The report, “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace,” steps into a little bit of advocacy, as the title suggests, but generally provides a succinct and reliable summary of U.S. privacy laws, what they cover, what they don’t cover, and what various parties are proposing should be covered.
The report was prepared in conjunction with the inquiry by Sen. Rockefeller’s committee into data collection for marketing purposes. Both the December 19, 2013, committee hearing and the committee’s staff report focus on that issue. The GAO report, with its broader focus, provides a useful overview of the circumstances that make data privacy such a bedeviling policy concern.
First, most of our current federal privacy laws predate the technologies that raise data privacy issues. As shown by the GAO’s timeline illustration, reproduced below, all major current privacy statutes predate key developments like behavioral advertising, location-based services, social media, mobile apps, and mobile payments. And even for technologies that have been around for a while, like the World Wide Web, we’re handling them under older statutes like the 1914 FTC Act and the landline telephone-era Electronic Communications Privacy Act of 1986.
Second, the newest technologies, especially mobile technologies, are driving the data privacy debate. The move of commerce and content to the Internet has led to new abilities to collect, collate, use and sell data, and new opportunities to use that data for innovative marketing and other services. Issues involving mobile apps, location tracking, and mobile payments are front and center. Technology truly has created a new data environment.
Third, there are serious concerns on all sides, and we need to be wary of simplistic, broad-brush solutions. While many privacy advocates seek comprehensive one-size-fits-all privacy laws, our history has favored more conservative sector-by-sector approaches, and a broad new law could seriously inhibit innovation and the beneficial uses of data. And while the business community generally favors self-regulatory approaches, the unprecedented technological developments, and the increasing recognition that old privacy laws are unsuited for modern issues, may force some new federal action — in which case businesses need to be involved in the debate so that their concerns are addressed. As just one example, different privacy rules should apply to business-to-business and business-to-consumer communications, as I advocated in an article in the National Law Journal earlier this year.
Finally, the report suggests that even the U.S. data privacy debate will increasingly look to international standards and privacy concepts. The report points to the Fair Information Practice Principles (FIPPs), which enjoy the endorsement of the Organisation for Economic Co-operation and Development, as the de facto international standard. And, in a lapse into advocacy, it suggests that “gaps exist” in U.S. privacy laws simply because our laws don’t embody all FIPPs. FIPPs are, and ought to be, debatable, but it is increasingly clear that they will be regular reference points in the debate. Similarly, notions like users’ ability to access, control and correct their personal data — rights recognized in Europe but not generally in the U.S. — will be discussed more and more here.
If you are interested in data privacy, the GAO report is a good start. Take advantage of it — as this debate continues, even a summary is going to take a lot more than 18 pages.