Corban Rhodes and Ross Kamhi, Labaton Sucharow
We are at a pivotal moment with respect to how the law protects consumer personal information. The public, however, is largely unaware of the concerted opposition that protection legislation faces from technology giants.
As information technology expands at a blistering pace, questions about how companies may go about gathering, using, distributing, and safeguarding their customers’ information loom large. Legislators and regulators have struggled not only to keep pace with these changes, but also to establish who will lead the conversation.
While the federal government has taken a backseat role in passing legislation that protects consumer privacy rights, many state legislatures have stepped up to fill the void, introducing laws aimed at regulating the types of information companies can collect and what companies must do before they can disclose such information. But states have experienced challenges passing such legislation, often facing pushback from large technology companies that depend on the collection of user data to generate revenue. This has produced an ongoing battle at the state level between privacy advocates and technology companies over the appropriate breadth of such regulations.
The Federal Government Rolls Back Privacy Protections. The federal government under the Trump administration and the current Republican-controlled Congress has begun pulling back on the regulation of consumer data.
On Dec. 2, 2016, during the final weeks of the Obama administration, the Federal Communications Commission (FCC) issued a regulation, known as “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” aimed at requiring Internet service providers, such as Comcast, Verizon, and AT&T, to protect the confidentiality of customer proprietary information.
The rules would have required that Internet service providers, among other things, (1) obtain affirmative consent and opt-in customer approval to use and share customer proprietary information, including financial information, geo-location information, and web-browsing history; (2) take reasonable measures to secure this customer information; and (3) provide notification to customers, the FCC, and law enforcement in the event of data breaches that could result in harm.
However, before these rules had even gone into effect, Congress passed legislation in March 2017 nullifying these rules, and that legislation was signed into law the following month. As a result, Internet service providers can freely share customers’ sensitive confidential information, including browsing data, app usage, and personally identifiable information, without providing notice to consumers or obtaining their consent.
State Legislators Have Stepped Up to Fill the Void, But Big Business is Pushing Back. While the federal government has rolled back efforts to secure customer data, states have taken matters into their own hands, introducing new legislation aimed at protecting consumer privacy rights. But these efforts have faced significant hurdles because large technology companies have so far successfully lobbied against the passage of sweeping regulations.
The battle between privacy advocates and the technology industry has been most active in Illinois, where, during 2017, state legislators introduced a number of laws aimed at protecting consumer privacy, including the Geolocation Privacy Protection Act (GPPA), which aims to prevent companies from collecting, using, storing, or disclosing a smartphone user’s geolocation information unless the entity provides notice and receives affirmative express consent. Despite the bill’s narrow focus, business groups pushed back, and were largely successful at limiting its scope.
Indeed, early drafts of the GPPA specifically provided a private right of action, entitling a person whose rights are violated to recover liquidated damages of $1,000 or actual damages, whichever is greater, as well as attorney fees and costs, and other relief a court may deem appropriate, such as an injunction. While the bill was up for debate in the Illinois legislature, it underwent significant changes, including removal of the private-right-of-action provision, which many privacy advocates view as an important safeguard against a company’s violation of privacy laws. Certain crucial groups were also provided exemptions from the law, including Internet, wireless, and telecommunications service providers.
On June 28, 2017, the Illinois legislature passed this narrowed version of the bill. While the passage of the GPPA was a notable success for privacy advocates, the limited focus of the version that ultimately passed in the Illinois legislature reflected the strength of the technology industry’s lobbying efforts. Ultimately, the bill never became law, as Illinois Governor Bruce Rauner vetoed the bill on Sept. 22, 2017.
A similar battle is currently playing out in Illinois with respect to the Right to Know Act, also introduced in 2017, which would require websites or apps to inform consumers about certain information-sharing practices. Many websites and social-media services collect vast amounts of detailed personal information about consumers, and rely on sharing this valuable information with third parties to generate revenue. The Right to Know Act aims to provide consumers with greater transparency about these information-sharing processes, requiring commercial websites and online services that collect or disclose personal information of Illinois residents to (i) identify all categories of personal information that are collected or disclosed; (ii) identify the third parties with whom that information is shared; and (iii) provide a description of a customer’s rights, as specified in the statute.
An early draft of the Right to Know Act provided a private right of action, but, as with the GPPA, this provision was later removed, and is not in the version of the bill that is currently pending before the Illinois legislature. Still, even this narrowed version of the proposed law appears unlikely to pass the Illinois House, where it is currently stalled, as it has seen a number of co-sponsors rescind their support following significant pushback from the business community.
Attempts in other states to protect consumers’ privacy rights have faced similar fates. Earlier this year, a number of states, including Alaska, Connecticut, Montana, New Hampshire, and Washington, debated laws that aimed to protect consumers’ biometric information (that is, biological-identifying information, such as fingerprints and face scans) from collection, requiring companies to provide notice and obtain consent before collecting such information. These proposed laws were largely modeled after an existing Illinois statute, the Illinois Biometric Information Privacy Act of 2008 (BIPA), which requires companies to obtain informed, written consent before collecting biometric data and provides aggrieved consumers a private right of action and statutory damages.
These states’ efforts to pass biometric-information-privacy laws have all largely failed, in part because the technology industry has successfully pushed back against the proposed statutes. As the use of facial recognition technology has become more widespread in the technology industry, a number of companies have faced lawsuits under BIPA for their alleged collection of biometric information from users. Passage of similar laws in other states would potentially expose these companies to additional legal liability.
The proposed bills in Alaska, Connecticut, Montana, and New Hampshire all failed to pass, and only in Washington did the proposed bill become law. But that bill was significantly narrowed in ways that reflect the successful lobbying efforts of the technology industry. For example, the Washington law’s definition of “biometric identifier” is far narrower than how it is defined under the Illinois law, and specifically carves out biometric identifiers generated from photos, which will likely limit the law’s application to social media companies that use facial-recognition technology. The Washington law also does not provide a private right of action.
What’s Next? As the legal system struggles to keep pace with rapid technological innovation and the privacy issues that come along with it, certain states have taken the lead, proposing laws that seek to protect consumers’ privacy rights without stifling innovation. Not surprisingly, this has produced an ongoing battle between privacy advocates and the business community about the appropriate breadth of such regulations. Recent court decisions have added further fuel to the fire, including the Ninth Circuit’s August 2017 decision on remand from the Supreme Court in Robins v. Spokeo, — F.3d —, 2017 WL 3480695 (9th Cir. Aug. 15, 2017), which found that the harm stemming from a violation of the Fair Credit Reporting Act—which provides statutory damages for a violation—was concrete enough to establish standing. This decision will likely make it easier for consumers to demonstrate standing in cases involving statutes that provide statutory damages for violations of certain privacy rights.
While large technology companies so far have been successful at limiting the passage of sweeping legislation, increasing scrutiny from consumers and regulators alike suggests that the battles have only begun.