facebook noscript

Data Privacy Legislation: Washington is Behind the Curve

March 24, 2022
Data Privacy Legislation: Washington is Behind the Curve

It can be tough for the most progressive organizations to keep up with technology these days. The challenge is even harder for governments where politics, deliberation, and bureaucracy rule the day. Standards, norms, and regulation always lag behind the market curve, especially in IT. In the US, for example, there are no comprehensive, consent-based data privacy laws on the national level. Until that changes in the coming years businesses will continue to struggle with uncertainty and technological missteps

The fast evolution of IT is only part of the problem. Data privacy bills, and their inevitable amendments, are hard to pass because they touch on historically challenging areas of civil rights, law enforcement, and intelligence collection. Even if we confine our discussion to the world of commercial enterprise, lawmakers still have a hard time deciding where to focus their attention and pressure: on businesses, which need to find market opportunities, or individuals, who need protection from digital predation.

Data Privacy: a North Star

Ancient mariners used Polaris, or the bright northern star (which is actually a triple star system), as a reliable guide for navigation. In our current climate of regulatory uncertainty, we should use data privacy as a north star. In the hyperpartisan US political environment, data privacy is one of the few things that Democrats and Republicans agree on. Their most recent proposals showed “promising agreement” on significant issues, including data minimization, individual privacy rights, transparency, and discriminatory uses of personal data (despite “sharp differences” over federal vs. state jurisdiction).

Only time will tell whether this circle can be squared. Google has written that it is hard to imagine the Internet, as we know it today, “without advertising as its economic foundation.” As part of its strategy, Google is moving away from third-party relationships and promoting first-party relationships as it tries to sail closer to the north star of data privacy.

However, there is a delicate balance between enhancing data privacy and losing your competitive advantage. And it’s not just Big Tech, but also users, who are in a tricky position. Users want the benefits of IT, from online education to remote employment and digital democracy to web-enabled romance. But no one wants to be digitally tracked without their permission. And Big Tech loves your data and the profits it brings, but how long can that last without greater clarity from government?

Self-Regulation Falling Short

In the current climate of regulatory inaction, companies will absolutely fill the gaps on their own. Apple now requires a user’s permission, via its AppTrackingTransparency framework, to track a user or access their device’s advertising identifier. For Apple, “tracking” refers to the act of linking user or device data collected from an app with data collected from other companies’ apps, websites, or offline properties, for the purpose of targeted advertising, advertising measurement, or sharing data with brokers. Similarly, Twitter has a new Privacy Policy, which states that its users have “meaningful control” over what data Twitter collects and how it is used.

Self-regulation, however, is no substitute for meaningful government regulation. Big Tech is likely to take a liberal interpretation of broadly-crafted rules. Further, the complexity and rapid evolution of IT, and IT law, will give them cover for many missteps. One legitimate fear is that Big Tech will take a “what’s mine is mine, and what’s yours is mine” approach to data privacy. In other words, you are safe within my walled garden, where I do not share your data but simply spin it into gold for my shareholders. Regulators must take a close look at this business-friendly interpretation and ask whether users need just a little bit more protection.

A Better Strategy

Strategic challenges require strategic solutions. So far, government and Big Tech have fallen short of the mark. It is time for users to educate themselves and demand better with the help of non-governmental organizations that understand their needs and support their desires. Initiatives like the Partnership for Responsible Addressable Media (PRAM), the Digital Advertising Alliance (DAA), and the Network Advertising Initiative (NAI) are steps in the right direction. Good policies are based on reason, logic, and partnership, with strong standards and real penalties for cheating. To some degree, we will see companies – like VGS – create products that solve numerous data privacy challenges right out of the box.

Ultimately, the US needs to take a stand on data privacy and write comprehensive federal legislation. Congress must find creative solutions to “preemption” (i.e., when federal law supersedes state law), and the “private right of action” (when a citizen is legally entitled to enforce their rights). Privacy legislation in Florida failed to pass because businesses lobbied against the private right to action.

Every country is now considering new legislation, from China, to Saudi Arabia, India, Canada, Vietnam, South Korea, Japan, and Australia. And among US states, see California, Virginia, Colorado, etc. All of this is necessary, but how can online businesses address the unique aspects of legislation written in so many jurisdictions? At the very least, this will give an enormous advantage to Big Tech over smaller companies, which cannot afford so many lawyers. Further, such complexity will increase overall compliance costs and threaten the responsible use of data – at least for someone, somewhere!

For now, the European Union’s General Data Protection Regulation (GDPR) offers a comprehensive set of rules and penalties based on a privacy-by-default approach. And many countries are adopting GDPR-style regulations if for no other reason than their businesses need to be able to process EU data. US lawmakers may desire a more business-friendly, risk-based model, such as that currently under consideration by the Uniform Law Commission (ULC) in the form of the Uniform Personal Data Protection Act (UPDPA). But the US ignores GDPR strictures at some risk to its future business model.

Whichever direction the US takes, we know a few things for sure:

  1. IT is not becoming less complex over time.
  2. Intrusive methods to gather, process, and manipulate personal data are growing like mushrooms after a good rain.
  3. Due to data breaches and loss, the business risks for non-compliant organizations are rising every year.
  4. As we navigate these treacherous waters, we should remember our north stars.

Want to learn more about how VGS can protect your data? Let us know!

Ken Geers Kenneth Geers, PhD

Information Security Analyst at VGS


You Might also be interested in...

Secure Your Data to Build Customer Engagement

Secure Your Data to Build Customer Engagement

Khyati Srivastava September 30, 2021


Let Go of Data Risk without Losing Data Value


The Privacy Paradox: Securing Data To Build Customer Engagement