There's been a lot of talk about privacy legislation in the past, and it's ramping up again now. President Barack Obama mentioned the word privacy an unprecedented three (3!) times during the State of the Union. Congress is talking about national data breach legislation. And the White House has called for a Consumer Privacy Bill of Rights.
But consumers -- aka, regular people -- may remember that that bill of rights was actually first announced nearly three years ago in 2012. Since then? No privacy legislation.
To be fair, privacy is a tricky thing. We all profess to want it, but then give it away all the time -- especially in a modern age when pieces of personal information are not only social currency but also more or less the basis for the entire world of online commerce. And even in cases where people agree on the principles of what should go into privacy legislation, the details are another matter entirely.
For example: On the Hill Tuesday, lawmakers from the House's Subcommittee on Commerce, Manufacturing and Trade held a hearing with industry representatives and experts about the best way to tackle the question of one aspect of data privacy -- data breach notification laws.
The witness panel included a law professor who specializes in privacy law, along with representatives from the retail industry, the technology industry and the data broker industry. Pretty much everyone agreed that consumers should be notified when a hacker steals customer data from a company -- particularly in light of major breaches at Target, Home Depot and Sony Pictures Entertainment.
But the details of when, how and by whom were all matters of debate. There were even questions hanging over how a federal law would work with the laws already on the books in forty-seven states (plus D.C., Guam and Puerto Rico). Businesses tend to say that they would like to see a broad federal law preempt all of those state laws, to provide one standard rather than just adding another law to the pack.
Many businesses "don't have resources to comply with all of those laws," said hearing witness Elizabeth Hyman, of the industry group TechAmerica. "We need a strong, appropriate federal standard to alleviate ambiguity."
But privacy experts and advocates say that doing so actually runs the risk of decreasing privacy for people across the country. States such as Massachusetts and Illinois, for example, have particularly strict rules about how quickly companies have to notify state authorities of a breach. Other states leave those disclosures to the company's discretion.
Hearing witness Woodrow Hartzog, an associate professor at the Cumberland School of Law, all but dismissed the claim that businesses can't comply with a federal standard in addition to state standards. "The differences can be overstated," he said. "I've heard it compared to apples to oranges -- I think it's more like Fiji to Red Delicious apples."
And that's just on an aspect of data privacy law that has widespread -- even bipartisan -- agreement. Other parts of the consumer bill of rights include much more complicated questions, such as how much transparency and control regular people should have over the data that companies collect on them.
A notification law would be a start. But it won't "solve the problem of a lack of comprehensive federal privacy legislation," said Julia Horwitz, director of the consumer privacy project at the Electronic Privacy Information Center. "As we keep hearing, it’s the big data era. There are secondary and tertiary uses for data -- things that aren’t mentioned explicitly in terms and conditions."