State of privacy: a deep dive into U.S. data protection lawsOct 22, 2020
Originally published on October 22nd 2020. Updated on April 7th, 2021
Around the world, from living rooms to boardrooms to legislatures, data privacy is a salient and growing concern. As more and more aspects of life have shifted online in recent years, people and governments have begun to recognize that our digital actions leave behind footprints. Corporations have long made use of this data to target ads and refine newsfeeds. There is growing recognition -- now accelerated by the covid-19 pandemic -- of the risk we face if we do not establish proper safeguards around data privacy. The widespread nature of data collection, and the perceived risk of having so much information about the daily activities of anyone who uses the Internet, has led lawmakers to begin to intervene.
The United States is the birthplace of the Internet and maintains tremendous leverage over it. Alongside the European Union, it is usually considered one of the key bellwethers of Internet regulation in the Western world. But unlike the E.U., whose General Data Protection Rule (GDPR) applies some of the world's strongest privacy standards across the entire 27-nation bloc, the U.S. has no federal statute addressing data collection. Instead, it is governed by a patchwork of laws and regulations promulgated by its various states, with diverse implications for Internet users in different parts of the country (and the world).
Here we take a detailed look at the various privacy laws and regulations in effect or under consideration across the United States.
The California Consumer Privacy Act (CCPA) and Proposition 24
In the absence of any purpose-made privacy law at the federal level, guidance and clarity around the subject falls to the states, which have begun to spell out legal protections for people's online privacy. The first and most noteworthy of these is the California Consumer Privacy Act -- more commonly known as CCPA. The law -- which passed in 2018 and took effect at the start of 2020 -- is the first of its kind in the United States and, alongside the E.U.'s GDPR, one of the first globally. The rules, parameters, and concepts it lays out have, in addition to offering new data privacy protections for those in California and beyond, set out a framework for similar legislation in other parts of the country and the world.
CCPA is often compared to GDPR -- for good reason. The law's passage was partly spurred by the E.U.'s perceived leadership in tackling online privacy, and the two laws have largely overlapping provisions. Both cover similar concepts and practices, including imposing restrictions around the tracking and collecting of people's data, requiring businesses to inform users of their data collection practices, and safeguards around data security.
But the two laws also have important differences, the biggest of which is geographic scope. GDPR does not take people's residency or citizenship into consideration -- any data that passes through the E.U. or concerns E.U. citizens anywhere is covered. By contrast, CCPA specifies that consumers must be California residents in order to qualify for the law's data protection -- though it is already becoming clear that many businesses are nevertheless likely to extend these benefits to many people outside the state.
CCPA is important in the context of the U.S. for a number of reasons. California is the nation's most populous state as well as its largest economic engine. Its GDP is the world's fifth-largest, greater than that of India, the United Kingdom, or France. Moreover, there is already precedent for lawmakers in Sacramento establishing standards that are adopted nationwide. The state has long had the right to establish more stringent emissions standards for vehicles, for instance -- and these standards are followed by other states and often adopted by automakers throughout the country. Since businesses often build to the strictest regulations, CCPA may have a similar effect, with Internet companies instituting privacy policies that align with the rule for their users throughout the United States.
And because so many of the world's tech titans have their headquarters and major offices in California -- Facebook, Apple, Netflix, Google, Uber, Twitter, and many more -- a law promulgated there is likely to have an outsize impact on the industry, just as financial regulations and enforcement activities in New York have national and global implications for that industry.
For example, Google has published guidance around CCPA for businesses using its software: "[Businesses] should work with their legal advisors to determine whether and how they should comply with CCPA. This includes making a decision about whether to place a "Do Not Sell My Personal Information" link on their site or in their app and whether to enable restricted data processing in the Google products they plan to use." It seems likely that many businesses, wary of falling afoul of CCPA, will implement its regulations such that they encompass all users, whether in California or not.
Moreover, states including New York and Nevada as well as the District of Columbia are following California's lead, writing provisions identical or similar to those contained in CCPA directly into their own state laws. Since these jurisdictions are home to many of the nation's most important functions and power centers -- tech and media in California, finance and media in New York, and the federal government in Washington, D.C. -- a great deal of U.S. Internet activity is soon likely to fall under a data privacy regime similar to CCPA's.
And the 2018 law is not the final word on digital privacy -- either in California or in the U.S. more broadly. Less than a year after CCPA took effect, voters in the golden state passed Proposition 24, which expands and strengthens privacy protections in a number of important ways. It prevents businesses from sharing personal details, requires them to correct inaccurate information, and severely restricts their ability to use or retain sensitive data such as exact location, health and biometric information, and more. Proposition 24 also establishes the California Privacy Protection Agency, charged with enforcing and implementing consumer privacy laws and imposing administrative fines.
How other states are following California with stronger data privacy laws
CCPA and "Prop 24" are by far the most well-known privacy initiatives in the U.S. -- but they're not the only story. Other states, from the Atlantic coast to the Pacific Ocean, have begun to advance their own privacy laws. These naturally have some overlap with CCPA, but their provisions are specific to their respective states and they contain important points of divergence both from the California law and from one another.
