Editor’s Note: Jeff Sovern is a professor of law at St. John’s University School of Law and a coordinator of the Consumer Law & Policy Blog sponsored by the Public Citizen Litigation Group. The views expressed here are his. View more opinion articles on CNN.
Many aspects of privacy protection in our country are broken and Congress is not doing its part to fix them. For example, when hackers obtained the private information of 148 million Americans in the 2017 Equifax breach, Congress did virtually nothing – not even coming close to voting on bills, like the proposed Data Breach Prevention and Compensation Act, which would have done more to protect consumer information in the hands of credit bureaus.
Meanwhile, breaches such as the ones at Marriott – that affected about 500 million consumers – Quora, and Dunkin’ Donuts continue to afflict Americans. Those three happened all in less than one week at the end of 2018. And data breaches often lead to identity theft, which hit record highs in 2017, with 16.7 million victims.
If it were up to Congress we might never have learned of any of these breaches. No law required companies suffering data breaches to notify the public until California required breach disclosures in 2003. Other states followed, and that is why we know of the Equifax and other breaches. California has once more stepped into the privacy gap. It has enacted a new law which in 2020 will give Californians the ability to learn what companies know about them and direct that the information not be sold to others. Just as with its 2003 data breach law, the new California statute will change what we know about what businesses know about us, perhaps in ways we cannot now predict.
California passed its new law because, at present, consumers cannot ascertain what businesses know or have figured out about them. Sometimes it’s not obvious: for example, Target can tell from a woman’s purchases whether she is pregnant and tailor its marketing accordingly, according to a 2012 report by the New York Times. (In a statement, to the Times, Target declined to say what demographic information it buys or collects.)
But the California law may never take effect. Businesses are urging the Congress that did little after the Equifax breach to pass a federal privacy law to protect companies from state privacy laws. Businesses argue that complying with the laws of different states is expensive. It may indeed add to the expense of operating in multiple states, just as complying with many other different state laws does, but it is a cost worth incurring. If we hadn’t allowed states freedom to choose their own course on privacy, California might never have passed its 2003 data breach notification law, with the result that we might never have learned how prevalent data beaches are and businesses would have less of an incentive to protect data.
Not only has Congress stalled on passing important bills, it has failed Americans by not giving the Federal Trade Commission – the leading federal privacy protection agency – the tools it needs to protect consumers. The FTC staff is only two-thirds the size of what it was during the first year of Ronald Reagan’s administration, despite the more than 40% increase in the country’s population since then, and the fact that the Commission now polices internet privacy.
And the Commission’s budget – less in 2018 than in 2012, even without taking inflation into account – constrains its ability to bring cases against offenders, even though during FY 2018 the Commission returned $1.6 billion – more than five times its budget – to mistreated consumers.
The federal government has also made it so much harder for the FTC to issue most rules, including privacy rules, that rulemakings take more time than they used to, and often the Commission doesn’t even try to write rules (to make matters worse, the Commission has been largely shuttered by the partial government shutdown).
One reason consumers need help from the states and the FTC is that they can’t protect themselves. Obviously, consumers cannot prevent companies from suffering data breaches. But even when consumers theoretically have control to protect their privacy, many of them fail to do so.
When it comes to these varied privacy problems, Congress has somehow managed to be both comatose and angry. Given its inability to respond nimbly in the rapidly shifting privacy arena, Congress should avoid hamstringing those who can. Any federal privacy law should preserve the power of states to protect consumers so states can continue experimenting and respond quickly to privacy challenges. Congress should also increase the FTC’s budget and give the Commission the power to issue regulations. Congress should follow California’s lead in obliging companies to tell consumers upon request what they know about them and what they do with the information. If Congress cannot help, it at least should not make things worse.