Written by: Kaitlyn Mundy '23
Edited by: Kathleen Meininger '24
In the age of social media, online banking, and cryptocurrency, the concept of cybersecurity and debate over the vulnerability of cyber services is by no means a new point of discussion. Recently, the question of foreign data collection has become a hot topic in the media and public forums. Is TikTok a national security threat? Does the banning of WeChat actually impact the amount of data that is available for collection? These are important questions to consider in regard to national security and protecting citizens from foreign entities.
But through all of this discourse, there is one particular question that remains under-analyzed: what guidelines regulate data collection and protection among domestic entities?
If we’re concerned about the information foreign governments might glean from our videos, why aren’t we worried about supermarkets selling our phone numbers and addresses for a quick profit? Why can they sell our data with impunity, and just who are they selling it to? The national cybersecurity debate has historically focused on protecting American companies from foreign corporations, hackers, and data theft. Very little effort has been dedicated to limiting the data these corporations are allowed to collect from consumers and what they’re allowed to do with that data.
As a result, data security regulations in the U.S. are woefully inadequate in the modern digital age. Domestic cybersecurity law is nothing more than a rotting wooden fence propped up by outdated federal laws. To address the gaps, state regulations and industry-specific guidelines have been tacked on to the crumbling infrastructure over the years, resulting in a patchy mess with plywood. It’s not enough — a graveyard of failed privacy bills has left holes large enough for a truck.
What Does Federal Law Actually Cover?
Answer: the bare minimum.
Laws passed in the 1980s and 1990s govern information like Driver’s License data, child data protection, cable subscription, telephone communication, and video reproduction and streaming (think of the FBI warning that pops up before the movie starts). They have not been significantly amended since their enactment, despite the rapid development of technology and evolution of information exploitation.
For information where the wide variety of state protection levels is unacceptable, industry-focused federal laws try to address the gaps (1). Credit card companies, financial corporations, educational institutions, and healthcare providers are all examples of industries subject to specific regulations regarding data protection and distribution.
Why Aren’t State Laws Enough?
California is widely considered to have the strictest and most encompassing state cybersecurity laws. In 2018, the California Consumer Privacy Act (CCPA) mandated that businesses disclose to their consumers the types of personal information collected (2). Businesses are also required to allow consumers to opt out of data collection and delete any personal information already stored in the company database upon customer request.
In this case, “personal information” refers not only to the data collected, but also the inferences the company makes from this data. This distinction is important because physical and mental health conditions and predictions of future intent are just some of the inferential information that can be derived from something as innocuous as a status update or Instagram post (3-5).
This law can be compared to the General Data Protection Regulation (GDPR), which has covered the European Union since May of 2019. Both give consumers basic rights and control over their own personal information (6).
Let me restate that: the strictest and most broadly-applicable cybersecurity law currently implemented in the U.S. is only applicable to companies that deal with California residents, and the most it does is give people control over their own personal data.
So what about legislation in other states?
In 2018, only 18% of proposed cybersecurity laws were passed (7). In 2019, nearly every cyber-privacy regulation bill proposed in Arizona, Connecticut, Florida, Kentucky, Maryland, Mississippi, Montana, New Mexico, Utah, and other states failed to pass, despite a number of them proposing only basic data protection such as informing consumers about what kinds of data are being collected (8).
What’s in the Works?
Proposed this March by the Senate Commerce Subcommittee on Consumer Protection, the Consumer Data Privacy and Security Act of 2020 (CDPSA) is a legislative act based on the ideas behind the CCPA and the GDPR that attempts to address the same issues regarding consumer privacy and data control (9). It provides guidelines for consumer data collection, control, and distribution, as well as the minimum levels of protection companies will be required to provide. Additional sections address individuals’ rights to be aware of and in control of what data is collected.
One notable critique of the CCPA and GDPR is that they limit employer access to necessary and relevant information regarding an employee’s personal background. The CDPSA addresses this concern by limiting its scope of protection to exclude employees, allowing companies to continue as they have under state laws in regards to internal data collection (9). To that end, this proposed law also has a clause specifying that it will not attempt to supersede state laws if they provide better protection for individuals, meaning that existing state-provided protections will continue.
The CDPSA has yet to be approved by either the Senate or House, but as our world becomes increasingly digital it is clear that our laws must evolve with the times. Private citizens deserve rights to their own personal information. Companies have a duty to safeguard the data they collect. A federal law mandating the protection of data and consumer privacy is long overdue.