The State of New York, home to the world's largest financial hub and the nation's largest city, is poised to go even further than California if its legislature passes the New York Privacy Act (NYPA), which is currently making its way through the state legislature. NYPA incorporates many of the provisions of CCPA, but expands on them by requiring businesses to act as "data fiduciaries," with strict legal responsibility toward their customers' data -- similar to that of financial institutions toward their investors' capital. Additionally, NYPA imposes an "opt-in" requirement on data collection. Whereas CCPA allows web services to default to collecting data, from which users can opt-out, NYPA would forbid the collection of data unless people actively give their consent. This would represent a significant tightening of data collection standards.
Other states also have privacy bills in various stages of the legislative process. In Massachusetts, a bill that would have adopted many of the same provisions as NYPA is currently tabled, but may be poised to advance during the 2021 legislative session. Notably, this bill also requires companies who suffer a data breach to offer free credit freezes and credit monitoring to those affected -- a potentially significant financial burden.
Maryland and Hawaii also have pending legislation that broadly follows the precedents set by GDPR and CCPA. Like many of the other laws that have been enacted or that are being considered, these bills would require businesses to disclose details of their data collection practices and provide their residents with forms of recourse. The Hawaii bill appears to go farther, as it gives customers the right to demand information on the type of data that is being collected, and for that data to be deleted. It also includes an "opt-out" provision for adult residents. The bill would make it illegal to collect data pertaining to anyone under the age of 16 unless the person actively opts-in.
What about the rest of the states?
In addition to the states discussed so far, many other states also have some form of online privacy legislation in various stages of the legislative process. Many of these appear likely to follow the path charted by California with CCPA. Some may adopt legislation that closely parallels what has been done elsewhere; others may follow New York in adding their own, stronger provisions. Still, other states may adopt entirely unique privacy regulations based on their own politics, culture, and economies.
It must also be noted that not all of the momentum in the U.S. at the state level is in the direction of strong online privacy protections. Certain states -- in particular, those with "pro-business" legislatures that favor a light touch when regulating industry -- may enact laws that limit the degree to which the government can mandate online privacy practices. This is already beginning to happen. For example, in North Dakota a far-reaching privacy bill was recently abandoned. In its place, the legislature passed a law directing a comprehensive study of consumer personal data disclosures.
The current state of online privacy laws in the U.S. is rapidly evolving
The U.S. is in many ways a decentralized nation, with its many diverse and far-flung states entrusted with the job of legislating for anything federal law is silent on. This is no less true in the realm of online privacy, where it has been the states themselves that have taken the first steps toward establishing a legal framework governing how people's online data can be used, when, and by whom.
California is clearly leading the way with CCPA, which is comparable to GDPR in ambition and may have nearly as large a reach. Given the state's status as the largest in the country, as well as its wealth and the number of tech companies headquartered there, it has the effective ability to legislate for many more people and businesses than are actually located within its boundaries. The state's soft power is underscored by the number of states that have, or are currently in the process of, incorporating versions of CCPA into their own legal codes -- which will have the effect of making something similar to CCPA the official law of the land for a large proportion of Americans.
But CCPA isn't the last word on online privacy in the U.S. Unique legislative efforts are underway in many states. Some of these, if passed, would mandate even stronger protections for people's data. Others, though, look to chart a different course: one of low regulation intended as part of a pro-business platform.
At the federal level, it remains to be seen whether, or when, comprehensive action will be taken around data privacy. State laws have often served as templates for an eventual nationwide rule -- it is possible that eventually, this will also be the case for data collection and online privacy. For the time being, however, the U.S. remains a patchwork.
Moreover, it is unclear what form any federal data collection rule might take. It's likely that some states will favor loose regulation in order to make it as easy as possible for businesses to operate. It therefore cannot be ruled out that any eventual nationwide legislation could adopt a "light-touch" approach that makes it relatively easy for online businesses to collect user data. The federal government (in line with other governments around the world) is already moving to effectively ban end-to-end encryption with the "Lawful Access to Encrypted Data Act of 2020."
At the federal level, there has also recently been a great deal of discussion around the law known as Section 230. Part of the 1993 Telecommunications Act, Section 230 stipulates that online platforms are not responsible for the content their users post -- meaning services like Twitter and YouTube cannot be held accountable for their users' actions and activities. The rule has come under attack from multiple sides and for different reasons; there are roughly two dozen bills currently pending in Congress that would abolish the law, reduce its scope, or establish new requirements for businesses that wish to enlist its protection.
With so much activity at both the state and federal level, it is impossible to know what the legal landscape will look like for online privacy. Pressure is being exerted from different directions -- sometimes with regard to the same laws and issues. And while nothing is certain yet, it's possible to envision a future in which the Internet is regulated in a highly centralized way, with the government mandating certain protections for users while reserving ultimate jurisdiction to monitor web activity for itself.
The best way to stay safe online, regardless of local regulations, is to combine high-quality tools such as privacy-oriented web browsers and VPNs. Orchid, a decentralized privacy marketplace, brings together the services of many of the top VPN providers, allowing users to configure multiple "hops" between them. This makes it more difficult for any third party to see someone's web traffic, since the journey is split across many different servers. By combining the best tools in a decentralized solution like Orchid, it's possible to reclaim the Internet as a place to explore freely.
Download the Orchid app to start exploring the Internet freely.
If you enjoyed this blog, subscribe here for privacy news, commentary, and product updates from Orchid.