Bulletin

Haystack in a Hurricane: Mandated Disclosure and the Sectoral Approach to the Right to Privacy

Tyler J. Smith

Privacy law is an extremely complex and complicated problem. And, unfortunately, the United States remains one of the only Western countries without comprehensive consumer data protection laws. Until the federal government decides to address the ubiquitous collection and use of data by corporations with omnibus legislation similar to the EU’s GDPR—or until states take the lead on passing analogous legislation—the notion of privacy in personal information will continue to get lost in the hurricane.

Introduction

In 1956, Chief Judge Biggs of the U.S. Court of Appeals for the Third Circuit likened privacy law to “a haystack in a hurricane.”11.Ettore v. Philco Television Broadcasting Corp., 229 F.2d 481, 485 (3d Cir. 1956). His depiction of the chaotic state of privacy law has continuing relevance today as jurists, lawmakers, and commentators still struggle to find solid legal ground for the right to privacy. A dizzying array of state and federal privacy statutes, administrative guidelines and rules, court cases, and privacy policies all make for a vast privacy hurricane in which the only certainty is that consumers can (and are willing to) do very little to stop it.

In Part I, this Essay briefly demonstrates how and why privacy, as currently regulated in the United States, fails to adequately protect consumer information. The confusing “sectoral approach” to privacy regulation used by the United States is largely based on the faulty premise of “mandated disclosure,” which enables consumer exploitation by corporations.22.See George Leef, Mandated Disclosure – Another Policy Failure That Politicians Can’t Resist, FORBES (Sep. 8, 2014), https://www.forbes.com/sites/georgeleef/2014/09/08/mandated-disclosure-laws-another-policy-failure-that-politicians-cant-resist/#32555565580d (https://perma.cc/56FL-2S5P). Organizations can be subject to numerous regulators and to laws that mandate disclosure of information consumers rarely understand. Under the sectoral approach, sectors of the economy are covered by sector-specific regulations that mandate what they may do with consumer information. This Essay highlights an alternative approach, one favored by the European Union (EU), that protects consumer privacy through a unified framework. That route, the EU’s General Data Protection Regulation (GDPR), is a comprehensive “omnibus approach” to privacy regulation that puts large corporations who mishandle consumer data on notice via penalties for violations and closer oversight, and it provides consumers a greater degree of control over their data.33.See Operational Impacts of the General Data Protection Regulation (GDPR), PWC (Mar. 2017), https://www.pwc.com/us/en/services/consulting/cybersecurity/library/broader-perspectives/operational-impacts-of-gdpr.html (https://perma.cc/W9QS-PKC5). Part I concludes by arguing that, because of the low likelihood of federal omnibus legislation, the burden to take the lead on legislative reforms may fall on the states.

The rest of this Essay proceeds as follows. Part II canvasses current definitions of privacy and discusses the problems associated with attempting to define it. Part III describes the value data has to corporations, which often puts their interests in conflict with traditional notions of privacy. Part IV details the “mandated disclosure” lynchpin of the sectoral approach to privacy regulation which is inherent in federal and state statutes. Part V examines one prospective attempt by state lawmakers to protect biometric data from future misuse. Part VI describes how the overall sectoral approach to privacy regulation in the United States creates confusion through a tangled web of federal statutes. Part VII looks at the primary alternative to the sectoral approach: the EU’s GDPR. Finally, Part VIII highlights the California Consumer Privacy Act (CCPA) of 2018 as a state effort to regulate information privacy in the absence of federal privacy legislation.

I. The Struggle to Define Privacy

In order to regulate something effectively, it must first be defined. As Robert Post once said, “privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.”44.Robert C. Post, Three Concepts of Privacy, 89 GEO. L.J. 2087, 2087 (2001). Two central problems exist in attempting to pin down a definition of privacy. The first problem is the extent to which privacy matters to individuals and corporations. Different individuals or corporations may not all value privacy equally. Even if a corporation’s customers do value privacy, the corporation itself may not. Hence, while an individual may care deeply about privacy, a corporation that possesses that individual’s data may not necessarily be as careful with it.

Second, while some individuals purport to value their privacy, their actions indicate otherwise. Indeed, they are often willing to sell it to eager marketers in exchange for slight conveniences. And convenience appears to be a main motivation for giving up personal information to corporations who are all too happy to accept it.55.See BRUCE SCHNEIER, DATA AND GOLIATH: THE HIDDEN BATTLES TO COLLECT YOUR DATA AND CONTROL YOUR WORLD 51 (2014).

