US Private Sector Privacy Chapter 05 Federal and State Regulators PDF
MGT 6727 (Spring Semester 2024) at Georgia Tech
Chapter 5 – as of 01/29/2024 © IAPP

NOT FOR DISSEMINATION. The materials in this course are provided only for the personal use of students in this class in association with this class.

Important guidance from the FTC on the future of privacy and security enforcement has recently come from proposed rules, workshops, reports, and advice, including: the 2022 Proposed Rules concerning Commercial Surveillance, the 2020 Workshop on Data Portability, the 2022 Advice for Health App Developers, the 2022 Staff Report on Dark Patterns, and the 2022 Vision on Section 5 Authority to Address Unfair Methods of Competition.

5.5.1 FTC’s Proposed Rules concerning Commercial Surveillance

In 2021, President Joe Biden issued Executive Order 14036, in which he urged the FTC to exercise its rulemaking authority to address “unfair data collection and surveillance practices.” [67] In 2022, the FTC announced its intent to consider rules on surveillance practices and data security. The proposed rules focus on surveillance practices, defined as “the collection, aggregation, analysis, retention, transfer, or monetization of commercial data and the direct derivatives of that information.” As of this writing, the FTC has started this rulemaking process under Magnuson-Moss, but it is unclear whether these rules will be enacted. Even if the rules are adopted, they would be further developed after this writing. [68]

5.5.2 FTC Workshop on Data Portability

In 2020, the FTC held a workshop concerning the benefits and challenges posed by data portability, which refers to the ability of individuals to obtain and reuse their personal data for their own purposes across different services. Attendees of the workshop included regulators, industry representatives, consumer advocates, and academics. Specific topics discussed at the workshop included: (1) how data portability can empower consumers and promote competition without compromising data security; and (2) the tension between opening data flows (to promote competition and allow for user control) and closing data flows (to protect consumer privacy and prevent unauthorized access). [69]

5.5.3 FTC Advice for Health App Developers

In 2022, the FTC issued advice tailored to health app developers regarding data security, including data minimization, limiting access and permissions, focusing on authentication, considering the mobile ecosystem, and implementing security by design. The FTC suggested that health app developers consider the following questions, which may also provide insights for companies in other sectors as they grapple with how to address security concerns:

- Do you need to collect and retain people’s information?
- Can you keep the data in a de-identified form?
- What permissions does your app really need?
- How does your app generate credentials?
- Are you relying on a mobile platform to protect sensitive data?
- Do you incorporate data security at every stage of your app’s life cycle: design, development, launch, and post-market?
- Do you use strong encryption at rest and in transit?
- Are you taking advantage of what experts have already learned about security? [70]

These inquiries may help many companies, particularly those that deal with sensitive data, as they work out how to address security concerns.

5.5.4 FTC Staff Report on Dark Patterns

Following an FTC workshop on the topic in 2021, the FTC issued its 2022 Staff Report on Dark Patterns. Dark patterns are sophisticated design practices that can trick or manipulate consumers into buying services or products or into giving up personal information. The report focuses on four common dark pattern practices: disguising ads and misleading consumers about content; making it difficult to cancel charges or subscriptions; hiding or obscuring key terms and bogus fees; and tricking consumers into sharing data. [71]

5.5.5 FTC Vision on Section 5 Authority to Address Unfair Methods of Competition

In 2022, the FTC issued a policy statement announcing its intent to broaden its vision of Section 5 enforcement. Section 5 analysis focuses on “stopping unfair methods of competition in their incipiency based on their tendency to harm competitive conditions,” rather than only on whether the conduct caused actual harm. The FTC notes that the focus is on whether the company’s conduct has a tendency to create negative consequences, such as raising prices, limiting choices, lowering quality, reducing innovation, impairing other market participants, or reducing the likelihood of competition. The 2022 statement emphasized that Section 5 “does not require a separate showing of market power or market definition” when the evidence indicates a tendency toward anticompetitive effects. Such a showing is required under virtually all other antitrust statutes. [72]

5.6 State Enforcement

There is a complex interplay between federal and state privacy protections. We dedicate two chapters of the book to examining state comprehensive privacy laws and state data breach notification laws. In this chapter, we provide an overview of the state-level framework for enforcing privacy protections. This section begins by examining the role of the State Attorneys General, the primary enforcers of these protections in most states. Next, we discuss the tradition in all 50 states of consumer protection laws known as Unfair and Deceptive Acts and Practices (UDAP) statutes. We then introduce the state comprehensive privacy laws recently enacted in a handful of states and how these laws acknowledge protections provided at the federal level; these state laws are examined in detail in Chapter 6. We next introduce state data breach notification laws, which have been passed in all 50 states and are further discussed in Chapter 7. This section concludes with an overview of additional privacy protections at the state level.

