At a hearing last year, then Senate Commerce Committee Chairman John Thune of South Dakota said that “the question is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape it should take.”
We agree. The time is now for Congress to step up to the plate, and work with industry and privacy advocates to craft a balanced law that protects the right to consumer privacy in the 21st Century while promoting continued innovation. Industry will do its part to work hard to reach the compromises needed to make this happen.
As part of this legislative effort, policymakers must balance the legitimate interest in privacy against another policy interest – the right to disseminate public domain information, which is guaranteed by the First Amendment. A healthy democracy requires both, and we need a full and open conversation about how to resolve any tensions between these two.{mosads}
This resolution has to be consistent with our nation’s fundamental values and traditions. Under existing First Amendment jurisprudence, that means privacy laws must be structured to accomplish their important purpose in a way that is the least restrictive of speech.
This is not a theoretical issue. The 2018 California Consumer Privacy Act got it wrong by imposing restrictions on the use of public records that almost certainly violate the First Amendment.
Under the new law, California residents will be able to block businesses from using information that relates to them that is publicly available, often [typically] because it has been released publicly by government agencies. When the Act goes into effect, therefore, people will be able to veto the inclusion of information about themselves in commercial databases and publications, even if this information is already in the public domain.
This is a terrible policy that would cripple the achievement of vital public purposes including detecting terrorist financing, fraud and money laundering. It would hamper the ability of companies to manage political and economic risk and comply with crucial government regulations such as the Treasury Department’s Know Your Customer rules which enable businesses to verify the identity of clients and assess potential risks of illegal intentions.
If these public records restrictions were needed to protect consumer privacy, these downsides might be worth considering. But they do not increase privacy, since the information is already in the public domain. Furthermore, the government agencies that release this data have already screened it to remove sensitive details such as specific medical or financial information.
This lack of focus on a compelling public purpose means that the measure also violates the First Amendment. These limitations on the dissemination of publicly available information impose a heavy burden on protected speech without advancing a compelling governmental interest, or even a substantial one. These provisions therefore violate the First Amendment rights of the businesses whose speech is burdened by them, as well as of potential users of the information that the businesses provide.
In addition, the Act discriminates among speakers and on the basis of speech content, which separately violates the First Amendment. It prevents large businesses from distributing publicly available information, but not small businesses. It stops a business risk management company from disclosing a person’s criminal record, but allows a newspaper to put the same information on its front pages. Consumers are able to authorize companies to distribute positive information but block negative information and direct one business not to use their personal information while allowing another business to use the very same information.
If not rectified during the reconsideration underway in California right now, the public records part of the new law and potentially the entire Act is at risk of failing a constitutional challenge in court.
None of this is to question the very real need for stronger consumer privacy protections in today’s digital world. But it does mean that policymakers must find a way to balance competing values as we construct a legal framework for privacy. Our Constitution requires such a balance, and it makes for good public policy.
Jeff Joseph is President and CEO of the Software & Information Industry Association. Follow him on Twitter @jajoseph.