Like many areas of the law, the concept of privacy has evolved over the past century. In 1890, when Samuel Warren and Louis Brandeis published their famous article The Right to Privacy, they recognized that the law as a whole was beginning to acknowledge psychological harms as distinct from physical harms.66.Samuel Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193 (1890). The law had only recently recognized the tort of assault, for example, by extending the tort of battery. While battery is limited to offensive physical contact, assault requires something else: a reasonable apprehension of offensive physical contact—in other words, a psychological injury.77.See, e.g., Carter v. Commonwealth, 606 S.E.2d 839, 841 (Va. 2005) (holding that assault occurs definition when an assailant engages in an overt act intended to place the victim in fear of apprehension of bodily harm and creates such reasonable fear or apprehension in the victim). Similarly, they argued that a violation of one’s privacy through the publication of humiliating information in a tabloid is a psychological injury.88.Warren & Brandeis, supra note 6, at 196.

In that way, Warren and Brandeis located the right to privacy in tort law due to the inadequacy or unavailability of traditional remedies in contract, property, and copyright law.

Though not the first to suggest the existence of a right to privacy, Warren and Brandeis did so without offering a precise definition of it. Instead, they relied on a well-known attempt by Chief Justice Thomas Cooley of the Supreme Court of Michigan: “the right to be let alone.”99.Id. at 195. Today, however, numerous other definitions have been offered. Some contend that privacy is a form of control over personal information.1010.See generally Post, supra note 4. Others argue that “intimacy” defines what matters or what data should be private.1111.JULIE C. INNESS, PRIVACY, INTIMACY, AND ISOLATION 56 (1992). Even the U.S. Supreme Court, while recognizing the right to privacy in a range of circumstances, avoids clearly defining the concept.1212.See, e.g., Lawrence v. Texas, 539 U.S. 558, 926 (2003) (“Throughout this century, this Court also has held that the fundamental right of privacy protects citizens against governmental intrusion.”); Katz v. United States, 389 U.S. 347, 350-51 (1967) (“(T)he protection of a person’s general right to privacy – his right to be let alone by other people is like the protection of his property and of his very life, left largely to the law of the states.”); Griswold v. Connecticut, 389 U.S. 479, 484 (1965) (“(S)pecific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance.”). The “right to privacy” thus remains, over a century later, as amorphous as when academics first attempted to define it.

II. The Value of Data to Corporations

Despite the difficulty of precisely defining privacy, the antithesis of information privacy is fairly easy to define: ubiquitous surveillance. Surveillance on the internet is omnipresent.1313.See SCHNEIER, supra note 5, at 51. Internet surveillance is based primarily on the “persistent identifier,” colloquially known as the “cookie.” Originally intended to make surfing the web easier, cookies are an effective way for companies to track the websites users visit.1414.Id. at 47-48. They also enable advertisements to follow users from website to website and to personalize ads based on browser history.1515.Id. Though corporations are constantly collecting data for advertising purposes, data that is stored can prove to be valuable in other ways as well. For example, whether an individual prefers Coca-Cola over Pepsi, scented lotion over unscented, or a large purse over a small one, are not particularly valuable as single data points. But by combining data points, corporations can generate more individualized predictions.1616.See Ira Cohen, How Predictive Analytics is Transforming the Ad-Tech Industry, TDWI (Jan. 18, 2019), https://tdwi.org/articles/2019/01/18/adv-all-how-predictive-analytics-transforming-ad-tech-industry.aspx (https://perma.cc/4VPS-9A8F).

Take Target, for example. By using data points to uncover purchasing trends, Target developed an algorithm to predict which stage women were at in their pregnancy. When customers on the baby registry were buying large quantities of unscented lotion, for example, they were most likely at the beginning of their second trimester. Or when customers purchased prenatal supplements, they were usually within the first twenty weeks. When customers bought large amounts of soap and cotton balls, hand sanitizer, and washcloths, that signaled they could be approaching the delivery date.1717.Id. By estimating where a woman was at in her pregnancy, Target could send those customers coupons for products they might need in the near future.

Target’s strategy famously became the center of attention in 2011. A father, upset that his daughter had received advertisements targeted to pregnant women, went to a local Target branch to complain to the manager.1818.Kashmir Hill, How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did, FORBES (Feb. 16, 2012), https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did (https://perma.cc/LD7E-A3MC); see also Charles Duhigg, How Companies Learn Your Secrets, N.Y. TIMES (Feb. 16, 2012), https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html (https://perma.cc/XRJ3-ER9K) (describing how nearly every major retailer has a “predictive analytics” department devoted to understanding shopping and personal habits to more effectively market to them). The manager apologized to him.1919.Hill, supra note 18. Later, however, the father called the manager to say that he had been mistaken; Target’s algorithm had correctly predicted that his daughter was pregnant.2020.Id.