5.6.1 State Attorneys General

In all 50 states, State Attorneys General (State AGs) are constitutional officers whose office is established under the applicable state constitution. State AGs are popularly elected in nearly all states and are typically viewed as among the most powerful officials in their respective states. [73] State AGs have traditionally enforced privacy protections at the state level. Although State AGs often have sole enforcement authority for state-level privacy protections, sometimes there is a private right of action, or the AGs share enforcement authority with another entity within the state. In addition, certain federal statutes allow State AGs to bring enforcement actions alongside the relevant federal agency. These federal laws include HIPAA (Chapter 8), GLBA (Chapter 9), and CAN-SPAM (Chapter 10). [74]

5.6.2 State UDAP Statutes

The states have a lengthy legal tradition of providing consumer protections, especially since the 1960s. Today, each of the 50 states has a law roughly similar to Section 5 of the FTC Act, commonly known as an Unfair and Deceptive Acts and Practices (UDAP) statute. The FTC Act does not preempt state laws on unfair and deceptive trade practices so long as they do not conflict with the requirements of the federal law. Some statutes also allow enforcement against “unconscionable” practices, a contract law term for a range of harsh seller practices. [75] Several states allow private rights of action under their UDAP laws so that individuals can bring suit against violators. [76] UDAP laws are enforced by State Attorneys General. [77]

5.6.3 State Comprehensive Privacy Laws

In the absence of a federal comprehensive privacy law, a number of states have recently enacted comprehensive privacy laws, and many other states are considering this type of legislation. Chapter 6 (State Comprehensive Privacy Laws) details the 5 state laws that had been enacted as of the writing of this book in early 2023. The definition of personal information in these state comprehensive privacy laws, which is broader than the definition found in state data breach notification laws, typically applies to any data that can be associated or linked with a particular individual. These state comprehensive privacy laws acknowledge the various federal privacy laws by incorporating numerous references to them. This section examines the interaction with federal protections for children’s data as well as with federal sectoral privacy laws.

5.6.3.1 Interaction with Federal Protection for Children’s Data

Each of the state comprehensive privacy laws has special rules governing how companies handle the data of children, although the specific approach varies. Most of these state laws reference the Children’s Online Privacy Protection Act (COPPA) for procedures on how to obtain parental consent for children’s data. COPPA is discussed in Section 3.4.

5.6.3.2 Interaction with Federal Sectoral Privacy Laws

The state comprehensive privacy laws provide two types of exemptions related to the interplay with federal sectoral privacy laws. Some states exempt from compliance those entities that are subject to a specific federal law; these are referred to as entity-level exemptions. Other states exempt only the data that is protected by the federal law; these are known as data-based exemptions.

HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) focuses on protected health information (PHI) held by covered entities, such as healthcare providers seeking electronic reimbursement. Of the 5 state comprehensive privacy laws in place at the time of the writing of this book in early 2023, Connecticut, Utah, and Virginia exempt HIPAA entities, while California, Colorado, Connecticut, Utah, and Virginia generally exempt data that is regulated under HIPAA. The specific requirements of HIPAA are discussed in Chapter 8 (Medical Privacy).

GLBA. The Gramm-Leach-Bliley Act (GLBA) applies to the use of non-public personal information held by financial institutions, a broad term including banks and securities firms. Of the 5 state comprehensive privacy laws in place in early 2023, Colorado, Connecticut, Utah, and Virginia exempt GLBA entities, while California, Colorado, Connecticut, Utah, and Virginia generally exempt data that is regulated under GLBA. The specific requirements of GLBA are discussed in Chapter 9 (Financial Privacy).

FCRA. The Fair Credit Reporting Act (FCRA) regulates consumer reporting agencies (CRAs) that furnish consumer reports. All 5 of the state comprehensive privacy laws in place in early 2023 (California, Colorado, Connecticut, Utah, and Virginia) exempt entities covered by the FCRA, and these states generally exempt data that is regulated under this law. The requirements of the FCRA are discussed in Chapter 9 (Financial Privacy).

