Welcome once again to the Data Connections Blog! Wow, is this Blog #10 already? I would like to say these Blogs virtually write themselves … but I also don’t like to lie.
We just spent a few weeks diving into the Artificial Intelligence leg of the four legged data stool that I talked about in Blog #6. One of the things we learned was how Europe is ahead of the US in enacting unified data regulations for Artificial Intelligence.
Now, I would like to move on to look at another leg of that data stool – data privacy. This is a topic that has been around much longer than AI, so surely the US has a cohesive plan for dealing with all the pieces of the data privacy puzzle… right? Well, let’s see!
In Europe, privacy is considered one of the most important and fundamental rights of a person [1]. Our relationship with privacy in the US is more, shall we say…complicated. While we care about privacy on the one hand, on the other hand we also value things that might be privacy trade-offs like discounts and convenience. Surveys regularly show that Americans are generally more willing that citizens of the EU to trade off some, and sometimes a lot, of privacy in return for these other benefits [2].
Before we get ahead of ourselves, let’s start to assemble the jigsaw puzzle of US Privacy laws and policy by first looking at the history of privacy in the US and how it has evolved.
In the mid-1500s in Europe, the printing press revolutionized distribution of the printed word. However, it wasn’t until the 1840’s that the “gossip column” came to the US press with an intense focus on the lives of the American social elites [3]. By the 1890s, the East Coast elite decried the “newspaperization” of society. They felt the constant coverage robbed them of their prized privacy and, quoting the Bible, feared: “what is whispered in the closet shall [now] be proclaimed from the house-tops.”[4].
Imagine how the late 19th century social elite might react to the nonstop invasion of privacy we see today on X (formerly Twitter) and other social media outlets (Hey, Charlotte - I just saw on X that you brushed your teeth AGAIN… what is that like 6 times today?).
How could this perceived forfeiture of privacy be addressed? There is no direct constitutional right to privacy in the US. Privacy rights have generally evolved from a loose combination of 5th Amendment rights against self-incrimination; 3rd Amendment protections against forced quartering of troops in your home; and 4thAmendment protections against unreasonable search and seizure. Not exactly a direct line to privacy and a far cry from the European basis for privacy protections – where the Right to Privacy is a fundamental personal right grounded in Article 12 of the Universal Declaration on Human Rights.
If anything, protection of privacy rights in the US conflicts with one of the rights Americans traditionally hold most dear: the 1st Amendment right to freedom of speech. If I can keep you from publishing the details of my personal life or retroactively force the deletion of such details, one might argue that I am aggressively impacting your right to free speech.
It was this very conflict between 1st Amendment rights and the desire for privacy -- led by the onslaught of media coverage of the personal lives of the social elite (hey, it sells papers!) in the late 1800s that inspired the first meaningful proposal for a right of privacy in the US.
American lawyer and businessman Samuel Warren, who was himself from the social elite class in Boston, teamed up with Louis Brandeis, also an American lawyer who was ultimately an Associate Justice on the Supreme Court, to write an influential article on privacy in the Harvard Law Review. This article, on The Right to Privacy [5], helped to popularize the tort-based [6] concept that individuals possess a redressable “right to be let alone” [7].
While this right of privacy did not immediately gain broad acceptance in the courts, it did gain steady support over time. By 1953, a case over the rights of a baseball player to sell, multiple times, his picture to baseball card makers solidified the fact that publicity rights are a property right that can be sold (or not) by a person [8]. That said, while state and federal courts struggled to address privacy rights in cases following the Right to Privacy article [9], no federal law was passed to help unify this right.
By 1960, it seemed time to take another scholarly look at privacy. William Prosser, Dean of the School of Law at UC Berkeley and prolific authority on Torts, proposed 4 causes of action related to protection of privacy: (a) unreasonable intrusion on the seclusion of another; (b) appropriation of the other’s name or likeness; (c) unreasonable publicity given to the other’s private life; or (d) publicity that unreasonably places the other in a false light before the public. These causes of action each made it into the influential Restatement (Second) of Torts and, as a result, gained acceptance in many courts [10].
I could spend a lot of time on each of Prosser’s causes of action for privacy, and legal scholars have, but I would like to fast forward a bit to the present. As it stands today in the US, we have no comprehensive privacy law at the federal level. We do have various sectoral privacy laws including the following: 1) use of data by the federal government [11]; 2) use of banking/financial information [12]; 3) protection of health data [13]; and 4) the protection of children on the Internet [14]. Each of these laws could lead to many pages of commentary. For our purposes, it is most important to note that the US sectoral laws on privacy are a patchwork of laws equivalent to a bunch of puzzle pieces that don’t quite fit together. There are similarities in requirements but there is not an over-arching framework guiding these laws. In fact, many of the US sectoral privacy laws seem to have been reactive to events rather than strategically positioned.
A classic example is the Video Privacy Protection Act of 1988, which protects an individual’s video viewing history/habits from disclosure. In the late 1980’s, videotapes were rented from brick and mortar stores like Blockbuster Video (Oh the hours we would spend strolling the aisles of Blockbuster looking for something to watch!). During congressional hearings for Supreme Court nominee Robert Bork in 1987, journalist Michael Dolan published an article listing 146 largely benign video rentals by the Bork household obtained from an assistant manager at the video store frequented by the Borks. This publication shocked members of Congress, whose video rental histories may have been even more enlightening. This singular concern led to the rapid enactment of the Video Privacy Protection Act, protecting people against such disclosures, barely a year later [15].
