Right now, privacy in the U.S. consists of a patchwork of state and federal laws that make it extremely difficult for an American to know his or her rights. Federal laws cover some specific aspects of privacy today. States may or may not have laws that apply to privacy, and even if they do, they tend to define protected data differently and apply it to different entities in various ways. It is, therefore, very encouraging to see Members of Congress from both parties in recent privacy hearings support the idea of comprehensive national privacy legislation.
Let’s take a very simple example. You are an innkeeper in Maine. You are more than busy keeping the rooms immaculate, cooking delicious breakfasts and baking scrumptious treats to set out in the afternoon. You are used to complying with state and local health and safety regulations, so it does not occur to you that you may need to comply with privacy laws enacted in states other than Maine.
But your lovely inn has attracted guests from all over the U.S. The states in which your guests reside have privacy laws to protect their citizens’ data, regardless of where that data happens to be held. You probably have some combination of your guests’ names, home addresses, credit card information, email addresses, or other personal information. The requirements for protecting that data are likely to vary depending on your guests’ home states, and breaching those laws can carry hefty fines. How do you understand, much less comply with, so many different legal requirements?
Let’s take another example. You are not very happy with the job you have held in Oklahoma and are now applying out of state. Oklahoma has a law that prohibits employers from requiring employees to give them access to the employees’ social media accounts, so you have not been very careful about what you’ve said on social media about your current employer and you’ve not been too discreet in describing some of your partying. When potential out-of-state employers to whom you have applied demand access to your social media, it comes as a shock. You didn’t know that only twenty-six states have a law that protects employees’ and applicants’ social media accounts and that even those states’ laws vary widely.
The medical information held by your health-care professionals and institutions such as hospitals is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). But data and inferences about your health that have been collected by search engines, email providers, and social media platforms are not. If your employer finds out that you are ill before you are ready to share that information, aren’t you just as harmed if the news came via one of these platforms as if it came from your doctor? Shouldn’t you be assured of protection no matter where in the U.S. you reside?
Americans should not have to struggle to protect their privacy rights or to fulfill their privacy obligations in a legal environment that varies from state to state and is too complex to be easily understood by a layperson. It is time for Congress to pass a comprehensive national privacy law that protects Americans uniformly throughout the U.S. and across the entire Internet ecosystem.
Anna-Maria Kovacs, Ph.D., CFA, is a Visiting Senior Policy Scholar at the Georgetown Center for Business and Public Policy. She has covered the communications industry for more than three decades as a financial analyst and consultant.