In addition to its obvious health fallouts, the coronavirus pandemic has raised umpteen other issues, including data privacy-related ones.
For one, some governments have put together digital crumbs obtained from sources such as cellphone geolocation information and credit card spending to track the trails of individuals. Such contact tracing enables governments to identify and isolate those who could be infected with the virus.
According to Sean O’Brien, founder of the Yale Privacy Lab and a lecturer in cybersecurity at Yale Law School, “The COVID-19 pandemic has created an unprecedented crisis for personal privacy. Proposed and implemented plans for digital contact tracing have largely downplayed or ignored privacy in the name of public health. However, the efficacy of digital contact tracing such as Google and Apple’s scheme is limited, and that’s being kind.”
Smartphones in the U.S. have been “forcefully updated” with Bluetooth surveillance developed and controlled by Google and Apple, O’Brien said, and with the pandemic heightening the use of “no touch” payment methods, those technologies will also be “abused” for the benefit of the companies that design and sell them.
Not only that, James E. Lee, chief operating officer at the Identity Theft Resource Center, pointed out, “Credentials and personally identifiable information stolen in past data breaches are fueling cyberattacks and phishing attacks that are resulting in massive amounts of unemployment benefit fraud – about $1 billion in just the states of Washington and Maryland – as well as other COVID-related scams that rely on identity information.”
U.S. lags in data privacy legislation efforts
These sorts of issues have heightened concerns about data privacy that were already at the forefront prior to the pandemic. While all states have data breach notification laws, robust data privacy laws are lacking, both at the federal and state level.
Europe has been ahead when it comes to data privacy issues, passing its General Data Protection Regulation in 2018. In the U.S., California has led the way, with its California Consumer Privacy Act that went into effect in January and began to be enforced in the summer.
Two other states – Nevada and Maine – have also passed digital data privacy laws as of late 2020. The Maine law specifically applies to internet service providers, rather than all businesses that collect consumer data. A variety of other states – including New York, Pennsylvania and Illinois – have proposed data privacy protections that are in various stages of the legislative process.
A number of these state-level efforts (including in New York, Wisconsin, Washington and Virginia, according to Lee) have been stalled as legislative sessions have been impacted by the pandemic this year.
California’s data privacy law
California’s CCPA, which sets the model for most of the other state-level initiatives, gives the state’s consumers some basic privacy rights relating to how businesses use their personal data. Broadly, it confers the following protections relating to consumer personal information:
- Consumers have a right to know what sort of personal information a business collects about them, and how it will use and share this information.
- It gives consumers the right to erase certain information a business collects on them.
- It allows consumers to opt out if they don’t want their information to be sold.
- It forbids businesses from discriminating against consumers because they make use of the rights the CCPA gives them.
Brian Vecci, chief technology officer at Varonis Field, a data security firm, said that while the law gives consumers more rights, “The CCPA does not have the financial teeth that the GDPR (the European regulation) does. It’s not designed to punish companies that don’t comply.”
ITRC’s Lee believes that the consumer consent provisions and data breach notification provisions of the GDPR have been working well. However, he noted that critics point to a lack of significant action on the investigation and enforcement front.
According to Yale’s O’Brien, the European legislation has resulted in “high-profile lawsuits against major companies, which may have a small effect on specific surveillance practices in the private sector.” However, it has not impeded government surveillance efforts.
As for the CCPA, Lee says it’s too early to tell how it will turn out, though the California attorney general has started sending out enforcement letters to businesses to correct deficiencies.
Besides, he said, “There’s also the prospect of the CCPA being replaced by the voters in November by an even stricter privacy law – the California Privacy Rights Act. There is broad, strong opposition to the proposed CPRA, so it is not a slam dunk it will pass.”
O’Brien is not very optimistic about the impact of the CCPA because it has been influenced by Silicon Valley lobbying.
“There is some room for interpretation in CCPA around the definition of ‘sale’ and ‘operational purposes’ that is potentially problematic,” he said. “This may result in potential loopholes unless legal tests by regulators and legal scholars are taken seriously. It is quite possible that the efficacy of CCPA will be weakened over time by interpretation that favors Big Tech and adtech firms.”
