California’s sweeping new privacy law, the California Consumer Privacy Act, has forced Congress to seriously consider comprehensive federal privacy legislation for the first time. With House and Senate panels beginning to develop principles for privacy regulation, and tech companies embracing the possibility of federal privacy regulation after years of resistance, the battle to shape federal regulation is underway. If Congress wants to ensure that consumers are protected, though, it should take care not to repeat the mistakes of the past by stripping states of their power to protect privacy.
The support of Facebook, Google and others has come with a catch: The industry wants a federal law that would be based on voluntary and flexible standards instead of binding rules and that would overrule stronger laws enacted by the states. The companies argue that complying with a patchwork of 50 different state rules would be unworkable. The not-so-veiled goal is to ensure that states can’t enact strong privacy protections.{mosads}
We’ve been down this road before with other laws that try — and fail — to protect consumers on the Internet. Anti-spam laws are a good example. Two decades ago, as spam started to make up more and more email traffic, the federal government was slow to respond. Starting in 1997, Congress considered several anti-spam bills, but couldn’t come to a consensus. So states filled the gap, with 36 of them enacting anti-spam laws by 2003. Two of those laws, in California and Delaware, banned spam outright. And most of the rest provided strong remedies when spammers ignored unsubscribe requests or sent emails from fake addresses, with 33 states letting consumers sue spammers.
With California’s outright ban scheduled to go into effect in 2004 and Congress torn between competing bills, the marketing industry acted. In November 2003, the Direct Marketing Association, American Association of Advertising Agencies, and Association of National Advertisers published an open letter demanding that Congress “avert a crisis that will bring legitimate electronic commerce” — spam — “to a screeching halt.” The letter worked, and two weeks before California’s ban would have gone into effect, Congress agreed on a federal anti-spam law.
The federal law, the CAN-SPAM Act, has been a failure. It requires senders to let recipients unsubscribe from mailing lists and bans misleading subject lines and routing information in unsolicited commercial email. But it authorizes companies to send unsolicited emails in the first place and overrides state laws that would go further. Fifteen years after the law was enacted, spam still makes up more than half of all email traffic. And spammers routinely ignore the law, with few consequences.{mossecondads}
Today, Internet companies want the same thing the marketing industry did in 2003: protection from aggressive state lawmakers. The California law, scheduled to go into effect in 2020, shows just how big the threat might be. The law will force companies to disclose how and why they collect personal information about their users. It will let a user opt out of this collection and require companies to delete information they have about the user. It will force companies to disclose when they sell information about a user and let users opt out of these sales. And it will let users sue when companies fail to keep personal information secure and allow a data breach.
For the most part, these provisions don’t go as far as Europe’s General Data Protection Regulation. But they’re threatening nonetheless because they go to the heart of the Internet’s advertising-driven business model. Internet companies depend on building and monetizing detailed profiles of individual users. But if California lawmakers have their way, companies might be forced to find new business models that don’t depend on personal data
So it is not surprising that Internet companies see a threat. And they’re right that uniformity is important, just as the marketing industry was in 2003. Complying with 50 inconsistent state privacy laws — let alone dozens more around the world — would be a recipe for chaos.
But there is no reason that a uniform federal law must be one that guts privacy protections. Internet companies have many years of experience with voluntary privacy standards that do nothing to protect privacy. The failure of industry self-regulation is why policymakers are increasingly imposing meaningful limits. If Internet companies want the benefit of a uniform federal privacy law, then it’s time for them to respect user privacy and follow real, meaningful privacy rules, not more voluntary industry standards.
Roger Ford is an associate professor of law at the University of New Hampshire, where he teaches privacy and Internet law, and a visiting fellow at the Yale Information Society Project.