Companies are creating a vast data sphere, inflating it with information about every single one of us, and it is exponentially expanding every day. At times, our data is being taken with little regard for personal data privacy rights and used in surreptitious ways, the least of which is for targeted advertising. Sometimes it’s used in harmful ways, such as in automated racial profiling for interest rate adjustments. As our data is collected and sold to numerous third parties, the risk of potentially devastating data theft from leaks and breaches increases exponentially, as well.[1]
The rapidly expanding data economy undergirding nearly every aspect of online activity is, however, invisible to the average internet user. In the U.S., a lack of clear, comprehensive legislation regulating how consumer and personal data is collected, stored, shared, and/or sold has led to a widespread belief that “privacy is dead.” Many of us are hopelessly resigned about our lost personal data privacy rights.[2]
Surveying successful data privacy laws may help mitigate American despair. Learning what is working elsewhere can help restore our confidence in personal data privacy rights. It may also help us craft equitable and sustainable legislation enshrining our personal data privacy rights and protecting us not only for today, but well into the future.
Keep reading to explore the current state of personal data protection and privacy rights in key U.S. federal and state privacy laws, and Europe’s General Data Protection Regulation (GDPR). We’ll also explore essential elements needed for future-proofing personal data privacy rights in a single overarching and equitable federal regulation.
The Current State of Personal Data Privacy Law
Germany’s Data Protection Law, the first in the world, passed in 1970, followed in 1974 by Sweden’s Data Act. Since the European Union (EU) adopted GDPR in 2016, personal data privacy laws have been trending across the globe. Brazil, India, Japan, South Korea, Canada, and the state of California have used GDPR as a model for their regulations. Although these new laws have varying degrees of data protection, many share some of GDPR’s essential principles.[3, 4]
In the following sections, we’ll briefly explore the core principles of GDPR, as well as U.S. federal and state data privacy laws.
EU General Data Protection Regulation (GDPR)
As the gold standard for data privacy law, GDPR provisions regulate companies that process the personal data of EU citizens and residents, including companies located outside the EU.[4] Penalties for violating GDPR can reach €20 million or 4 percent of global revenue, and individuals may seek compensation for damages, as well.
Personal privacy rights covered by the GDPR include [5]:
- The right of access
- The right to be informed
- The right to data portability
- The right to erasure
- The right to object
- The right to rectification
- The right to restrict processing
- Other rights related to automated profiling and decision-making
U.S. Federal Privacy Laws
Unlike the EU, the U.S. has a hodgepodge of federal laws covering very specific types of data, including [1]:
- Children’s Online Privacy Protection Rule (COPPA): Restricts data collection from children under 13 years old
- Electronic Communications Privacy Act (ECPA): Regulates employer-based monitoring of employee communications and limits government wiretaps on phone calls and other electronic signals
- Fair Credit Reporting Act (FCRA): Protects credit report information, limiting what data credit bureaus can collect, how it's collected and who is permitted to view it
- Family Educational Rights and Privacy Act (FERPA): Protects student education record requests, providing other schools, eligible students and parents the right to request and view student records maintained by schools
- Gramm-Leach-Bliley Act (GLBA): Requires companies offering consumer financial products to disclose how they share data and to allow customers the right to opt out
- Health Insurance Portability and Accountability Act (HIPAA): Protects communications between patients and "covered entities," like doctors, hospitals, insurers, pharmacies, and similar businesses
U.S. State Data Privacy Laws
California, Colorado, Connecticut, Utah, and Virginia currently have enacted data privacy laws, giving residents of these states some degree of control over their data. In general, subject companies must disclose if they are selling data and residents have the right to access, correct, delete, and/or move their data or opt out altogether from data sharing.[1, 6]
California's Consumer Privacy Act (CCPA) was adopted in 2018 specifically to protect consumer rights. The California Privacy Rights Act (CPRA) amends and expands the CCPA, aligning it more closely with the EU's GDPR by adding greater emphasis on personal data privacy rights. The CPRA takes effect on Jan. 1, 2023.[4, 7, 8]
Massachusetts, Michigan, New Jersey, North Carolina, Ohio, and Pennsylvania have comprehensive data privacy proposals currently in committee. Other states have privacy bills that are currently inactive. Some data privacy experts believe many of these state proposals are watered-down “privacy” bills designed by Big Tech to preempt greater personal privacy protections.[1, 6, 9]
Future-Proofing Personal Data Privacy is Crucial
With such a confusing array of privacy laws, Americans are understandably unsure of their personal data privacy rights. Whitney Merrill, a data protection officer and privacy attorney, believes a federal law would ease the confusion. “We need a federal law that thinks about things in a much more consistent approach to make sure that consumers understand and have the right expectation over rights that they have in their data,” said Merrill.[1]
Kate Ruane, senior legislative counsel for the First Amendment and consumer privacy at the American Civil Liberties Union, agrees. “We can create a better internet—a better world—that is more privacy protective,” Ruane states.
