Only the Right Kind of State ‘Techlash’ Will Lead to Meaningful Privacy Protection
Ian Adams and Pasha Moore
Privacy concerns are at the forefront of the current so-called “Techlash.” Be it a social network, an insurance company, or a state, high-profile data breaches regularly lead to breathless headlines that dominate news cycles.
As a result, privacy is now unsurprisingly one of the largest public concerns. According to a recent Pew Research study, 61 percent of Americans would like to do more to protect their digital privacy and approximately two-thirds believe current privacy protection laws are not good enough. State and federal elected officials are taking note.
Given the public outcry for a legislative privacy solution, it is critical that policymakers, particularly those who value personal freedom and free enterprise, avoid rushing headlong into a quick — and damaging — fix. At the state level the ability to act is greatest, and the need for caution in these “laboratories of democracy” is most profound.
There are three major problems with current state legislative responses to the privacy question: objective/outcome mismatch, inconsistency and overbreadth.
First, legislation is tending to focus on regulating data collection without addressing any actual privacy harms, thereby mismatches objective and outcome. That approach does not actually protect privacy; instead it treats “privacy” and “data collection” as one and the same.
Recently, California, inspired by the European Union’s General Data Protection Regulation (GDPR), adopted the California Consumer Protection Act (CCPA). The CCPA purports to give California residents the right to control their own data. It does so by, among other things, requiring organizations to have a “business purpose” for their use of consumer personal information and requiring businesses to comply with consumer demands for “their” data within 60 days.