DPPA. The Driver’s Privacy Protection Act of 1994 (DPPA) prohibits state departments of motor vehicles (DMVs) from releasing the personal information of drivers without their express permission, except where a permissible use exists. [78] The DPPA defines personal information to include the information used by the state department in connection with issuing the driver’s license, such as name, address, telephone number, and driver identification number. [79] The DPPA further limits the permissible uses of highly restricted personal information, including Social Security numbers, photographs of individuals, and medical/disability information. [80] The DPPA has recently received attention because it is referenced in numerous state comprehensive privacy laws. All 5 of the state comprehensive privacy laws in place in early 2023 (California, Colorado, Connecticut, Utah, and Virginia) provide an exemption for personal data that is “collected, processed, sold, or disclosed” pursuant to the DPPA. [81]

5.6.4 State Data Breach Notification Laws

State enforcement of information security lapses has been especially prominent, driven by data breach notifications. Since California enacted the first breach notification law in 2002, every state has passed a breach notification law. These laws are detailed in Chapter 7 (State Data Breach Notification Laws). [82] The definition of personal information in state data breach notification laws is tailored to protecting individuals from identity theft and fraud. In the majority of these laws, the focus is therefore on an individual’s first name or first initial and last name in combination with one or more of the following: (1) Social Security number; (2) driver’s license number or state identification card number; or (3) financial account number or credit or debit card number. Many of these laws require organizations to furnish State AGs with reports about breaches when they occur, and they often confer enforcement authority on State AGs if the breach notification reveals that inadequate security controls were in place.

Data breaches often involve the theft of identifiers unique to an individual, such as Social Security numbers, that can lead to identity theft. This subsection therefore turns to state protections for Social Security numbers as well as state identity theft laws.

5.6.4.1 State Protections for Social Security Numbers

In the U.S., a Social Security number is a nine-digit number issued to U.S. citizens, permanent residents, and certain other residents. The number is associated with retirement benefits under the federal law known as the Social Security Act of 1935. Under this act, states are permitted to require individuals to furnish this number to establish eligibility for unemployment compensation and various welfare programs. [83] The federal government places a variety of limits on disclosure of Social Security numbers, including a prohibition on having the numbers visible through the window of Treasury-disbursed check envelopes. [84] The DPPA, discussed earlier in this section, curtailed the widespread use of Social Security numbers by state DMVs. [85] Over time, Social Security numbers became a de facto identifier requested, and often required, in government and business transactions. [86] Once this evolution in the use of Social Security numbers occurred, these numbers became key to successful identity theft schemes. Largely in response to concerns about identity theft, states have enacted a variety of legal protections for Social Security numbers; these protections can be found in state comprehensive privacy laws, state data breach notification laws, and specific state laws limiting businesses’ right to use Social Security numbers. [87] California law, for example, prohibits businesses as well as state and local agencies from using Social Security numbers for a variety of purposes, including public posting, printing on mailings (unless mandated by federal law), and printing on ID or membership cards. [88] Additionally, this law prohibits businesses from requiring that customers transmit their Social Security numbers over an unencrypted internet connection.

5.6.4.2 State Identity Theft Laws

In 2003, Congress made substantial amendments to the Fair Credit Reporting Act (FCRA) when it passed the Fair and Accurate Credit Transactions Act (FACTA), discussed in Chapter 9 (Financial Privacy). [89] Although FACTA preempted many state laws related to consumer credit reports, states retained the power to enact laws addressing identity theft. [90] As of the writing of this book, all 50 states have enacted identity theft laws. More than half of the states permit restitution for victims of identity theft. [91]

5.6.5 Additional Privacy Protections at the State Level

States provide a variety of privacy protections in addition to the laws already detailed in this section. As discussed in Chapter 2 (U.S. Legal Framework), numerous state constitutions expressly recognize a right to privacy. State common law is an additional source of privacy enforcement. Plaintiffs can sue under the privacy torts, which traditionally have been categorized as intrusion upon seclusion, appropriation of name or likeness, publicity given to private life, and publicity placing a person in a false light. [92] Plaintiffs may also sue under a contract theory in certain situations, such as when a physician, financial institution, or other entity holding sensitive information breaches a promise of confidentiality and causes harm. States also have many other specialized statutes protecting privacy. These state laws exist for the medical, financial, workplace, and other sectors, as discussed in the relevant chapters of this book. [93]