III. Mandated Disclosure

Certainly not everyone views privacy as cavalierly as some business leaders.2121.”The. Google certainly “remembers” things that we easily forget. And, Facebook CEO Mark Zuckerberg, whose entire empire is built on being “more open and connected,” takes credit for the evolution of sharing information as a social norm, and he has shown little regard for protecting data people willingly give from data harvesting by third parties, such as Cambridge Analytica.2222.See Anita Balakrishnan et al., Mark Zuckerberg Has Been Talking About Privacy For 15 Years — Here’s Almost Everything He’s Said, CNBC (Apr. 9, 2018), https://www.cnbc.com/2018/03/21/facebook-ceo-mark-zuckerbergs-statements-on-privacy-2003-2018.html (https://perma.cc/PWP4-SKL9). Lawmakers have tried for years to legislate privacy protections. Indeed, Congress has attempted to pass a federal privacy bill numerous times since the 1970s, only to have it defeated or gutted by corporate lobbyists.2323.Congress Is Trying to Create a Federal Privacy Law, ECONOMIST (Feb. 28, 2019), https://www.economist.com/united-states/2019/02/28/congress-is-trying-to-create-a-federal-privacy-law (https://perma.cc/K3VT-JBWB). The most recent effort, currently underway, came about as a result of the Cambridge Analytica scandal.2424.See Issie Lapowsky, How Cambridge Analytica Sparked the Great Privacy Awakening, WIRED (Mar. 17, 2019), https://www.wired.com/story/cambridge-analytica-facebook-privacy-awakening (https://perma.cc/DDU5-EQUX). Because the wheels of Congress turn very slowly, if at all, when it comes to complex problems, an easier and more politically palatable solution has been to write laws designed to give consumers more transparency as to what their data is used for in certain sectors.

The concept of “mandated disclosure” has served as the lynchpin for legislation designed to give consumers control of their personal data.2525.OMRI BEN-SHAHAR & CARL E. SCHNEIDER, MORE THAN YOU WANTED TO KNOW: THE FAILURE OF MANDATED DISCLOSURE 3 (2014). Mandated-disclosure regimes require specified entities to provide consumers with information to help them make better, more informed decisions. When buying a house, for example, state and federal laws mandate a dizzying array of disclosures. When buying software online, consumers must click “I agree” on a box that contains pages and pages of fine print.2626.See, e.g., I. Lan Sys. v. Netscout Serv. Level Corp., 183 F. Supp. 2d 328 (D. Mass. 2002) (holding that the clickwrap agreement was enforceable under the Uniform Commercial Code because the plaintiff accepted the agreement by clicking the “I agree” box); see also BEN-SHAHAR & SCHNEIDER, supra note 24, at 24 (depicting the iTunes terms of service which amounted to thirty-two pages of eight-point font). When applying for a credit card, a “Schumer Box” provides the APR, the finance calculation method, the grace period, the variable interest rate, finance charges, and other information designed to give the consumer the ability to make an informed decision that can have long-term consequences on one’s financial health.2727.The “Schumer Box” is named after then-Representative Charles “Chuck” Schumer. See 12 C.F.R. § 1026.5 (2019); see also What is a Schumer Box?, DISCOVER, https://www.discover.com/credit-cards/resources/what-is-a-schumer-box (https://perma.cc/3554-H4NC).

There are problems with this approach though. Most importantly, it depends on information that is often extremely complex, and which may be difficult for large segments of consumers to understand.2828.See BEN-SHAHAR & SCHNEIDER, supra note 24, at 8. Even experts can struggle to comprehend them. Senator Elizabeth Warren, once a contract law professor at Harvard Law School, famously declared that she could not “understand half of what [] credit card companies say” in disclosures.2929.Id. If an Ivy League law professor could not understand credit card disclosures, how can lay members of the public be expected to understand them enough to make an informed decision? Therein lies the heart of the disclosure problem. Lawmakers can easily mandate disclosures in response to a perceived lack of information problem under the theory that consumers will be armed with information they did not have before.3030.Id. Yet, that does not actually solve the problem. Mandated disclosure rarely leads to good decisions. Indeed, empirical evidence on “federal and state information policies, including but not limited to disclosure policies, suggests that they have not made consumers significantly better informed and safer.”3131.Clifford Winston, The Efficacy of Information Policy: A Review of Archon Fung, Mary Graham, and David Weil’s Full Disclosure: The Perils and Promise of Transparency, 46 J. ECON. LITERATURE 704, 713-14 (2008); see also BEN-SHAHAR & SCHNEIDER, supra note 24, at 7

