
VII. DATA PRIVACY PROTECTION LAWS

Existing federal data privacy laws are a patchwork of industry-specific laws varying in scope and purpose.163 One of the very few pieces of federal data privacy policy is the Organization of Economic Cooperation and Development’s (OECD) Privacy Guidelines, which inspired the European data privacy laws of the 1970s and 1980s and unwittingly paved the way for the General Data Protection Regulation (GDPR).164 The GDPR’s guidelines include principles on limiting data collection, data security safeguards, and accountability.165 The OECD Privacy Guidelines did not have as much of an impact in the U.S. as they did in Europe because they were administrative in nature. Similarly, the Federal Trade Commission set out its Fair Information Practices guidelines as an attempt to regulate private information with little fanfare.166 However, no comprehensive federal data privacy law or regulations exist today.167 The lack of oversight and regulation, particularly over today’s tech behemoths, contributed to the data privacy problems we currently see. Congress has yet to successfully pass any federal privacy laws despite its continued shaming of corporations which participate in non-transparent user data sales.168 However, in its absence, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Washington Privacy Act (WPA) have provided working frameworks that strive to protect consumers’ data privacy.

A. General Data Protection Regulation

The General Data Protection Regulation (GDPR) attempted to regulate data privacy in the private sector by focusing on compliance law upon


162 Sadie Gurman, Across the US, Police Officers Abuse Confidential Databases, AP NEWS (Sep. 27, 2016), https://apnews.com/699236946e3140659fff8a2362e16f43/ap-across-us-police-officers-abuseconfidential-databases [https://perma.cc/7S25-DUUH].

163 STEPHEN P. MULLIGAN & CHRIS D. LINEBAUGH, CONG. RESEARCH SERV., R45631, DATA PROTECTION LAW: AN OVERVIEW 7 (2019), https://crsreports.congress.gov/product/pdf/R/R45631 [https://perma.cc/6PQJ-QXLH].

164 Daniel J. Solove, Chapter 1: A Brief History of Information Privacy Law, PROSKAUER ON PRIVACY 35 (2006).

165 MULLIGAN & LINEBAUGH, supra note 163, at 42.

166 Nuala O’Connor, Reforming the U.S. Approach to Data Protection and Privacy, COUNCIL ON FOREIGN RELATIONS (Jan. 30, 2018), https://www.cfr.org/report/reforming-us-approach-data-protection [https://perma.cc/525H-M67E].

167 MULLIGAN & LINEBAUGH, supra note 163, at 54.

168 Romm, supra note 13.


its enactment in the European Union (EU) on May 25, 2018. 169 The GDPR applies to companies that either monitor or offer goods or services to people in the EU and has provisions inspired by various European data protection and privacy guidelines. 170 The GDPR explicitly recognizes an individual’s fundamental right to protection of personal data and is intended to safeguard this right.171 It further details procedures for businesses which ensure personal data are easily accessible, easy to understand, and presented in clear and plain language for consumers. 172 Consent to collect data must be expressed and unambiguous.173 Both data collection and data use must be minimal.174 Additionally, consumers have the right to access, change, and delete their data held by these companies.175 The GDPR also sets standards for the way businesses store, maintain, and protect personal data.176

Violations of the GDPR, such as collecting or selling consumer data without the consumer’s consent, carry very large monetary fines; a data breach costs 4% of annual worldwide turnover or 20 million euros, whichever is greater.177 In 2019, the top ten biggest GDPR fines amounted to a combined total of $443.7 million. The biggest fine in 2019 came from British Airways at $225.16 million from a data hack of customers’ financial and personal information.178 Marriott International came in second with a $124 million fine for its breach of guest data.179 Outside of the private sector, schools throughout Europe have been fined thousands of dollars each for utilizing personal data without consent, such as using minor students’ fingerprint data to verify lunch payments or facial recognition software to track attendance.180


169 Jennifer Dumas, General Data Protection Regulation (GDPR): Prioritizing Resources, 42 SEATTLE U. L. REV. 1115, 1116 (2019).

170 MULLIGAN & LINEBAUGH, supra note 163, at 41.

171 Id. at 40.

172 Id. at 43-44.

173 Id.

174 Id.

175 Id. at 45-46.

176 Id. at 46-47.

177 Dumas, supra note 169, at 1119.

178 Sead Fadilpasic, Top GDPR Breaches Caused Millions in Fines, IT PRO PORTAL (Nov. 27, 2019), https://www.itproportal.com/news/top-gdpr-breaches-caused-millions-in-fines/, [https://perma.cc/7H4G-B2ZL].

179 Id.

180 Paul Sawers, Polish School Hit with GDPR Fine for Using Fingerprints to Verify Students’ Lunch Payments, VENTURE BEAT (Mar. 6, 2020, 5:03 AM), https://venturebeat.com/2020/03/06/polishschool-hit-with-gdpr-fine-for-using-fingerprints-to-verify-students-lunch-payments [https://perma.cc/WV5X-BJFF].


The GDPR gives individuals greater control over their personal information by treating data as a quasi-property right rather than a commodity to be traded. For a domestic violence survivor in Europe, the GDPR provides a tangible method to prevent abusers from gaining access to their private information, gives survivors the ability to define what their private data looks like, and gives survivors control of who can access their data.

