June 24th, 2011
Why privacy legislation is hot now
More than at any time in the past decade, privacy hearings and proposed legislation are spreading across Capitol Hill. Until now, you could always make money betting against a privacy law passing in Congress. Today, many experts are saying that momentum is building for major legislation, although the shape of that legislation is still unclear.
This round of privacy action is driven by three historic trends, plus other factors that are coming together now.
First is location data. While Apple’s Steve Jobs called the Android a “probe in your pocket,” Apple itself has been brought before both the Senate Judiciary and Commerce committees to try to explain why it was collecting detailed location information on the iPhone. For the first time in history, most Americans are carrying a tracking device — a cell phone — with them in their daily lives. There is great uncertainty about who gets to see that tracking information, including for advertising and law enforcement purposes.
Second is social networking. Facebook has gone from nothing to half a billion users in only a few years. The social networks point out that users voluntarily put that incredible amount of material up on the sites. But this is all so new that the rules of the road are not yet clear.
Third is online behavioral advertising. The Wall Street Journal ran a major series showing the astonishing range of ways that companies can track your activity on the Web — even if you turn off cookies and try to stay anonymous. The companies say that this data is benign, because computers simply choose which ads to show you. Privacy advocates, though, say that these databases give unprecedented insight into what we read and how we think, leading to a scary potential of misuse down the road.
Along with these three mega-trends, Congress is seriously considering federal data-breach legislation, to harmonize state laws and address the Sony PlayStation and other high-profile recent breaches. Major cloud computing companies and civil liberties groups are supporting the Digital Due Process Coalition, which favors a judicial search warrant before law enforcement can gain access to the exabytes of data stored in the cloud. And, there is pressure on the international front, as the European Union considers tightening its own data privacy laws and as India, Mexico and other countries are in the process of putting EU-style privacy laws on the books.
A flashpoint for action could be children’s privacy, where family-values Republicans and consumer-protection Democrats can most easily come together politically. Mark Zuckerberg has publicly discussed bringing under-13s directly into Facebook, but no one knows with what rules. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have released a discussion draft of the “Do Not Track Kids Act of 2011” to offer the choice not to have behavioral advertising and related tracking for those under the age of 13. And no one knows who will get to see the location information of children — parents will and stalkers won’t, but there are still-to-be-developed rules for those in-between. On June 27, the Center for American Progress will host an event highlighting children’s privacy issues, called “Tracking: Where you are, what you see, and what you do.”
The biggest legislative question might be whether to go with general privacy principles or sector-specific rules. For the first time in history, the administration itself has come out in favor of broad-based privacy legislation for the private sector. The closest fit to the administration vision is the Kerry-McCain “Commercial Privacy Bill of Rights,” which notably would provide individuals with the legal right to opt out of having their information shared for marketing purposes. This sort of general legislation contrasts with sector-specific proposals, such as a recent bill by Sens. Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) that targets smartphone location information.
With the convergence of all of these technical changes, the current period most resembles the late 1990s. At that time, Congress approved sector-specific laws for medical privacy (HIPAA) and financial services (Gramm-Leach-Bliley), but held off on a general law to protect privacy on the Internet. With so many sectors having specific laws by now, however, the time may well be ripe for a bill that provides basic privacy protections more generally.