Last week, the chief executives of more than 50 mid- and large-sized companies urged Congress to pass a national data privacy law to regulate how companies collect, use, and share Americans’ data.
Buried deep within the chief executives’ recommendations for such a law, presented as a policy framework for guidance, was a convenient proposal: Private individuals should not be allowed to sue companies if those companies violate the data privacy law itself.
That idea is just one of a few from the CEOs’ framework that, if included in a federal data privacy law in the United States, would disenfranchise members of the public from asserting their data privacy rights. Other ideas offered by the CEOs include potential pay-for-privacy schemes and overriding the large number of state data privacy protections already signed into law in states including Vermont, Nevada, Maine, and California.
A representative for the CEO group did not respond to questions sent by Malwarebytes Labs.
The involved CEOs are all members of the corporate public policy group “Business Roundtable.” They include Amazon’s Jeff Bezos, Comcast’s Brian Roberts, AT&T’s Randall Stephenson, IBM’s Ginni Rometty, Accenture’s Julie Sweet, and Qualcomm’s Steve Mollenkopf, along with the chief executives for Target, Visa, FedEx, Bank of America, and Dell.
In a letter addressed to the Majority and Minority Leaders of both the US Senate and the House of Representatives, the Business Roundtable CEOs urged Congress to pass, “as soon as possible, a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.”
As the country continues to grapple with how to appropriately codify data privacy into the law, here’s a look at what the Business Roundtable’s framework would allow in terms of data collection, use, and sharing.
No “private right of action”
The last item on the Business Roundtable’s framework is potentially the most important. The Roundtable does not want any federal data privacy law to include a “private right of action.”
That means that, should this proposal get worked into a national data privacy law, if a company violates that law, you, your neighbor, and your family would not have the right to sue the company.
This proposal goes directly against what Todd Weaver, founder and CEO of the company Purism, told Malwarebytes earlier this summer, when he described what should be included in a federal data privacy law. Without a private right of action, Weaver said, members of the public have no meaningful tools to defend their rights.
“If you can’t sue or do anything to go after these companies that are committing these atrocities, where does that leave us?” Weaver said.
The digital rights organization Electronic Frontier Foundation also supports a private right of action for any national consumer privacy law, as such a right would further enable members of the public to fight back against companies that violate the law.
“It is not enough for government to pass laws that protect consumers from corporations that harvest and monetize their personal data. It is also necessary for these laws to have bite, to ensure companies do not ignore them,” wrote EFF Associate Director of Research Gennie Gebhart and Senior Staff Attorney Adam Schwartz. “The best way to do so is to empower ordinary consumers to bring their own lawsuits against the companies that violate their privacy rights.”
In lieu of a private right of action, the Business Roundtable proposed that only state Attorneys General should be allowed to file lawsuits against companies on behalf of their state’s residents—a scheme similar to the one visible in the lacking data privacy protections offered to consumers today.
The Business Roundtable also proposed that the US Federal Trade Commission serve as an enforcer, doling out fines to companies that violate the potential privacy law.
But, following the FTC’s recent slap-on-the-wrist fine issued against Facebook earlier this year—a fine that actually caused Facebook shares to increase in value—it is difficult to see how and why these enforcement measures would effectively curb would-be privacy violations. For instance, it didn’t stop YouTube from violating COPPA regulations.
Pre-emption of state laws
The Business Roundtable framework recommends that a national consumer privacy law “should pre-empt any provision of a statute, regulation, rule, agreement, or equivalent of a state or local government for organizations with respect to the collection, use, or sharing of personal data.”
Here, the Business Roundtable is asking that Congress pass a national consumer privacy law that tosses aside and in fact overrides the current data privacy laws cropping up across the nation.
That means recent state efforts to improve residents’ data privacy would be nullified, including California’s landmark privacy law—the California Consumer Privacy Act (CCPA)—Maine’s ISP privacy bill, Nevada’s new K-12 student data protection law, and Montana’s recent law to allow residents to opt out of the sale of their data to third parties.
Further, legislative efforts in Hawaii, Massachusetts, New York, Pennsylvania, Rhode Island, and Texas, which have all introduced statewide data privacy bills modeled after the CCPA, and similar privacy efforts in Illinois, Minnesota, Connecticut, New Jersey, South Carolina, Louisiana, Oregon, and Washington, could likely be washed away.
Johnny Ryan, chief policy officer at the privacy-forward browser Brave, told Malwarebytes this summer that he did not support a weak federal data privacy bill that pre-empted state laws.
“The federal law should be of equal or higher standard to state laws, and should not undermine state laws,” Ryan said.
