The Devil is in the Details for Data Privacy
In a rather unusual move, the Committee on House Administration (CHA) — whose primary jurisdiction is oversight and “the day-to-day operations of the House of Representatives” — recently held a hearing to discuss data privacy. While the first tranche of witness testimony was centered around the Government Publishing Office’s treatment of personally identifiable information, the real meat of the hearing focused on consumer data privacy.
Ranking Member Rodney Davis (R-IL) poignantly observed that the CHA is not the committee with primary jurisdiction over consumer data privacy, has held “exactly zero markups”, and has only formally discussed a single substantive policy issue this session. This odd turn of events begs the question: Why did the CHA spend its valuable time on the issue of consumer data privacy?
The short answer is that the CHA is chaired by Rep. Zoe Lofgren (D-CA) who, in conjunction with Rep. Anna G. Eshoo (D-CA), recently reintroduced sweeping data privacy legislation known as the Online Privacy Act.
More Americans than ever are concerned about the privacy and security of their personal information as they surf the web. Polling from Morning Consult found that 56 percent of Americans would support “a federal data privacy law”. It is rare that a singular (and relatively wonky) issue like data privacy receives such broad-reaching public support. Taking it one step further, a 2019 poll from Pew Research Center showed that 81 percent of Americans feel “they have very little/no control over the data companies collect”, and 79 percent “are very/somewhat concerned about how companies use the data collected”.
Clearly, federal data privacy legislation is something that the American people want. But, as with most polling on public policy issues, these numbers disguise the reality that people can deeply desire change in the abstract and just as deeply despise it in the concrete. I imagine that this would be the case if the Online Privacy Act were to be enacted as drafted.
The Online Privacy Act would establish various new rights and obligations related to data privacy and security. Most notably, the bill would allow individuals the right to access and request deletion of their data and demand human review of automated decisions. On the platform side, the bill would require opt-in consent for using personal data, ban the selling of personal information without express consent, and mandate certain data minimization procedures. It would also create a new federal agency, dubbed the Digital Privacy Agency, to enforce the new law.
Certain provisions of the Online Privacy Act could benefit consumers. Changes related to data minimization — limiting the collection, processing, and disclosure of personal information to reasonable, articulated uses — could benefit users and bolster our nation’s cybersecurity. Requiring companies to issue their privacy policies in plain language rather than complicated legalese could allow users to be much better informed about what is being done with their personal information.
Unfortunately, when it comes to the Online Privacy Act, the bad far outweighs the good. For example, granting individuals the right to human review of any automated decisions sounds good in theory, but is practically and technically impossible. Internet platforms rely heavily on automation to deliver their product to consumers, and requiring human review would impose incredible compliance costs.
How would companies even begin to comply with this provision? They could certainly look at “what personal information is being or may be used for such decision”. But if the algorithm is a black box, all the company could do is confirm that the data being used in the decision is accurate. Are we to expect companies to allow individuals to review the source code for their algorithms?
The creation of a new Digital Privacy Agency is also problematic. With an already opaque and bloated federal bureaucracy, there is little need to authorize $550 million to stand up a new agency with little oversight beyond biannual reports. The Federal Trade Commission — which already has broad authority over privacy and security enforcement — could just as easily manage the implementation of the Online Privacy Act.
Perhaps the least reasonable portion of the bill is the enforcement provisions. The Online Privacy Act would grant a private right of action that allows for injunctive relief, civil action for damages, and class action representation. The civil monetary penalties for violating the Online Privacy Act would be up to $43,792 per individual per violation (for continuing violations). Multiply that by millions or billions of users and, to paraphrase Sen. Everett Dirksen, soon you’re talking about real money. Add on to this the potential for criminal proceedings and it becomes clear that this bill is seeking to extract a pound of flesh from Big Tech.
Regardless of whether or not the primary committees of jurisdiction decide to take up the Online Privacy Act, the issue of data privacy isn’t going away. However, the devil is always in the details and Congress should be wary of proposals that mix a disdain for Big Tech with prescriptive solutions for data privacy. As it moves forward on data privacy, Congress must ensure that any proposal put up for a vote is technologically feasible and does not impose undue compliance costs on smaller firms which would hamper innovation.
Americans deserve a federal data privacy regime. But the Online Privacy Act isn’t it.