What can and should we expect in terms of data-privacy regulations?

Recently, the Coalition for Healthcare Communication interviewed Alison Pepper, EVP of Government Relations with advertising trade association the 4A’s (American Association of Advertising Agencies), in a webcast called “Data Privacy: Federal Regulation or a State-By-State Maze of Rules?”

She updated and explained the current landscape – and we’ve got a summary for you!

Three Federal-Level Sticking Points
New federal privacy legislation keeps being introduced, but is logjammed, largely because of three fundamental partisan ideological differences.

While, Pepper points out, federal legislation has been needed for many years, and dozens and dozens of bills have been proposed, none has advanced.

Two ideological disagreements (which transcend privacy) she points to as causes of this logjam are private right of action (whether a law would give a private individual the right to sue; Democrats are in favor; Republicans are opposed); and federal pre-emption (when a federal law conflicts with a state law, it often [but not always] overrules the state law; Republicans prefer states’ rights; Democrats prefer federal laws).

A third ideological difference can be seen in the approach to reforming Section 230 (a small part of the 1996 telecoms Communication Decency Act, which protects platforms for being responsible for third-party content). Pepper notes that Congress is focused on Section 230 reform, with six bills presented recently, and on social networks and platforms (seven bills presented) – far more than on other facets of privacy like data privacy (two), data security and breach notification (one), financial privacy (one), health privacy (two), or location privacy (one). “These two issues are sucking the oxygen out of the room on Capitol Hill right now,” Pepper said.

While the Republican position is that social networks are limiting conservative freedom of speech, the Democrat position is that not enough is being done to rein in misinformation and disinformation. Pepper notes that while Section 230 began as an inconspicuous provision decades ago, it now plays a large part in the heated conversation about social networks’ role in society.

Greater Movement at the State Level
More meaningful recent progress in privacy legislation has been in at the individual state level.

Prior to the pandemic, states did continue to move privacy legislation forward, and in early 2021, many (24 states) have re-introduced, and some have already been approved, like Virginia. Pepper did point out that Florida’s legislation failed “at the eleventh hour, not only because of the private right of action, but also because of old-fashioned political horse trading”: the governor’s priorities were social media de-platforming and transgender sports legislation, so he was willing to give up privacy legislation.

The Privacy for America Framework
The Privacy for America framework, developed by a coalition of trade organizations including the 4A’s, is relaunching post-COVID-19.

The goal of this effort has been to develop and propose comprehensive privacy legislation that would be good for consumers, advertisers, and legislators, Pepper explained. As the coalition’s website states, “Privacy for America will support enactment of federal legislation that would clearly define prohibited data practices that make personal data vulnerable to breach or misuse, while preserving the benefits that come from responsible use of data.” It seeks to preserve existing laws, such as those that affect health or financial privacy, while crafting comprehensive legislation that covers marketing data uses not covered by those laws. Pepper noted that language from their draft legislation has begun to appear in some of the draft legislation being proposed.

Privacy Changes at the Browser and Operating-System Level
Pepper outlined the changes that Google and Apple are making, reflecting how other browsers have blocked third-party cookies, and called it the acceleration of a trend to act on privacy concerns. She noted, however, that there is question about whether the changes are in service of a privacy-first, consumer-centric goal, or instead are a way to advance the companies’ proprietary products by disproportionately advantaging them. For details on the “cookieless future” that we’re coming into, check out our blog post and whitepaper on the topic.

Pepper presented a graphic illustrating a way of thinking about how consumer identity could be handled. At the base of the pyramid is the set of Privacy Sandbox proposals from Google Chrome as an alternative to cookies. Segmentation data gathered from publishers’ first-party data is in the middle. And at the top is data gathered from situations in which logged-in users have a persistent identification tag.

The Antitrust Wild Card
Right now, the Federal Trade Commission, the Department of Justice, and state Attorneys General are all pursuing antitrust claims against Google and Facebook; the European Union is pursuing claims against Apple; private litigation is occurring; and new legislation is being proposed. Much is afoot. Pepper pointed out that while it’s admirable to want to guard against tech companies doing the wrong things, some say that some legislation, like GDPR, has had the ill effect of consolidating power with big tech companies and making it harder for new ones to come onto the playing field.

In Conclusion
The ecosystem is affecting itself. Private market changes are being made in reaction to antitrust legislation and its discussion. (Are legislators outsourcing to private companies? Pepper posits.) Conversely, changes in privacy legislation will be influenced by what browsers and operating systems do. Consumer advocacy groups will have a say. Antitrust legislation will have an effect. And we have a White House that, particularly with Vice President Harris’s previous experience as attorney general of California, has far more expertise on privacy than any previous administration.

Privacy isn’t the focus in a time of crisis, of course. But if, or as, the government is able to move away from pandemic emergency management, privacy will regain the spotlight it’s had on the Hill.