The act set out to govern how federal agencies could use the personally identifiable information they held, requiring permission from the owner of the data in order for it to be shared with another agency. While exceptions were plentiful (e.g., statistical uses like the Census, routine government business, congressional investigations, law enforcement), the intention was to protect citizen privacy from government overreach. People also have the right under the law to review and ask for changes to information held about them by federal agencies.
There have been a couple of updates to these broad policies over the years that took into account database matching programs (1988) and added exemptions for the Department of Homeland Security (2007) related to travel. An executive order in 2017 eliminated Privacy Act protections for non-citizens.
What’s absent from these updates, however, is sweeping federal policy that acknowledges the added vulnerabilities unearthed in recent years by the data practices of private-sector players that trade in personal information on a massive scale. In light of the European Union’s General Data Protection Regulation (GDPR), companies operating in the U.S. feverishly updated their privacy policies to clarify their business practices to consumers. But it’s still the job of the individual to opt out. There’s a growing belief that this burden is misplaced, and that it should rest with the service provider who should have to secure an opt-in to data sharing from users of their services.
While we wait for the feds to act with some updated national rules, many states have stepped in with their own privacy solutions. According to legislative tracking website Quorum, more than 200 pieces of legislation on privacy have been debated in state legislatures so far this year alone.
I’ve written before in this column about the California Consumer Privacy Act, which empowers consumers with additional rights relative to the collection and use of their personal data. Gov. Gavin Newsom has further proposed a “Data Dividend” that would put a price on an individual consumer’s data and potentially allow them to profit from it.
Meanwhile in Maine, as we were preparing to publish this issue of the magazine, Gov. Janet Mills signed what has been called the strictest privacy law to date in the United States. The bill requires Internet service providers to get permission from consumers before they sell their personal information. The bill also says ISPs can’t make the sale of data a mandatory part of their service terms, nor can they punish those who opt out by charging them more or by any other means. While it only pertains to ISPs (for now), Maine has charted new territory with the country’s first “opt-in” bill.
Our cover story includes an interview with the author of Washington state’s much-debated attempt at a privacy law in its most recent legislative session. Ongoing back-and-forth with tech giants resulted in a bill that was ultimately stymied by privacy advocates who felt its protections didn’t go far enough. While stopping short of Maine’s “opt-in” approach, the bill by state Sen. Reuven Carlyle would have allowed consumers to know what data was being gathered and whether it was being sold. Further, consumers under the bill could correct inaccuracies, delete their information altogether and opt not to have their information sold.
Carlyle has vowed to try again in the next session. He won’t be the only one. We’ll continue to follow legislative efforts across the country, as well as when the issue makes sufficient headway to lead to a new federal privacy policy reflective of the Internet economy.
“From the standpoint of efficiency, it would be much easier to have a federal law that gave everyone exactly the same standards and the same road map for dealing with data and data protection,” said Maryland Secretary of Information Technology Michael Leahy. “But I think it’s a bit early to move in that direction.”
It promises to be a bumpy few years.