IV. Sectoral Confusion: HIPAA and FERPA

Even when privacy protections extend beyond mandated disclosure, the sectoral approach provides only piecemeal protection. The failure of the government to regulate can leave consumers vulnerable especially. For example, the use of biometric data—such as fingerprints, facial patterns, and voice cadence—seems to be on the rise across many industries.3232.Jayshree Pandya, Hacking Our Identity: The Emerging Threats From Biometric Technology, FORBES (Mar. 9, 2019), https://www.forbes.com/sites/cognitiveworld/2019/03/09/hacking-our-identity-the-emerging-threats-from-biometric-technology (https://perma.cc/39QP-RPT6). Banking, technology, security, and insurance firms are seeking ways to use the data to enable greater access to and use of their products. 3333.Gabriel Hauari, Biometrics on the Rise as Insurers Look for Smoother Experience, DIGITAL INS. (Aug. 1, 2017), https://www.munichre.com/site/marclife-mobile/get/documents_E2104338863/marclife/assset.marclife/Documents/Publications/DigitalInsurance_Biometrics_9.18.17.pdf (https://perma.cc/J4Y7-LP4N). With little national oversight of biometric and other types of data, consumers are largely at the mercy of corporations who are constantly seeking new ways to profit.3434.See Alan S. Wernick, Biometric Information – Permanent Personally Identifiable Information Risk, AM. BAR ASS’N (July 2, 2019), https://www.americanbar.org/groups/business_law/publications/committee_newsletters/bcl/2019/201902/fa_8/ (https://perma.cc/P37W-BQYT).

And when legislation does exist, it typically only applies to certain sectors. For the past fifteen years, many organizations have favored this sectoral approach, as they themselves may not be regulated or might be regulated in a manner different than other industries.3535.Daniel Solove, The Growing Problems with the Sectoral Approach to Privacy Law, TEACH PRIVACY (Nov. 13, 2015), https://teachprivacy.com/problems-sectoral-approach-privacy-law (https://perma.cc/8EG7-6SDP).

One difficulty with the sectoral approach is the sheer complexity of statutes. They overlap in some areas, leave gaps in others, and do not make much sense in practice.3636.Id. For example, two federal laws, the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA),3737.Family Educational Rights and Privacy Act, Pub. L. No. 93-380, 88 Stat. 571 (1974) (codified as amended at 20 U.S.C. § 1232g). have generated significant amounts of confusion as to how they apply to schools based on what information is held and used. HIPAA prohibits covered entities from disclosing protected health information (PHI) to third parties without consent.3838.Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-6. FERPA schools that receive federal funding cannot disclose personally identifiable information (PII) without consent.3939.Family Educational Rights and Privacy Act, 20 U.S.C. § 1232(g).

HIPAA does not generally apply to public elementary or secondary schools because even though the schools employ healthcare providers, they do not engage in “covered transactions,” including billing a health plan electronically for their services. 4040.Does the HIPAA Privacy Rule Apply to an Elementary or Secondary School?, U.S. DEP’T HEALTH & HUMAN SERVS. (Nov. 25, 2008), https://www.hhs.gov/hipaa/for-professionals/faq/513/does-hipaa-apply-to-an-elementary-school/index.html (https://perma.cc/LZJ5-DJCZ); see also Comparison of FERPA and HIPAA Privacy Rule for Accessing Student Health Data, ASSOC. STATE AND TERRITORIAL HEALTH OFFICIALS, http://www.astho.org/programs/preparedness/public-health-emergency-law/public-health-and-schools-toolkit/comparison-of-ferpa-and-hipaa-privacy-rule (https://perma.cc/FM7P-PL93). However, when school-employed health-care providers electronically transmit healthcare claims to a health plan, then the school must comply with HIPAA rules associated with those transactions.4141.U.S. DEP’T OF HEALTH & HUMAN SERVS., supra note 40 To further complicate matters, even if school health-care providers electronically transmit health-care claims to a health plan, many schools may not be required to comply with the rules associated with these transactions under HIPAA if they only maintain health information in “education records” under FERPA, which is not “protected health information” under HIPAA.4242.Id.