As with federal law, new issues arise with changing technology. States, for instance, are examining the appropriate rules for personal information collected in connection with smart cities. [94] Two state laws provide insight into the national implications that can result when a state addresses specific privacy concerns, particularly in the absence of federal legislation on the topic. In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA), which requires companies, including employers, to notify individuals of their biometric practices and to obtain informed consent before using individuals’ biometric data as part of these practices. In 2015, the private right of action in BIPA gained national attention with the filing of a series of class-action lawsuits. Businesses continue to struggle with how to address the requirements of BIPA in their nationwide approaches to the use of biometric information. [95] In 2022, California enacted the Age-Appropriate Design Code Act, modeled on the UK’s act, which places legal obligations on businesses that provide online services or products likely to be accessed by children under the age of 18. As the name implies, the law requires covered businesses to make design choices in their services and products that protect children, such as configuring default privacy settings to provide a high level of privacy for children. The law also mandates restrictions on the use of children’s data by covered businesses and extends these requirements to situations that would negatively impact children’s physical or mental wellbeing. [96] California’s actions in this area are particularly important and influential because of the size of the state’s economy and because California has jurisdiction over the country’s largest technology companies and platform providers.

5.7 Self-Regulation and Enforcement

The term self-regulation refers to a variety of approaches to privacy protection. Self-regulation, like government regulation, can occur through the three separation-of-powers components: legislation, enforcement, and adjudication. [97] Legislation refers to the question of who should define appropriate rules for protecting privacy. Enforcement refers to the question of who should initiate enforcement actions. Adjudication refers to the question of who should decide whether a company has violated the privacy rules, and with what penalties. For enforcement under Section 5 of the FTC Act or state UDAP laws, self-regulation occurs only at the quasi-legislative stage (i.e., voluntary industry rule-making): a company writes its own privacy policy, or an industry group drafts a code of conduct that companies agree to follow. Under Section 5, the FTC can then decide whether to bring an enforcement action, and adjudication can occur before an ALJ, with appeal to federal court. Referring to this approach as self-regulation is somewhat confusing because a government agency is involved at the enforcement and adjudication stages.

Other self-regulatory systems perform all three roles without the involvement of a government agency. For example, the Payment Card Industry Data Security Standard (PCI DSS) provides an enforceable security standard for payment card data. The rules were drafted by the PCI Security Standards Council, which built on previous rules written by the various credit card companies. [98] Except for small companies, compliance with the standard requires hiring a third party to conduct security assessments and detect violations. Failure to comply can lead to enforcement, decision-making, and penalties as set forth in the standard. Consequences can include cutting off the violator from receiving payments from Visa, MasterCard, or other payment card systems, as well as penalties of $5,000 to $100,000 per month. [99]

Third-party privacy seal and certification programs play an important role in providing assurance that companies are complying with self-regulatory programs. Services offered by TrustArc, the Better Business Bureau, and others provide methods for third parties to oversee compliance. [100] Companies may demonstrate compliance, and thus improve consumer confidence, by displaying a trust mark in the form of a seal, logo, or certification showing that the company participates in a certification program. Such participation can also serve as a way to comply with legal requirements. One prominent self-regulatory effort involves the Digital Advertising Alliance (DAA), a coalition of media and advertising organizations. The DAA helped develop an icon program intended to inform consumers about how they can exercise choice with respect to online behavioral advertising. The AdChoices system allows users to click on an icon near an ad, or to visit the AdChoices website, and choose to what extent they will view behavioral ads from participating advertisers. [101]

It is important to note that self-regulation is controversial. Privacy advocates and supporters of the European approach to data protection often express concern that industries are not strict enough when creating, adhering to, and enforcing privacy rules or codes of conduct. European regulators, for instance, say that privacy is a fundamental human right and that data protection authorities (DPAs) should be involved in defining and protecting that right. [102] Supporters of self-regulation tend to emphasize that industry has greater expertise about how its systems operate and therefore should lead the creation, establishment, and enforcement of those rules. [103]

5.8 Conclusion

In this chapter, we have examined the complex legal framework for providing privacy protections in the U.S., including the interplay between federal and state enforcement of privacy. In the absence of a federal law that provides comprehensive privacy protections, privacy practitioners need to understand how the different parts of this framework interact.