B. California Consumer Privacy Act (CCPA)

Inspired by the GDPR and impatient with Congress’s lack of a comprehensive data privacy law, the California Legislature made California the first state in the U.S. to pass its own consumer data privacy law in 2018: the California Consumer Privacy Act. The CCPA is expected to have a national impact on the way businesses manage data and on consumer relationships due to the size of the California economy and the number of interstate technology companies that work with or make the majority of their revenue from selling consumer data.181

The CCPA applies to any company that collects the personal information of Californians, regardless of how the collection is done or the type of industry in which the business operates.182 Both “collector” and “collection of personal information” are broadly defined.183 The CCPA provides Californians: (1) the right to know their personal information that businesses have collected or sold; (2) the right to opt out of the sale of their information; and (3) the right to be forgotten.184 Businesses are required to notify consumers about the kinds of information they have collected on them as well as how to opt out of the data collection.185 Businesses are also required to delete consumers’ information upon request.186 Penalties for CCPA violations include civil fines, a private cause of action for consumers against businesses, monetary damages, and injunctive relief.187 However, unlike the GDPR, the CCPA defines “personal information” more expansively and offers more opt-out rights.188 The CCPA also gives businesses a one-year grace period to comply with consumers’ requests for


181 Devin Coldewey, California Passes Landmark Data Privacy Bill, TECH CRUNCH, (Jun. 28, 2018, 2:08 PM), https://techcrunch.com/2018/06/28/landmark-california-privacy-bill-heads-to-governorsdesk [https://perma.cc/A9SK-YGXG].

182 MULLIGAN & LINEBAUGH, supra note 163, at 38.

183 Id.

184 Id.

185 Id.

186 Id.

187 Id. at 39.

188 Jon Swartz, California’s Landmark Privacy Law: What It Does, What Has Changed and What It Means for Investors, MARKETWATCH (Oct. 6, 2019, 11:15 AM), https://www.marketwatch.com/story/californias-landmark-privacy-law-what-it-does-what-has-changed-and-what-itmeans-for-investors-2019-10-02 [https://perma.cc/FB87-HDH2].


access to or deletion of data. 189 The absence of immediate or aggressive enforcement measures resulted in the CCPA receiving the nickname of “GDPR Lite.”190

The CCPA may also influence other states to create their own consumer data privacy laws due to its reach over businesses that deal with the California economy.191 For example, Microsoft responded to the enactment of the CCPA by changing its consumer privacy policy business-wide to be CCPA-compliant instead of creating a California-specific policy.192 Also, Microsoft’s leadership has urged its home state of Washington to enact even more rigorous sector- and state-specific data privacy laws.193 The impact of the CCPA on non-California states may create a nationwide domino effect to prompt other states to alter their own data privacy and compliance laws in order to participate in the national economy. In addition, the CCPA may have also inadvertently influenced the federal government to seriously consider a federal data privacy law, even as it comes in the form of tech industry lobbyists’ attempt for a lenient alternative that would undermine the CCPA.194 The CCPA is one of the very few–if not the only–laws that provide a legal remedy against the misuse of personal data by a private party.195

C. Washington Privacy Act

Despite having relatively progressive tech-crime laws, Washington has yet to pass a statewide data privacy law but not for a lack of trying. In 2019, the Washington State Legislature attempted to pass its own data privacy act modeled after the GDPR.196 The bill, known as the Washington Privacy Act (WPA), did not become law because the House and Senate


189 Id.

190 Id.

191 Id.

192 Jedidiah Bracy, With the CCPA Now in Effect, Will Other States Follow?, INT’L ASS’N OF PRIVACY PROF’L (Jan. 2, 2020), https://iapp.org/news/a/with-the-ccpa-now-in-effect-will-other-states-follow/ [https://perma.cc/V8LV-NKEP].

193 Id.

194 Zack Whittaker, Silicon Valley is Terrified of California’s Privacy Law. Good., TECH CRUNCH (Sept. 19, 2019, 9:00 AM), https://techcrunch.com/2019/09/19/silicon-valley-terrified-california-privacy-law [https://perma.cc/M5MD-6H36].

195 Laura Hautala, CCPA is Here: California’s Privacy Law Gives You New Rights, CNET (Jan. 3, 2020, 9:48AM), https://www.cnet.com/news/ccpa-is-here-californias-privacy-law-gives-you-newrights [https://perma.cc/8FEZ-34AC]. Unfortunately, this remedy is only limited to private businesses rather than individuals and can only be brought by the comparatively under-resourced Attorney General’s Office.

196 Lucas Ropek, Why Did Washington State’s Privacy Legislation Collapse?, GOV’T TECH. (Apr. 19, 2019), https://www.govtech.com/policy/Why-Did-Washington-States-Privacy-Legislation-Collapse.html [https://perma.cc/TQ5H-RZGC].


were unable to reach a consensus, 197 with each side arguing that either the House draft of the WPA was too strict on private businesses or the Senate draft was too permissive to private businesses.198

Specifically, the Senate bill would have exempted data that is “deidentified” from being protected, in spite of the fact that de-identified information can be easily discovered if linked with other information.199 Provisions of the WPA would have allowed Washington residents to access their data from businesses, correct or delete their data, and opt out of data collection.200 The WPA also would have required businesses to conduct risk assessments of their data collection and maintenance process. 201 Alternatively, the House version of the WPA included facial recognition technology and automated decision system restriction requirements.202 Similar to one of the CCPA’s shortcomings, the WPA would only allow the Office of the Attorney General to sue businesses for violations instead of a true private right of action by consumers.203 Therefore, while the WPA would have been a step in the right direction, it would not have been the perfect solution to the problems articulated in this paper.