V. The Omnibus Approach of the General Data Protection Regulation

The underlying presumption that the public will understand (or care) about the myriad disclosure laws required by dozens of different statutes serves to undermine the purpose of the entire enterprise of protecting privacy in the first place. As an alternative to this approach, after four years of debate, in April 2016, the European Union Parliament approved the GDPR.4343.The EU General Data Protection Regulation (GDPR) is the Most Important Change in Data Privacy Regulation in 20 Years, EU GDPR, https://eugdpr.org (https://perma.cc/DJV2-HB64). This overarching uniform regulation epitomizes the omnibus approach to privacy protection. Under the GDPR, all companies that operate in the EU, no matter where they are based, must comply with one set of data-protection rules.4444.GDPR Key Changes, EU GDPR, https://eugdpr.org/the-regulation (https://perma.cc/A8CA-6HLG). The GDPR views personal data as the property of the individual rather than the property of those who control or process the data. 4545.Id. Thus, the default is that, in order for companies to use consumer information, they have to inform consumers in such a way that consumers “opt-in,” or give consent to companies using their data.4646.Id. If privacy means having control over what is disclosed—or the ability to keep certain things private—then this default seems to make the most sense.

Of course, some organizations have expressed concerns with GDPR compliance. Those concerns generally take one of five forms. 4747.Top Five Concerns with GDPR Compliance, REUTERS, https://legal.thomsonreuters.com/en/insights/articles/top-five-concerns-gdpr-compliance (https://perma.cc/6ZU3-L8WR). First, organizations are required to implement changes with respect to accountability, transparency, and governance in order to minimize breaches.4848.Id. Organizations not only have to carry out the changes, but they have to be prepared to demonstrate to regulators that their measures are enough to ensure compliance.4949.Id. And it often takes some time for them to adapt to such changes.

Second, the GDPR imposes specific processes organizations must implement that they may not otherwise do, such as keeping internal records of data-protection activities, notifying regulators of data breaches within in seventy-two hours, and, for some organizations, appointing an official Data Protection Officer (DPO).5050.Id. The GDPR imposes the requirement of a DPO based on whether that organization processes or stores personal data. The size of the organization itself does not dictate the requirement, “rather the size and scope of its data handling” does.5151.Nate Lord, What Is a Data Protection Officer (DPO)? Learn About the New Role Required for GDPR Compliance in 2019, DATA INSIDER (July 15, 2019), https://digitalguardian.com/blog/what-data-protection-officer-dpo-learn-about-new-role-required-gdpr-compliance (https://perma.cc/LG8C-VTL4). Again, compliance requires time and resources.

The third concern is that regulators can handle noncompliance by issuing a warning, by imposing a ban on processing personal data, and/or by imposing a fine up to €10 million or 2% of the total worldwide turnover, whichever is higher.5252.Id. Data-protection regulators for each European country have the authority to impose fines for GDPR violations. In 2019, the United Kingdom’s data-protection authority, the Information Commissioner’s Office (ICO), fined British Airways €204.6 million and Marriott International €110 million.5353.GDPR Enforcement Tracker, CMS, http://www.enforcementtracker.com (https://perma.cc/KWU5-ZDKF). In January 2019, the French Data Protection Authority fined Google €50 million.5454.Id. The GDPR gives data protection regulators ten criteria to use when determining whether to assess a fine and in what amount: gravity and nature, intention, mitigation, precautionary measures, history, cooperation, data category, notification, certification, and any aggravating/mitigation factors.5555.What are the GDPR Fines?, GDPR EU, https://gdpr.eu/fines (https://perma.cc/P8RP-LU7L).

The fourth concern centers around certain undefined terms, including “undue delay,” “disproportionate effort,” and “likelihood of (high) risk to rights and freedoms.”5656.Top Five Concerns, supra note 47. When faced with compliance issues, lawyers must do their due diligence in consulting the text itself and relevant case law, especially since the GDPR is new with little in the way legal guidance from the EU.

The final concern deals with the GDPR’s extraterritorial reach.5757.Id. Article 3 of the GDPR provides, “This Regulation applies to the processing of personal data in the context of activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”5858.Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, art. 3. Due to the very broad interpretation of “establishment” by the Court of Justice of the European Union, the GDPR can apply to businesses that do not have formal establishments within the EU.5959.The Extra-Territorial Scope of the EU’s GDPR, FRESHFIELDS BRUCKHAUS DERINGER, https://www.freshfields.com/en-us/our-thinking/campaigns/digital/data/general-data-protection-regulation (https://perma.cc/666U-DRKA).