While this is not necessarily a bad result, it only serves to illustrate what can seem to be a “whack a mole” approach taken to federal privacy laws where privacy issues are addressed in response to current events or special needs rather than on a comprehensive basis and where all the puzzle pieces of privacy law would fit together nicely.
In addition to the federal laws, eighteen US states have privacy laws in place [16]. As with the federal sectoral laws, there are similarities among these laws (and with the federal laws), but they are also confusingly different at times.
As to similarities, state privacy laws generally include such things as a requirement to:
- ** Make information on incidents such as data breaches (involving personal information) available on the [state] Attorney General's website
- ** Allow minors to remove content or information posted on websites, online services, or mobile applications
- ** Prohibit marketing or advertising to minors of products or services that minors are legally prohibited from buying [17]
However, the timing and approach to even these common elements of the state and federal privacy laws can vary widely.
While we seem to want privacy protections in the US, we can’t seem to get consensus on a unified approach to privacy. This is not for lack of trying. Bills, even bipartisan bills like the American Data Privacy Protection Act, have been introduced in Congress [18]. While not perfect, these proposed bills could help to clarify enforcement priorities. Unfortunately, for various reasons, these bills have not been enacted to laws.
By contrast, there is an influential law unifying and governing data privacy obligations in the European Union: the General Data Protection Regulation (GDPR). Like the EU Artificial Intelligence Act we discussed in Blog #9, the GDPR is currently in place and is providing the de facto framework for privacy policies in the US because international companies standardize their approach to privacy. Even state laws, like the California Consumer Privacy Act and subsequent California Privacy Rights Act, are not only inspired by but also in some cases similar to the GDPR [19].
As an example of the influence of the GDPR in our everyday lives, how excited are you about all those privacy policy clicks that are now required just to view a website? See below the 1st 2 screens you must work through to view the Orange SA (Telecommunications) website. (Hang on a sec, I’ll get back to you on the phone plan I want after I complete the obligatory 3 years of law school required to understand how to navigate your website!)
We have to ask ourselves… even if we don’t value the fundamental right of privacy as much as Europe, what will it take for the US to pass comprehensive privacy laws? By not having our own laws, we have essentially decided to follow the EU’s lead. Are we happy with the EU setting the data law blueprint?
These are the times when my law students would ask me…what should we do? The answer is…it’s up to us to determine our own future. The US can be a leader in data law, or we can be a follower. My hope is that we would decide on the former course of action.
In any event, and as a “heads up” to the penguin in my illustration, there is a good chance that some of the pieces in the US data privacy jigsaw puzzle won’t quite fit together for some time!
We are far from done on our discussions of privacy and other parts of data law. I hope you’ll be back next time as we continue to explore these issues and learn more about data connections!
If you have questions about your data and your legal compliance programs for data, Mortinger & Mortinger LLC can help! Contact me directly at: steve@mortingerlaw.com
Mortinger & Mortinger LLC when experience is important and cost matters
[1] Importance of privacy in the EU: https://www.edps.europa.eu/data-protection/data-protection_en#:~:text=In%20the%20EU%2C%20human%20dignity,but%20also%20a%20social%20value.
[2] See, for example: https://www2.deloitte.com/us/en/insights/industry/public-sector/government-data-sharing-in-exchange-for-convenience.html
[3] Reportedly the first such column was published by James Gordon Bennett, in The New York Herald in the 1840s. His intent was “to prove that American upper-class life was just as dazzling as that of the European aristocracy.” https://www.nytimes.com/2015/10/04/nyregion/americas-first-gossip-column-and-eating-on-subways-and-buses.html
[4] Luke 12:3
[5]https://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
[6] ] A tort is not, in this case, a sweet pastry but instead a civil law cause of action for causing harm to a person or their property. This cause of action may result in legal liability (typically requiring payment of financial damages) for the person who committed the act.
[7] See note 5 above.
[8] See: Haelan Laboratories vs. Topps Chewing Gum, Inc. 202 F.2d 866 (2d Cir. 1953).
[9] See, for example: Robertson vs. Rochester Folding Box Company (NY Ct Appeals 1902) and Pavesich vs. New England Life Ins. Co (SCt GA 1905).
[10] Daniel J. Solove & Neil M. Richards, Prosser's Privacy Law: A Mixed Legacy, 98 Cal. L. Rev. 1887 (2010).
[11] Federal Privacy Act.
[12] Fair Credit Reporting Act and Gramm-Leach-Bliley Act.
[13] Health Insurance Portability and Accountability Act (HIPAA).
[14] Children’s Online Privacy Protection Act (COPPA).
[16] States with privacy laws currently include California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia.
[17] https://www.lewisrice.com/u-s-state-privacy-laws/#:~:text=As%20of%20May%202024%2C%2018,consumers'%20personal%20data%2C%20provide%20consumers.
[18] https://www.congress.gov/bill/118th-congress/house-bill/1165#:~:text=Data%20Privacy%20Act%20of%202023,-This%20bill%20addresses&text=The%20bill%20expands%20the%20application,establishes%20data%20privacy%20standards%20nationwide.
[19] https://www.dataguidance.com/sites/default/files/gdpr_v_ccpa_and_cpra_v6.pdf.