Warm Up: Learn a New Term
For our warm up this week, let’s talk about what strong enforcement mechanisms look like. An enforcement mechanism is the part of a privacy law that ensures that companies actually comply, whether that be through oversight, fines, or criminal charges. A strong enforcement mechanism is one that provides consumers adequate redress when they have been harmed by a business and deters companies from breaking the law in the first place. A weak enforcement mechanism can be ignored, typically either because the law cannot be effectively policed by those responsible for overseeing it or because the consequences for breaking the law are so low that they are considered just another cost of doing business.
CR believes that comprehensive privacy laws need strong enforcement provisions in order to incentivize compliance and deter harmful data abuses!
- The State Problem. Many state privacy laws and proposals only allow the Attorney General to enforce the law, which is problematic, considering they usually lack the resources and expertise to take on more than a handful of cases per year.
- Even worse, many state laws and proposals include a “right to cure” which allows the business to break the law, so long as they fix the issue after the AG notifies them.
- A Potential Solution. CR advocates for privacy laws that include a Private Right of Action (PRA), which allows individuals (like you!) to bring legal action against businesses that do not comply with the law.
- PRAs have led to some of the most significant privacy breakthroughs in recent memory, such as the successful case brought against Clearview AI in Illinois under BIPA. That case led to Clearview ceasing to sell its facial recognition database to private entities nationwide.
- The National Problem. The lack of a federal privacy law also deprives the FTC of specific enforcement authority over such a law – leaving them with general Section 5 authority to enforce against unfair or deceptive practices (which is much narrower than a privacy law that grants them enforcement authority). In the meantime, the FTC is seeking to create more specific privacy rules through its Commercial Surveillance and Data Security Rulemaking, though that is likely years away from reaching fruition.
- The U.S. Gold Standard of Privacy Enforcement. Unfortunately, we do not yet have a comprehensive privacy law that allows for the type of rigorous enforcement consumers need. By contrast, CR’s Model State Privacy Act’s enforcement provisions (sections 5 & 6) combine government enforcement and statutory damages with a private right of action that applies to all provisions of the law. Other strong enforcement provisions to look for in privacy laws include: the creation of a specific privacy regulator (as was done through the CCPA, which created the California Privacy Protection Agency), a ban on binding pre-dispute arbitration clauses, and no so-called “right to cure” periods that give businesses a get-out-of-jail-free card.
Workout: Start by Identifying Privacy Legislation in Your State
The goal here is to better understand your privacy rights in your state. It may well be that you have very few. It all starts with awareness. This week’s workout includes a pop quiz to help you better understand your state’s privacy legislation. You can use resources like the IAPP US State Privacy Legislation Tracker for guidance, plus we’ve created this study card for you and included an answer key to the pop quiz in case you get lost.
Stretch Goals: Learn More About Statewide Legislation
Alright. You may be feeling relieved after that research… or maybe you are feeling motivated to fight for your privacy! Don’t worry, there’s more you can read and more you can do. There is a lot of cool new privacy work coming out of California that shows us all what strong legislation and regulation look like, and what they mean for consumers. Continue reading below.
- Volunteer: Are you in a state that does not have strong and comprehensive privacy legislation on the horizon? Do you want to be the privacy champion in your state? Write us an email (Community@cr.consumer.org) and let us know, and we’ll work with you to figure out how to introduce strong, comprehensive privacy legislation to your state.
- Continued Reading:
  - Read More on California’s new data broker law, the Delete Act, from CR Policy Analyst, Matt Schwartz
  - Read More on the CCPA’s new draft rules from CR Policy Analyst, Grace Gedye
  - Read More on how Big Tech is influencing privacy legislation in many states
  - Read NYT Reporter Kashmir Hill’s buzzy new book on facial recognition/Clearview AI