New York data privacy legislation looks more robust
O’Brien noted that data privacy legislation efforts in other states are largely based on the California model and aim to work well with that initiative.
“This is both because industry power resides in Silicon Valley and because California is the first populous state to attempt implementing its own ‘GDPR Lite’ regulation,” he said.
At least one state is aiming for more far-reaching protection, though. New York’s pending New York Privacy Act would hold businesses to a fiduciary standard in dealing with consumer data. This would require them to keep in mind the consumer’s best interests, even holding them above their duties to shareholders, before sharing or using their data in any way.
The law also provides a broad definition of the “privacy risks” that businesses’ processing of consumer data poses to consumers and that businesses should be aware of, including financial harm, physical harm, psychological fallouts, inconvenience, price discrimination effects, stigmatization of the individual and anything that would limit their choices or alter their experiences.
Not only that, the New York legislation would allow consumers to individually sue businesses for lapses. In contrast, the California law only allows consumers to sue businesses for data breaches, and only in “limited circumstances.” For other violations of the law, only the state’s attorney general can sue businesses to broadly protect the state’s citizens.
Need remains for a comprehensive federal data privacy law
Even though states are attempting to take up the slack, it seems a federal data privacy law could provide more uniformity for consumers and businesses nationwide. According to Varonis’ Vecci, federal legislation would get the U.S. more in line with the European Union.
And Lee noted, “Ideally, we would have a uniform, holistic law similar to the GDPR that encompasses privacy, cybersecurity, physical security and identity under a federal act to cover the core issues of minimum standards.”
However, he still sees a need for state laws to address some aspects that states could handle better, such as issuing identity credentials.
“You may not want to clog the federal courts with enforcing civil penalties associated with violations of any federal privacy law, too,” Lee said.
Moreover, Lee sees state courts as “more accessible for citizens than federal courts when it comes to enforcing laws and civil actions.”
Federal data privacy law remains elusive
However desirable it might be, prospects for a uniform federal law remain elusive.
“I do not think we will see a federal regulatory framework any time soon and, therefore, each state will have to maintain broad CCPA compatibility in new laws they enact or those regulations risk being ignored by or cumbersome to commerce,” O’Brien said.
According to Lee, there are two schools of thought in Congress about the purpose of a federal data privacy law: One sees it as an overarching law that would take precedence over all state efforts, and not give individuals the right to file suits for violations of the law; the other sees a federal law as establishing a basic floor that state and local governments would adhere to while being free to establish higher standards. The latter approach would also give individuals the right to sue businesses for violations.
Lee noted, “Neither side today has the votes to pass any legislation. Attempts to find a compromise have failed despite mass data breaches that impacted members of Congress at Marriott, Equifax, Capital One and the government’s own Office of Personnel Management.”
The outcome of the upcoming presidential election will also influence the prospects for passage of a federal data privacy law, and Lee expects it will be difficult to pass such a law without a single party controlling the White House and Congress.
“COVID, economic concerns and the upcoming presidential election will probably keep efforts at establishing data privacy legislation at the federal level out of the picture for the near future,” Vecci said. “I do see a federal privacy law in the cards, but it’s not going to happen soon.”
COVID fallouts show need for robust data privacy laws
The cybersecurity and data privacy issues that COVID-19 has given rise to have only made clearer the need for data privacy legislation.
“That laws and regulation can approach such problems and roll back the loss of privacy that has been accelerated by COVID-19 is unlikely. It will take serious public outcry and activism for lasting change to happen,” O’Brien noted.
Vecci also observed that COVID-19 has shown that “more privacy protections are needed, not less.”
But ITRC’s Lee pointed out that the tech giants are not waiting for the government to force them to adopt stronger privacy practices when it comes to consent relating to consumer data collection, storage and use.
“Apple, Google, Mozilla and Microsoft have all added product features that give consumers more control over how they are tracked as they move around the internet,” Lee said. “That’s not a replacement for a government mandate with a penalty for violating a law, but it’s better than nothing.”