead Washington on consumer privacy laws

When I was leading the Obama administration’s work on consumer privacy, I spent time trawling Capitol Hill in search of champions to codify the privacy principles of the Consumer Privacy Bill of Rights, which establishes a set of baseline consumer and business expectations.

I got two recurring responses from Republicans and some Democrats: What’s the harm that needs to be addressed? And don’t we have enough regulation; why should we add more?

It has been striking since then to watch the number and variety of laws regulating differing aspects of privacy that have passed state legislatures around the country. Evidently local legislators and their constituents perceive a need for legislation that Washington does not reciprocate.

Laboratories of privacy

California has always been the most active state when it comes to privacy legislation and enforcement, but it is no outlier: since California first adopted laws requiring notification of data breaches in 2003, 47 states and the District of Columbia, Puerto Rico, Guam, and the Virgin Islands all have adopted similar laws.

Numerous other states have become “laboratories of privacy,” and many recent privacy laws have come in some states that are very red on the political map:

• As online education expands student records far beyond grades and attendance records, parents’ concern has mushroomed over who is using data about their children, and for what purpose. The first state to respond was Oklahoma, leading to what the National Conference of State Legislatures describes as “a wave of measures addressing how states, districts, schools and online service providers use, manage and dispose of student data.” At least 21 states have joined this wave; they include Georgia, Idaho, Indiana, Kansas, Kentucky, Missouri, North Dakota, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, and Wyoming, a large swathe of the red state map.
• Protecting access to social media is another popular target of state legislation. 25 states, including Montana, have enacted laws limiting employers and others from requiring access to information on social media that is not public.
• Drones are another popular subject, with some 31 states adopting laws. These mostly deal with where drones can fly or their use for hunting, but Utah also bans use of a drone to collect data where a person has a reasonable expectation of privacy.
• Utah also passed a law limiting law enforcement access to location data and email content.
• Twelve states, including Arkansas, North Carolina, Tennessee, and Utah, have laws that govern the use of automated license plate readers and limit the data they collect.

This wave of state legislation suggests that when expanding data collection hits close to home, concerns run much deeper than legislators in Washington realize. Privacy can seem like an abstract concern, but once it involves collecting data on your own child’s attentiveness to homework, recording daily comings and goings in your car, or drones hovering over your own backyard, people care.

Consumers are getting restless

These deep-seated concerns show up in surveys by the Pew Research Center, which has been exploring American attitudes about privacy and personal information since 2013. Pew found that 91 percent of adults agree that consumers have lost control of how personal information is collected and used, and a majority lack confidence that personal information will remain secure and private.

Pew’s in-depth report on the state of privacy, combining survey research with focus on a variety of data use scenarios, explained this unease as follows: “While many Americans are willing to share personal information in exchange for tangible benefits, they are often cautious about disclosing their information and frequently unhappy about what happens to that information once companies have collected it.” The result of this uncertainty, the report describes, is that focus groups are “downcast about the future of privacy” with many of them falling into a category Pew calls the “uncertain, resigned, or annoyed.”

Pew’s data is hardly a description of a well-functioning marketplace.  Pew found that willingness to share data “depends on the company or organization with which they are bargaining and how trustworthy or safe they perceive the firm to be.” Caution, uncertainty, and annoyance threaten to erode that trust. And if, as Pew reports, “[o]ne of the most unsettling aspects of privacy to many of the focus group participants is how hard they feel it is to get information about what is collected and uncertainty about who is collecting the data,” that reflects inequality in the bargaining.

This unease is impacting consumer behavior. In a large study conducted this year by the Census Bureau for the National Telecommunications & Information Administration (NTIA), 45 percent of households reported refraining from some financial transactions, buying goods or services, posting on social networks, or expressing opinions because of concerns about privacy and security.

A comprehensive baseline for consumer trust

This brings me back to the Obama administration’s Consumer Privacy Bill of Rights. In an age when ways of generating and using data are expanding at an accelerating rate, new uses blur old boundaries, and legislation and regulation cannot keep pace. Take fitness bands: the data they generate is covered by medical records privacy law, the Health Insurance Portability and Accountability Act or HIPAA, if you send it to a doctor, but not if you send the same data to a fitness app or an insurance company.

In today’s digital world, trying to sustain trust and fairness state-by-state, sector-by-sector, issue-by-issue, and agency-by-agency is like that classic “I Love Lucy” episode where Lucy goes to work wrapping chocolates on an assembly line–and gets further and further behind as the line gets faster and faster. “I think we’re fighting a losing game,” she says.

The facts on the ground—the grassroots support for a wide array of laws to protect individual privacy and the uneasy marketplace shown in the Pew and NTIA studies—show an underlying need for a more comprehensive and consistent solution. Individual Americans should have a baseline of trust in how data about them is used, who it is shared with, and how long it is retained regardless of the state they live in or the sector of the business or organization collecting the data.