By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She is currently writing a book about textile artisans.
The Wall Street Journal reported yesterday that the Association of National Advertisers (ANA) – an industry trade association – is pushing the Federal Trade Commission (FTC) to adopt a new federal law to regulate how advertisers and others collect and use consumer data.
Have the people who run the ANA suddenly and collectively developed a conscience amidst recent revelations of misuse of customer data- such as the explosive NY Times allegations from earlier this week concerning Facebook’s preferential sharing of customer data with tech giants?
Hardly.
Instead, the ANA effort is an attempted end run around state-level efforts to regulate data broadly – an area where the federal government has thus far opted not to tread. In an ANA blog post announcing its “new privacy paradigm” – paradigm being one of those tell words that always makes me check that no one’s swiped my wallet – the organization emphasises that the legislation it envisions should be “preemptive of state laws.”
As a bit of background: at the federal level, the US lags in its data protection policies, especially compared to the EU’s new General Data Protection Regulation (GDPR) – although California has recently enacted the California Consumer Privacy Act (CCPA), which is scheduled to come into effect in 2020.
According to the WSJ, the ANA argues that state-level regulation creates “costly compliance challenges and confusion for consumers”:
“The biggest problem is that these laws are not identical,” said Dan Jaffe, group executive vice president for government relations at the ANA, referring to CCPA and data privacy regulatory proposals in states beyond California. “That creates a very substantial number of problems for advertisers to effectively gather the data they need and reach consumers.”
The ANA prefers a single national standard enforced by the FTC that determines when a data collection or use practice is reasonable under the law.
Or, as expressed in the ANA blog post:
Our data-driven economy, which provides tremendous value to both businesses and consumers, is under unwarranted threat by international and state laws that, while well-meaning, are proliferating and splintering the regulatory structure. Our comments describe the serious defects with both the EU’s [GDPR] and the new [CCPA]. Both have potentially seriously damaging implications for U.S. businesses and consumers. The combined impacts of the GDPR and the CCPA are undermining the competitive marketplace and are particularly harmful to new market entrants and smaller entities.
This overly restrictive approach threatens the free flow of information that is vital to delivering the products and services that consumers value and expect. Unfortunately, numerous other states are considering additional and potentially inconsistent privacy and data security laws. We specifically urged the FTC to carry out a detailed review of the effects of the GDPR and the CCPA on competition and consumers.
Undoubtedly a huge unmentioned motivating factor, as far as data procurers, users, and brokers are concerned, is that the governments of some states – including California – have not been captured to the same extent as the federal regulatory apparatus. So on occasion, states may either enact meaningful consumer protections, and in some instances, state legal officers actually attempt to enforce them.
I am of course well aware that a certain amount of grandstanding occurs at the state level, but nonetheless, the situation is not nearly as dire as the federal state of play — where the deterioration, I should point out, in public policies even remotely reflecting popular opinion and majority needs, occurred well before Trump was inaugurated.
Although Democrats have recaptured the House, the slim Republican majority in the Senate will ensure that consumer protection initiatives continue to be thwarted – and if they somehow were to prevail, Trump would likely veto such legislation.
So, in proposing a new privacy paradigm, the ANA understands there’s little real risk the FTC would come up with a national standard that either mirrors or extends the GDPR or the CCPA. Instead, the blog post recognizes:
There is growing interest in Congress to develop broad federal privacy and data security legislation, and we expect considerable activity in this area next year. We have been meeting with key policymakers to describe the “New Paradigm” and urging them to consider this approach as a better alternative to the sweeping restrictions of the GDPR and the CCPA.
FTC to Consider Consumer Privacy
The FTC has scheduled a hearing on consumer privacy in February. In formal comments responding to an FTC request, the ANA asks the FTC to define “reasonable” and “unreasonable” data practices precisely..
The ANA’s website is a fount of information. I’m aways amazed when I look at such sites just how much information industry trade associations are willing to disclose – although I’m certainly not naive enough to think this disclosure is necessarily complete or fully accurate.
Click, for example, on the Industry Initiatives link, and one pulls up a list of a dozen initiatives “championing causes to make the industry stronger and more knowledgeable.” Or look instead at the public policy initiatives link, to see examples where “[o]ur Washington, D.C., team provides a rigorous legislative and regulatory defense of marketers on the national and state levels.”
