We have seen a significant evolution in data privacy compliance and enforcement. With the advances in technology, the public has become concerned about the collection, analysis and application of personal data.
For years, such concerns have been focused in the health care and financial sectors. As the Internet and cell phone use has advanced, consumers have become alarmed as social media companies, cell phone carriers and data miners have been using personal data to profile, target ads and seek consumer demand.
With the importance of personal data, companies have suffered serious data breaches resulting in the theft of large amounts of personal and sensitive data.
Companies are subject to a patchwork of regulation among the fifty (50) states with California and other states leading the way in data privacy enforcement. This patchwork, however, is unworkable in practice. In response to this federal vacuum, Europe and other countries have filled the field with the GDPR.
Data regulation and compliance needs to evolve. A federal statute and regulatory framework is desperately needed. Unfortunately, although there have been numerous attempts to enact federal law to govern this area, Congress has been unable to enact a solution. It is a perfect example of a governing failure.
The Federal Trade Commission has sought to fill this vacuum by stretching its statutory authority. The FTC’s effort, however, is by definition limited. The FTC does not have clear tools to use for enforcement purposes – it does not have a specific privacy law, civil penalty authority or the resources to enact an aggressive enforcement program.
To address data privacy concerns, the FTC relies on general consumer protection statutes. The FTC relies on Section 5 of its authorizing act and its ability to challenge “unfair and deceptive practices.” The FTC also lacks the resources needed to build a real and substantial data privacy enforcement program. Without such clear enforcement responsibilities and resources, the FTC’s ability to enforce basic data privacy requirements has been —and will remain — limited and ineffective.
Congress’ prior attempts to enact a data privacy law have been unsuccessful because of several difficult policy issues.
First, Congress has been divided over a requirement that companies notify law enforcement and the public when a data breach occurs. To ensure such a requirement, Congress has considered a criminal or civil penalty for failure to comply with such a requirement.
Second, Congress has sought to preempt state data privacy requirements in order to establish a federal uniform standard for data privacy standards. Some representatives oppose federal preemption and want to preserve state regulation of data privacy standards in tandem with a federal standard.
Third, Congress has been divided over whether to supplement federal enforcement with private, class action lawsuits based on violations of federal standards. This issue usually divides Republicans and Democrats over whether to create another class action liability for companies that usually benefit plaintiff lawyers in organizing and prosecuting class action cases.
These three issues are significant but while Congress remains stymied on data privacy, the states and foreign government continue to fill the gap in data privacy regulation and enforcement. Companies will continue to face a patchwork of requirements across the states and around the globe.