Spate of pending U.S. privacy initiatives could significantly impact businesses

News Analysis
20 Jul 2022 | 7 mins
Compliance, Data Privacy

Bolstered by the overturned Roe v. Wade decision, several privacy initiatives could force businesses to review how they process, store, and protect data.

[Image: An eye looks through a peephole. Credit: Jolygon / Getty Images]

In the wake of the U.S. Supreme Court’s decision overturning Roe v. Wade, which will expose pregnant people in over half of U.S. states to a digital law enforcement surveillance environment, the Biden administration and Congress have kicked into gear to address a spate of privacy and digital protection threats, with initiatives that would substantially broaden the scope of privacy and data security protections.

As each week passes, additional government efforts to address access to sensitive data by police, prosecutors, and the private sector continue to unfold and progress rapidly. These actions have significant implications for how IT, security, and privacy operations within organizations must manage the personal data they collect and store, and for the policies under which that data can be shared.

American Data Privacy and Protection Act

The House Energy and Commerce Committee passed a bipartisan version of a landmark privacy bill, the American Data Privacy and Protection Act (ADPPA), a historic feat considered virtually impossible a few months ago. The ADPPA sets clear limits on how companies can collect and use data by setting data minimization rules, making privacy the default posture.

As currently amended, the bill establishes substantial restrictions on the collection and use of sensitive data, including precise geolocation, biometric, and health information, as well as data identifying an individual’s online activities over time and across third-party websites and online services. It also extends civil rights protections online, requires algorithmic impact assessments, and gives users the right to access, correct, and delete data collected about them. The ADPPA would also give all Americans the right to opt out of targeted advertising globally.

FTC commits to prosecuting companies that violate data protection laws

Earlier this month, the Federal Trade Commission (FTC) reiterated its commitment to using the full scope of its legal authorities to protect consumers’ privacy. “We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data,” Kristin Cohen, acting associate director, FTC Division of Privacy & Identity Protection, said in a statement.

She stressed that companies must consider several factors when collecting confidential consumer information, including location and health data. Among these factors are existing state and federal laws protecting sensitive data and the likelihood that the FTC will view any claims of “anonymized” data skeptically. Most importantly, companies that over-collect, indefinitely retain, or misuse consumer data will likely face legal action by the Commission.

Lawmakers seek to extend HIPAA privacy rule

On July 1, Senators Michael Bennet (D-CO) and Catherine Cortez Masto (D-NV) urged the Department of Health and Human Services (HHS) “to protect the privacy of Americans receiving reproductive health care services by updating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (Dobbs).”

They urged HHS to “clarify that this information cannot be shared with law enforcement agencies who target individuals who have an abortion.” Moreover, they want HHS to determine that so-called pregnancy care centers (also known as crisis pregnancy centers) must follow the Privacy Rule requirements. Abortion advocates maintain that these centers are merely deceptive front operations run by anti-choice advocates to dissuade pregnant people from seeking abortions and are likely to turn over sensitive health and location data to authorities to prosecute people in states where abortion is outlawed.

FCC collects data on mobile data retention and privacy policies

The Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel wrote to the top 15 mobile providers requesting information about their data retention, privacy policies, and general practices. In the letter, she asks about their policies around geolocation data, including how long it is retained and why, and the current safeguards to protect this sensitive information.

She also asked the carriers to explain their processes for sharing subscriber geolocation data with law enforcement, their data sharing agreements with other third parties, and whether and how consumers are notified when their geolocation information is shared with third parties. Rosenworcel said, “Mobile internet service providers are uniquely situated to capture a trove of data about their subscribers, including the subscriber’s identity and personal characteristics, geolocation data, app usage, and web browsing data and habits.” Mobile providers have until August 3, 2022, to respond.

Digital dragnet bill gains a hearing

Last year, lawmakers in the House and Senate introduced a bill called the Fourth Amendment is Not for Sale Act (H.R. 2738 and S.1265) that prevents the government from purchasing data from third parties that it would otherwise need a warrant to obtain under the Fourth Amendment. The Fourth Amendment protects Americans from unreasonable searches and seizures by the government, although how it operates in the digital era is still an evolving question.

Earlier this week, in support of the legislation, the House Judiciary Committee held a hearing on “digital dragnets,” namely the increasing reliance of law enforcement on massive data sets produced by private third parties with little consideration for due process under the Fourth Amendment.

Committee Chairman Jerry Nadler (D-NY) made clear the nexus between the Supreme Court’s recent decision and the revived momentum of this legislation. “In the states where abortion is now a crime, law enforcement can use available data to keep track of who searches online for the words ‘miscarriage’ or ‘abortion,’” he said.

“They can purchase geolocation data to monitor which phones travel out of state to go to a medical provider. They can access the data from tracking apps or purchase integrated data profiles to see, or even predict if and when a woman may be pregnant or may be likely to seek an abortion.” The result of the federal government’s use of private third-party data, which goes largely unmonitored, “is that just by going about your daily life, your data may be swept up in and make you the subject of criminal investigations,” Nadler said.

Bob Goodlatte, senior policy advisor, Project for Privacy & Surveillance Accountability, and former chairman of the House Judiciary Committee, said as a witness at the hearing that the solution for the government overreach is the Fourth Amendment is Not for Sale Act. “This bill would close the loopholes in the law. It would forbid government agencies from buying personal data it would otherwise need a warrant or subpoena to obtain. When the Fourth Amendment is Not for Sale Act passes, U.S. law enforcement and intelligence agencies will still have powerful legal tools at their fingertips with which to follow leads that can catch terrorists, spies, and dangerous criminals.”

Impact on organizations’ data management policies

Although the dust hasn’t settled on any of these rapidly emerging developments, it’s clear that IT, security, and privacy operations within organizations will have to quickly revamp how they collect, share, and store data. John Wills, field CTO at Alation, tells CSO in an email that the string of recent efforts to protect individuals’ data privacy could have a major impact on businesses.

Among the significant impacts, according to Wills, are:

  • Increasingly complex rules, sometimes split across various jurisdictions, requiring additional investments to stay compliant
  • An increased need for data cataloging and management software to help companies maintain accurate data logs
  • Changes to customer loyalty plans and other data-intensive company programs
  • A need for more advanced artificial intelligence and machine learning systems to help gather, sort, use, and report data

Corporate law firm Balch and Bingham produced a breakdown of how the ADPPA, at least, would affect businesses. The bill places “significant obligations on businesses, particularly those that are not currently subject to European privacy law or state comprehensive privacy laws such as the California Consumer Privacy Act, or CCPA, and the California Privacy Rights Act, or those soon to be in effect in states such as Colorado, Connecticut, Virginia, and Utah,” according to Balch’s attorneys.

Even those already subject to these laws may have to add critical aspects to their privacy policies and procedures, such as requirements to publish annual impact assessments disclosing the methods taken to minimize data risks, appoint a data security or privacy officer, modify privacy policies to ensure required information is disclosed, and conduct audits to ensure reasonable internal controls related to individuals’ data and compliance with the Act.