I suppose one reason why some information is disclosed is that the intended reader isn’t me – nor, sad to say, other concerned members of the public – but rather industry members of the ANA.
What Framework Would the ANA Like to See?
The ANA distinguishes between two types of uses of data, unreasonable, such as data that would discriminate based on employment, credit eligibility, health care and other similar factors. Another example of this unreasonable category would be pricing a product or service based on race, religion or sexual orientation.
Okay, that’s a starting point. You’ll get no argument from me that using data to discriminate, or set prices on a discriminatory basis, should be banned.
But, the group favors a free-wheeling approach to “reasonable” practices, which Jaffe explained to the WSJ “might include the collection and use of many kinds of sales data, but not “sensitive” data that is protected under existing laws, such as those protecting children and personal health information {Jerri-Lynn here: my emphasis.]
To translate this into plain English, I’m reading this as essentially codifying the status quo, where wild West attitudes and practices allow the sharing, brokering, and manipulation of all sorts of information we willingly but often unknowingly share about ourselves, when we make on-line purchases, access a website, use social media, or visit certain places or follow certain routes.
Calling these practices “reasonable”, I would say stretches my plain English reading of what I think that word means.
How Much of a Threat to Freewheeling Data Sharing Does the California Consumer Privacy Act – and Other Potential State Frameworks – Represent?
California passed a flagship data protection statute during the past summer. According to a June WSJ account:
California lawmakers gave consumers unprecedented protections for their data and imposed tough restrictions on the tech industry, potentially establishing a privacy template for the rest of the nation.
The law, which was rushed through the legislature this week and signed by Gov. Jerry Brown on Thursday, broadens the definition of what constitutes personal information and gives California consumers the right to prohibit the sale of personal data to third parties and opt out of sharing it altogether. The bill applies to internet giants such as Facebook Inc. and Alphabet Inc.’s Google but also will affect businesses of any size that collect data on their customers.
Ashkan Soltani, a digital researcher and former chief technologist for the Federal Trade Commission, said the regulations are the first of their kind in the U.S.
While the law only applies to consumers in California, tech companies will likely shift their policies to conform to the new law given the complexity of carving out conflicting standards. It may also spur Congress to consider federal legislation, coming after multiple hearings in which legislators peppered industry executives with questions about whether they were taking data privacy seriously enough.
Since the bill doesn’t go into effect until 2020, there is ample opportunity for tech groups and all sorts of business and other interests to lobby to get the detailed, final framework to reflect their preferences.
Jerri-Lynn here. The purpose of this short post isn’t to parse details about the pending California framework. Yet I do want to emphasize that California is setting the boundaries for creating state regulatory frameworks that go well beyond anything Washington will likely consider to implement on a national level – especially given the current cast of characters in charge in DC, and their responsiveness to lobbying interests.
And I’ll instead remind readers that in the past, California’s adoption of tough emissions standards de facto led to their implementation nationwide, as automakers were unwilling to create two product lines: one for sale in California, and one for sale elsewhere. (I leave it for readers to weigh in on the ways in which the data privacy universe is distinct, in which it might be possible for companies to conform to the California standards for their California-based customers only, while following looser standards for residents of states that don’t adopt similar restrictions.)
Other states have also started to expand data protection provisions, according to an October Fortune piece:
Data privacy regulation in America is about to become seriously confusing. Since the GDPR came into effect, only some states have expanded their data protection regulations to include breach notification requirements. And state laws governing data breaches vary significantly: Texas imposes civil fines of up to $50,000 per violation, while Georgia imposes no penalty at all.
It’s likely that other states will soon pass their own data privacy legislation. Just over half the public (51%) thinks technology companies should be regulated more than they are now, according to a June 2018 report from the Pew Research Center. As security breaches and privacy concerns continue to make headlines, public awareness of and demand for stronger data protection practices are likely to increase.
The Bottom Line
The ANA effort should therefore be read for what it is: an attempt to replace the burgeoning California and whatever other state regulatory frameworks may emerge with a national standard. The stalking horse is a call for uniformity and consistency, with the preferred outcome being an environment where minimal regulation prevails, the whole thing obscured by noble sounding rhetorical word salad.