The attorneys general of 15 states are telling the Federal Trade Commission (FTC) “Don’t Tread on Me” when it comes to writing rules to protect consumer privacy rights online and in mobile software applications and services. These states have warned the FTC not to pre-empt state privacy rules as it develops a federal Privacy Framework for protecting digital privacy.
The comments from the state AGs are among the 442 public comments filed with the FTC concerning the Policy Framework, all of which were recently combed over and analyzed by the Information Law Group. In recent posts, I’ve discussed what Microsoft’s position on the rules is and how various interest groups for and against the proposal have responded. But the privacy rules debate follows the same rules of every other debate about state versus federal regulation. The industries being regulated don’t want to have to sort through 50 different state regulations and would prefer one federal law, though they probably don’t want that either. On the other hand, states that don’t want to have to wait for the lethargic federal government to act have taken the initiative to pass their own rules.
Besides defending the state laws they’ve already enacted, the AGs also urged the FTC to determine whether “specific geolocation information” is in fact “sensitive information” under law and, thus, subject to privacy protection regulation. Geolocation is an element of certain mobile applications on smartphones and tablets that give the end user information based on knowing the person’s location, such as navigation apps, coupons for nearby stores or restaurants, or the location of nearby Facebook friends using the app Foursquare. But the FTC says it will take up geolocation issues in its next Policy Framework, not this one.
The AGs’ letter points to Massachusetts and California as enacting model legislation to protect consumer privacy, including in the digital arena. California law requires businesses that have data on consumers to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." California also enacted the nation’s first notification law that requires businesses to disclose data breaches if consumer data may have been compromised. The Massachusetts law also requires companies to reasonably assess the risk of a data breach, take specific steps to prevent terminated employees from accessing sensitive data (the insider attack is actually quite common), and require third-party service providers to secure sensitive data they might be given access to.
If you have any doubt about whether a combination of state and federal consumer privacy protection is needed, pay a visit to the Privacy Rights Clearinghouse (PRC) Web site. The PRC has been keeping a database of data breaches since 2005, be they computer system hacks, lost laptops or paper files haphazardly tossed in a Dumpster. Since the PRC began its tracking, close to 517 million records have been breached, close to 5 million of them just so far in 2011.
We’ve figured this out before and we can do it again: enact effective consumer protection at either the state or federal level, reconcile the two as needed, and develop a solution that provides the protection consumers need as well as the opportunity businesses need to operate.