Do you recall the words of the President in the State of the Union address on the need for a new set of standards to protect personal privacy? In case you forgot:
“One measure of a truly free society is the vigor with which it protects the liberties of its individual citizens. As technology has advanced in America, it has increasingly encroached on one of those liberties–what I term the right of personal privacy. Modern information systems, data banks, credit records, mailing list abuses, electronic snooping, the collection of personal data for one purpose that may be used for another–all these have left millions of Americans deeply concerned by the privacy they cherish.
And the time has come, therefore, for a major initiative to define the nature and extent of the basic rights of privacy and to erect new safeguards to ensure that those rights are respected.
I shall launch such an effort this year at the highest levels of the Administration, and I look forward again to working with this Congress in establishing a new set of standards that respect the legitimate needs of society, but that also recognize personal privacy as a cardinal principle of American liberty.”
The reason you may have forgotten is because those were not the words of Barack Obama, or even the words of his five predecessors. Those are the words of Richard M. Nixon in his 1974 State of the Union address. Ironically, seven months after that stirring tribute to personal privacy, Nixon was driven from office following gross violations of privacy committed in his name. And the only privacy legislation to result that year was the Privacy Act of 1974, restricted to government-created systems of records.
In the decades since Nixon’s call for new safeguards, Congress has enacted privacy laws to protect health records, financial information, information about children and even video rental records. But we are still without a comprehensive privacy law in the U.S.
In the meantime, new and challenging privacy issues have arisen with the advance of technology, including online tracking of our Internet activities, online financial transactions, geolocation tracking of our mobile devices, new ways for information to be collected about our kids, social media sharing, the collection, sharing and retention of sensitive medical information, facial recognition, cloud computing, mobile app collection of data, the Smart Grid and, of course, data breaches. Privacy has become front-page news, as the continuing Wall Street Journal series “What They Know” demonstrates. And while no new major legislation has come out of Capitol Hill, shine-the-light hearings on the privacy practices of various companies have been frequent in the House and Senate.
Earlier this year, the Obama administration proposed a “Privacy Bill of Rights.” Under the bill, consumers would have control over what personal data companies collect from them and how they use it. They would have understandable and accessible information about companies’ privacy and security practices. They would have a right to expect that companies will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data. They would be provided with secure and responsible handling of personal data. They would be given a right to access and correct personal data appropriate to its sensitivity and the risk of adverse consequences to consumers if the data is inaccurate. They would have a right to reasonable limits on the personal data that companies collect and retain. And companies would be required to have appropriate measures in place to assure they provide sufficient privacy protections.
The administration’s proposed vehicle for implementing the proposed Privacy Bill of Rights is baseline privacy legislation enforceable chiefly by the Federal Trade Commission (FTC), with a safe harbor for companies subscribing to binding privacy codes of conduct to be developed through a multi-stakeholder process. (Even before the enactment of such legislation, a multi-stakeholder group has begun meeting to develop a privacy code for mobile apps.)
Also this year, the FTC issued a report adding weight to the administration’s proposals and drawing particular attention to the largely unseen practices of data brokers. The FTC urged businesses to make privacy a “default setting.”
Despite the urgency of the privacy issue in this era of rapid technological change, there is virtually no chance a comprehensive privacy law will come from Congress in the few remaining legislative days in this election year (not to mention the difficulty of passing anything remotely complicated in a Congress characterized by chronic stalemate).
So does that mean that businesses can relax when it comes to privacy, and assume that, just as a comprehensive privacy law did not result during the nearly four decades since Nixon’s State of the Union exhortation, it is not likely to enter into force anytime soon?
It would be a mistake for any business to assume that the demand for greater privacy protections will subside, even if a new federal law is unlikely. Recent FTC enforcements under Section 5 of the FTC Act show the agency to be significantly more aggressive in the privacy arena. Privacy practices that deviate from stated policies or that are fundamentally unfair are subject to investigation and enforcement actions, regardless of a company’s intent. At the Department of Health and Human Services, enforcement of health privacy rights is a new priority. The National Association of Attorneys General has made privacy its major focus for the coming year. Civil actions that so far have been thwarted by the absence of financial harm sufficient to support standing to sue or to fulfill the elements of statutory or common law claims are being allowed to proceed under novel theories of harm and liability. Moreover, companies are seeing reputational harm in the marketplace from the glare of publicity when privacy or data security missteps occur.
It would be folly for a company to treat privacy in a business as a usual manner, because change is occurring in the U.S. privacy framework. The increased regulatory enforcement is one reflection. In addition, Americans are more aware and concerned about privacy than ever. Pressure is coming from the European Union (with its stricter privacy laws) and countries that follow the EU’s lead.
This period in the evolution of privacy regulation can be likened to the period just before the passage of major environmental laws in the 1970s. People are waking up to the significance of the issue; Congress, federal agencies and state attorneys general are focusing attention on it. It is only a matter of time before more comprehensive laws are passed. Companies that pay greater attention to privacy now and offer greater consumer protections will be ahead of the game when the inevitable stricter legal framework emerges.