Amie Stepanovich of the Silicon Flatirons Center says, “You want that hopelessness to go away, and for people to know: You are being protected while you’re doing this activity.”[1]
Future-proofing our personal data privacy is clearly crucial. We need to start building that better world today. The following provisions offer a strong foundation upon which an equitable and sustainable federal privacy law should be constructed [1]:
- Privacy by Default: Prevent companies from collecting personal data unless consent is given
- Personal Privacy Rights to Data: Protect everyone's right to access, correct, delete and/or move their personal data
- Data Minimization: Restrict data collection to what's minimally necessary for providing products or services
- Civil Nondiscrimination: Protect civil rights by preventing automated profiling and discrimination based on data collected
- No Privacy Rights Discrimination: Prevent companies from incentivizing data collection consent and/or penalizing people who don't consent to data collecting
Repairing the ‘Privacy is Dead’ Despair
For most of us, navigating life without the internet is impossible. Avoiding risks by retreating to an offline existence is simply not an option. As Amie Stepanovich puts it, “Privacy isn’t about not using tech. It’s about being able to participate in society and knowing your data isn’t going to be abused, or you’re not going to have some harm down the road because of it.”[1]
Future-proofing our personal data privacy by implementing an equitable and overarching federal law will help secure sustainable data privacy rights in the United States. It will also go a long way toward repairing Americans’ “privacy is dead” despair.
Both online programs at Yeshiva University address privacy laws in different ways. Whether you are an attorney looking to carve out a niche in intellectual property law, or a working professional ready for an impactful career as a leader in data and privacy law, consider Yeshiva University’s Cardozo School of Law online programs. Our online Master of Laws (LL.M.) in Intellectual Property Law is perfect for those who hold a J.D. and are looking to expand their skill set in this exciting area of law. Our online Master of Studies in Law (MSL) in Data and Privacy Law is designed for professionals to learn the law without the need for a traditional three-year J.D. program. Schedule a call with our knowledgeable Admissions Advisors today.
1. Retrieved June 11, 2022, from nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/
2. Retrieved June 11, 2022, from forbes.com/sites/neilsahota/2020/10/14/privacy-is-dead-and-most-people-really-dont-care/
3. Retrieved June 11, 2022, from isaca.org/resources/isaca-journal/issues/2020/volume-3/practical-data-security-and-privacy-for-gdpr-and-ccpa
4. Retrieved June 11, 2022, from tevora.com/blog/tevora-data-privacy-law-comparison-ccpa-cpra-gdpr-and-pipeda/
5. Retrieved June 11, 2022, from gdpr.eu/what-is-gdpr/
6. Retrieved June 11, 2022, from iapp.org/resources/article/us-state-privacy-legislation-tracker/
7. Retrieved June 11, 2022, from oag.ca.gov/privacy/ccpa
8. Retrieved June 11, 2022, from news.bloomberglaw.com/bloomberg-law-analysis/analysis-california-privacy-reboot-puts-rights-in-spotlight
9. Retrieved June 11, 2022, from themarkup.org/privacy/2021/04/15/big-tech-is-pushing-states-to-pass-privacy-laws-and-yes-you-should-be-suspicious