A Step Forward? DATA and Privacy Legislation in the US

Published on July 13, 2020

We all do it: click “accept” on a website’s terms and conditions without so much as a glance at the fine print, or ignore that email with an update to a website’s privacy policy. These policies are often long and wordy, and since most people use many data-collecting websites, it would take a significant amount of time to thoroughly read through all these policies. Yet, accepting that a corporation collects one’s data through their website can have significant privacy implications for the user. Still, the internet is an indispensable and, for many, unavoidable tool in today's world. Who is, or should be, responsible for the protection of people’s privacy online?

In the United States, legislators have attempted, without much success, to enact privacy protections in the largely unregulated field of internet privacy law since the advent of the World Wide Web. On June 18, 2020, Sen. Sherrod Brown (D-Ohio) continued the effort with the introduction of the Data Accountability and Transparency Act (“DATA”), which, if passed, would be the first comprehensive consumer privacy law in the United States directed at the internet.

In announcing his proposal, Brown said this legislation is needed to empower Americans to control their personal information. Technology and social media companies often use complicated terms and conditions and privacy policies that can be hard to understand. DATA would ban the collection, use, or sharing of personal data unless specifically allowed by law.

The proposal is a departure from other privacy laws that look to regulate using a consent model. In many privacy regimes, organizations can use the data received from users so long as consumers have consented to or accepted the terms and conditions and privacy policies on those sites. Acceptance for these purposes can range from having to check a box to simply logging on to a website.

Brown’s proposal, on the other hand, would require that accountability be established from the top-down. CEOs of certain corporations would be required to obtain a certificate of compliance or risk sanction. The proposal would also require organizations and agencies to disclose reasons for data collection and provide a description of the data to users upon request.

Moreover, DATA would create a federal agency charged with implementing and enforcing the Act. The enforcement mechanisms would include civil penalties and, where the CEO and Board of Directors violate parts of the Act, criminal sanctions would also be available.

In Canada, under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), meaningful consent is required for the collection, use, and disclosure of personal information. Consent can only be considered meaningful when individuals are provided clear language describing what organizations are doing with their information. While this applies to data routed through Canada, once information transits through servers located elsewhere, the destiny (and usage) of that information can be less clear.

Though the proposed legislation is in the American context, DATA could lead to changes for Canadians and Americans alike. As much of Canadian internet usage is channelled through U.S. servers, under DATA, Canadians would experience the stricter data protection in the United States without being citizens of that country. Such asymmetry would also be likely to force Canada to reexamine its privacy regime.

It remains to be seen whether legislation like DATA could pass. Nonetheless, proposals like DATA could gain support amongst the public. A Pew Research poll shows that around 80% of Americans occasionally or never read privacy policies before using websites and 75% of US adults believe that there should be greater government regulation concerning what companies can do with the data they acquire from users online. Every country should be engaging in ongoing debate about whether current privacy regimes are appropriate given current technologies.