Additionally, smaller entities with fewer resources may never be able to fully comply with the vast number of requirements, and only the largest companies with the most amount of resources available can be fully compliant.6060.Pavol Magic, How Small Businesses Can Survive in the Age of GDPR, ENTREPRENEUR EUR. (June 27, 2018), https://www.entrepreneur.com/article/315366 (https://perma.cc/ZE3M-ZF5C). That is the argument at least.

According to the European Data Protection Board, the entity created for the application and enforcement of the GDPR, 144,376 complaints and queries, and 89,271 data breach notifications were logged by the supervisory authorities of European nations in the first year of the GDPR.6161.1 Year GDPR – Taking Stock, EUR. DATA PROT. BOARD (May 22, 2019), https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en (https://perma.cc/N679-AHYG). The number of complaints and queries marks an increase since 2017, confirming “the perceived rise in awareness about data protection rights among individuals shown in the Eurobarometer of March 2019.”6262.Id. At the time of this writing, the GDPR has been in effect for 1 year. The increasing number of complaints may indicate that small companies struggle to comply with the GDPR.

VI. State Regulation

While no omnibus federal privacy legislation currently exists, some states have implemented laws specifically addressing data collection and data privacy.6363.See Victoria Finkle, The States at the Forefront of Consumer Privacy Legislation, AM. BANKER (Mar. 3, 2019), https://www.americanbanker.com/list/the-states-at-the-forefront-of-consumer-privacy-legislation (https://perma.cc/HTS6-B3AB). Though arguably weakened by its emphasis on mandated disclosure, California’s most recent legislation represents an important first step towards state leadership in the information privacy space.6464.See Kristen J. Mathews & Courtney M. Bowman, The California Consumer Privacy Act of 2018, PRIVACY L. BLOG (July 13, 2018), https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018 (https://perma.cc/8AJB-QM8U).

The California Consumer Privacy Act of 2018 takes effect in 2020.6565.California Consumer Privacy Act, AB-375, 2018 Cal. Legis. Serv. 55 (West), https://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=201720180AB375 (https://perma.cc/3LNQ-ZW2P). In enacting the CCPA, the California Legislature made clear that it intends to give consumers an effective way to control their personal information through ensuring the following rights:

  1. The right of Californians to know what personal information is being collected about them.
  2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
  3. The right of Californians to say no to the sale of personal information.
  4. The right of Californians to access their personal information.
  5. The right of Californians to equal service and price, even if they exercise their privacy rights.6666.Id.

The Act continues, “a business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which categories of personal information shall be used.”6767.Id.

Despite the sweeping declaration of rights that Californians are to have with respect to their personal information, the law is fundamentally another disclosure regime.6868.See Natasha Singer, The Week in Tech: Countdown to the California Consumer Privacy Act, N.Y TIMES (Dec. 13, 2019), https://www.nytimes.com/2019/12/13/technology/california-consumer-privacy-act-ccpa.html (https://perma.cc/9M5J-3384). Rather than giving consumers control of their information as a default and requiring the business to get permission to access and use that information, the default in the Act allows businesses to collect and use consumer information so long as they tell consumers ahead of time.6969.Id. In other words, the default for the Act is that consumers may “opt-out” of the practice of businesses using their information. That is the opposite of the GDPR, which sets the default as consumers must “opt-in” to allow businesses to collect and use their information. Time will tell as to the effectiveness the disclosure requirement has on fulfilling the rights outlined in the Act. But despite this weakness, the CCPA is an important first step in states taking the privacy of their citizens into their own hands.

VII. Conclusion

In what is an extremely complex and complicated problem, the United States remains one of the only Western countries without comprehensive consumer data protection laws.7070.Nuala O’Connor, Reforming the U.S. Approach to Data Protection and Privacy, COUNCIL ON FOREIGN REL. (Jan. 30, 2018), https://www.cfr.org/report/reforming-us-approach-data-protection (https://perma.cc/T4HX-PJ8V). And the isolated sectors that privacy laws do touch rely on mandated disclosures. Until the federal government decides to address the ubiquitous collection and use of data by corporations with omnibus legislation similar to the GDPR—or until states take the lead on passing analogous legislation—the notion of privacy in personal information will continue to get lost in the hurricane.

†  Assistant Professor of Entrepreneurship, Technology, and Law, Bradley University. J.D., Indiana University McKinney School of Law, LL.M., Notre Dame Law School.