EFF also opposes any national data privacy law that would pre-empt state privacy laws.
“Avoiding such preemption of state laws is our top priority when reviewing federal privacy bills,” the organization said. It continued:
“State legislatures have long been known as ‘laboratories of democracy’ and they are serving that role now for data privacy protections. In addition to passing strong laws, state legislation also allows for a more dynamic dialogue as technology and social norms continue to change.”
Privacy opt-in consequences
The Business Roundtable’s national consumer privacy law framework includes recommendations for what rights should be afforded to the public. The individual rights include “transparency,” “consumer control,” “access and correction,” and “deletion.”
At first blush, these rights mirror many of the rights championed by some of the small, privacy-focused companies we interviewed in July. Upon closer inspection, though, the Business Roundtable’s proposed rights leave much to be desired.
Under the umbrella term of “consumer control,” the Business Roundtable framework explains that consumers “should have opportunities to exert reasonable control with regard to the collection, use, and sharing of personal data.”
The framework then goes on to say that “consumers should understand under what circumstances their decision to opt-out (or not opt-in) may result in the organization no longer providing them certain goods and services (for example, free content).”
This individual consumer right focuses on the wrong issue. It recommends that consumers simply be made aware of unfair treatment and does nothing to address the actual unfair treatment.
Malwarebytes Labs previously reported on a similar issue in the federal data privacy law introduced by US Senator Ron Wyden of Oregon. The Senator’s proposal, for all its positive data protections, also includes a “pay-for-privacy” stipulation, in which companies could literally charge consumers a fee for opting out of data collection and sharing.
Though it does not include any mention of a fee, the Business Roundtable framework does present a hypothetical in which consumers can face “circumstances” for opting out of a company’s data collection, and those circumstances can include “no longer providing them certain goods and services.”
That’s not just bad. It’s wrong.
Malwarebytes pushed back against pay-for-privacy schemes earlier this year, and we continue our stance against any legislative scheme that would allow companies to punish consumers for choosing to protect their privacy.
Areas of agreement
Despite the few areas we covered above, the Business Roundtable framework includes several recommendations that echo others made by smaller companies we interviewed this year when asking them about what should be included in a federal data privacy law.
For one, the framework asks that any new national data privacy law achieve “global interoperability,” which the framework describes as “[supporting] consumer privacy while also respecting and bridging differences between US and foreign privacy regimes.”
When Malwarebytes spoke with Ryan from Brave, he emphasized the importance of the world’s most famous data privacy law today—the European Union’s General Data Protection Regulation (GDPR). A national US data privacy law, Ryan added, could benefit from being modeled after GDPR.
“The standard of protection in a federal privacy law, and the definition of key concepts and tools in it, should therefore be compatible and interoperable with the emerging GDPR de facto standard that is being adopted globally,” Ryan said.
The Business Roundtable framework also includes individual rights for consumers to access and correct data collected and stored on them, along with the right for consumers to require organizations to delete personal data collected on them.
Weaver, the CEO at Purism, spoke of similar concepts when describing a “digital bill of rights” that he would like to see codified into US law.
Purism’s implementation and interpretation of these concepts, however, go much further, with recommendations that any federal data privacy law include a consumer right to change providers, a right to protect personal data—including the right to “own and control” the master keys to encrypt their data—and the right to not be tracked.
The Business Roundtable’s consumer privacy law framework is just the latest proposal for what data privacy should look like in the future US legal landscape. It is surrounded by other proposals, like the draft bill written by the Center for Democracy and Technology, the current data privacy laws being considered in several states, and the no fewer than six data privacy bills introduced by US Senators this year.
Further, while the Business Roundtable may count some of the largest, most revenue-driving, marquee corporations in America as members, when it comes to data privacy legislation, big money does not always mean big success.
Earlier this year, the technology industry lobbying group TechNet, which includes some of the exact same companies as Business Roundtable members (Amazon, AT&T, Comcast, Dell, General Motors, Visa, and Accenture), failed to convince California lawmakers to pass two bills that would have weakened the CCPA before it goes into effect on January 1, 2020.
On September 13, TechNet released a statement by Executive Director Courtney Jensen about the fate of California’s data privacy law. In the statement, Jensen sounded like she was asking for pre-emption:
“While we hope the rulemaking process will allow for additional improvements [to CCPA], the importance of federal action to avoid a patchwork of privacy laws has never been clearer, and we urge Congress to act,” Jensen said.
A quick look at the US Senate’s upcoming calendar shows a different reality: No scheduled votes on data privacy. No scheduled hearings on any of the six current, submitted bills.
Instead, individual US states continue to press forward.