American GDPR? The GAO’s Case For A Consolidated Internet Privacy Law

Remember Cambridge Analytica? You should, because they remember you! That particular breach spurred the US Government Accountability Office (GAO) to conduct a sixteen-month review of the current state of Internet privacy in America. They concluded what we all knew, but they were able to officially state it on the record to Congress: the US has no consolidated Internet privacy statute. Their recommendation: we need one!

The GAO publicly released their report (spurred by the loss of 87 million Facebook users’ personal data) two days ago, on February 13th. If you happen to look at the publication date, it reads January 15th, but you’re not a month behind the power curve: the GAO gives some stakeholders a chance to digest the results and recommendations before it goes public.

The report’s main recommendation was that “Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment.” Currently, federal Internet privacy is covered by a patchwork of regulations, from the Children’s Online Privacy Protection Act (COPPA), overseen by the Federal Trade Commission (FTC), to the Health Insurance Portability and Accountability Act (HIPAA), which is overseen by the Department of Health and Human Services. The takeaway: the current state of affairs includes both gaps and limitations.

Taken directly from the report

The FTC has three major enforcement areas: unfair practices, deceptive practices, and COPPA. Deceptive is easy and seeks to answer the question, “Did the company break their own privacy policy?” If the company says they will not collect or use user data but then they do, they (probably) get a violation. “Unfair” is a harder standard to prove. COPPA applies to children under thirteen or, more broadly, to general audiences which can include children under thirteen. Violations presented in the report are usually for collecting children’s information without parental consent, or for location tracking. The HIPAA Privacy Rule covers healthcare data privacy, and if you really want to read more about HIPAA, there are plenty of great write-ups out there. There are some other industry-specific privacy regulations, but for most consumers, if their data is not healthcare-related and the company is operating within its privacy policy (the 300-page terms of service document you didn’t read but said you did), the company can pretty much do whatever it wants. If you are interested in the terms of service bottom line, there are repositories like Terms of Service; Didn’t Read that have summaries and ratings of different websites.

Stakeholders interviewed by the GAO had some creative suggestions on how to solve the current gaps and problems. For example, the FTC is authorized to take action against companies that engage in “unfair and deceptive” practices, but some stakeholders suggested that Congress might develop an entirely new office to enforce privacy outside of the FTC, which would authorize a different standard. Stakeholders suggested that a consolidated framework would also allow either the FTC (or the new entity) to take proactive action instead of waiting for a complaint to conduct a review. Most agreed that any new legislation should effectively balance the need to collect and use data with consumers’ right to privacy. They expressed concerns that any new framework should be flexible and technology-neutral, which would help continue to promote innovation.

Ultimately, the GAO suggested comprehensive legislation and posed three primary areas for consideration. First, they suggested Congress figure out who is in charge of Internet privacy: the FTC, the FCC, another existing office, or a new office. Second, Congress needs to outline the specific authorities that the office in charge has. This includes the ability to make rules, similar to how OSHA develops workplace safety rules. Third, Congress needs to decide how to balance consumers’ Internet privacy needs with the industry’s need to innovate. I think it’s important to remember that the GAO can only make suggestions to Congress. It will be interesting to see where, if anywhere, Congress heads with the information and suggestions in the report.

The GAO was created in 1921, works directly for Congress, and aims to “improve accountability by alerting policymakers and the public to emerging problems throughout government.” Honestly, they write some really interesting reports, like the one on the Equifax breach and its lessons learned (which I wrote about) and this one on building integrated information technology teams.