Last week, United States lawmakers in the House of Representatives proposed awarding the Federal Trade Commission (FTC) $1 billion USD to set up a bureau dedicated to improving data security and privacy and fighting identity theft.
The proposal, which Democrats plan to include in a $3.5 trillion USD spending measure, would fund a new bureau over 10 years to address "unfair or deceptive acts or practices relating to privacy, data security, identity theft, data abuses, and related matters."
According to congress members, it is "long past time that the FTC have the tools it needs to keep pace with the online marketplace and those who would undermine it."
The FTC, which enforces antitrust law, has picked up the job of pushing corporations to better protect consumer data and privacy as it enforces rules against deceptive practices.
For example, in 2020, it settled with Zoom over allegations that the company misled consumers about the level of security it provided.
There exists no single set of privacy requirements or data privacy management across the U.S.
In the European Union, the General Data Protection Regulation (GDPR) provides the strongest protections for consumer data, all within a single piece of legislation.
By contrast, the U.S. has no fewer than eight different federal privacy laws, and even more current and planned state ones:
The Fair Credit Reporting Act (FCRA) covers information in your credit report. It limits who is allowed to see a credit report, what the credit bureaus can collect, and how information is obtained.
The Family Educational Rights and Privacy Act (FERPA) details who can request student education records. This includes giving parents, eligible students, and other schools the right to inspect education records maintained by a school.
The Gramm-Leach-Bliley Act (GLBA) requires consumer financial products, such as loan services or investment-advice services, to explain how they share data, as well as the customer’s right to opt out. The law doesn’t restrict how companies use the data they collect if they disclose such usage beforehand. It does at least attempt to put guardrails on the security of some personal data.
The Electronic Communications Privacy Act (ECPA) restricts government wiretaps on telephone calls and other electronic signals (though the USA Patriot Act redefined much of this). It also sets broad rules concerning how employers can monitor employee communications. But ECPA doesn’t protect against modern surveillance tactics such as law enforcement access of older data stored on servers, in cloud storage documents, and in search queries.
The Children’s Online Privacy Protection Rule (COPPA) imposes certain limits on a company’s data collection for children under 13 years old.
The Video Privacy Protection Act (VPPA) prevents the disclosure of VHS rental records. VPPA hasn’t held against streaming companies, though.
Additionally, three states in the U.S. that have three different comprehensive consumer privacy laws: California, and its California Consumer Privacy Act (CCPA), Virginia's Consumer Data Protection Act, and a privacy act in Colorado. And regardless of which state a company is located in, the rights the laws provide apply only to people who live in these states.
At least four other states — Massachusetts, New York, North Carolina, and Pennsylvania — have serious comprehensive consumer data privacy proposals in committee right now.
And 20 other states have their own proposed laws at various stages of development.
All the data privacy laws make it complicated for consumers — giving them widely different privacy rights depending on where in the country they happen to live — and tedious for companies, who will eventually have to comply with more than 50 different privacy laws, with much of that compliance on a state-by-state basis.
AmChamUS supports federal legislators implementing a well-written data privacy law that could be enforced from a single bureau, which would make it easier for consumers to buy many of the products they are already curious about without needing to worry about the privacy concerns of doing so.
The consumer and economic benefits for growth — which help the U.S. in job creation and business — far outweigh the current ad-hoc and state-level reactionary approaches that have thus far been introduced.
AmChamUS will continue to work with lawmakers on data privacy issues that strengthen data not being abused or be used in a harmful manner to consumers further down the road as technology continues to advance.