Politicizing User Information: How Partisan Divisions in Congress Affect Personal Liberties Online

Published on in Government/Public Policy/Technology/Volume I

By Jonathan Kwortek

Recently, scandal involving Cambridge Analytica, a political data firm, dominated the news cycle for weeks on end. Cambridge Analytica’s misuse of personal information from Facebook to target individuals with political advertisements[1] compelled Congress to invite Facebook’s CEO Mark Zuckerberg to testify. While Republicans’ questioning displayed an interest in the social network’s handling of conservative views, Democrats focused on the timeliness of Facebook’s intervention after discovering election meddling efforts.[2] Zuckerberg’s Congressional testimony, however, does not adequately represent the extent of legislative efforts to remedy these concerns with social media. Despite Facebook’s intense scrutiny, on September 28, 2018, the social media company announced a data breach that compromised the information of 50 million accounts. This breach was the largest in the company’s 14-year history, and the hackers found a weak link in Facebook’s code to gain control of user information.[3]

Social media has transformed from an entertaining way to maintain personal connections to an integral facet of American life, but the legal structures in place to protect user’s information ­– the profit source of social media companies – has not expanded as rapidly as the technology. Data privacy laws do not appear within one large statute under the United States Code[4]; instead, a variety of administrative agencies and a patchwork of statutes form the basis of the regulatory structure for social media companies.[5] These statues range from the Federal Trade Commission Act[6] (FTC Act) broadly to individual sectors like the Gramm-Leach-Bliley Act[7] (GLBA) for financial institutions and the Health Insurance Portability and Accountability Act[8] (HIPAA) for healthcare.

Although data security is a rapidly growing legal sector, this area of law is outpaced by the expansion of technology and the ways in which social media companies use our data.[9] While California has created a remedy for this problem, Congress has failed to act in a commensurate manner. California Governor Jerry Brown recently signed the California Consumer Privacy Act (CCPA), which creates a broad array of protections for technology consumers’ personal information.[10] This article argues that Congress should mirror the CCPA, but Congress’ passing of this legislation is unlikely due to the partisan divide in this highly politicized era. The article begins with a discussion of the intent, scope, and drawbacks of the CCPA. Then the article examines how partisan fights in Congress have impeded any path to a consensus solution.

The Swift Passage of the California Consumer Privacy Act

On June 28, 2018, California signed into law the California Consumer Privacy Act (CCPA) which takes effect on January 1, 2020. Although the CCPA initiative was approved for the November 2018 ballot[11], California’s legislature instead passed similar legislation before the June 28th deadline to avoid submitting the initiative to the California voters.[12] This allows the CCPA to be an amendable text, as opposed to an approved ballot proposal which cannot be amended.[13] The legislation is the most expansive protection of user information and establishes certain rights for consumers who use social media companies that conduct business in California, including the right to know what information is being obtained, to request deletion of all users’ personal data, and to opt out of the sale of users’ personal information.[14]

The same characteristics that make the CCPA appealing to consumer rights activists— the CCPA’s broad application—are the same characteristics that opponents denounce. The CCPA covers businesses that are involved in brokering data[15] of 50,000 or more individuals, whose annual revenue comes mainly from the sale of consumer personal information, or that have at least $25 million in annual gross revenues.[16]  Critics believe the CCPA places too large a burden on small to medium sized businesses; California Attorney General Xavier Becerra has expressed worries about the responsibilities the CCPA imposes on the Attorney General office.[17] Even the CCPA’s proponents have argued that the legislation does not go far enough because companies can charge higher prices to users’ who opt out of information sharing.[18]

Despite this criticism, the CCPA marks the first legislative effort to establish rights for consumers’ personal information and to address growing privacy concerns and rise in data breaches.[19] The law specifically cites many recent data breach scandals—Cambridge Analytica included—as the impetus for the CCPA’s creation.[20] Substantively, the CCPA establishes the rights for consumers to request that businesses disclose the categories and specific pieces of personal information the business has collected, to request that businesses delete any personal information that was collected, and to know how and to whom consumers’ personal information was sold or disclosed.[21] Further, the State Assembly also ensured that any issues arising in scope or administration of the law could be changed by drafting the CCPA through the legislative process rather than as a ballot initiative. While the CCPA has its limitations, the act is an unprecedented step forward for data privacy rights.

Capitol Hill’s Response to Data Privacy Concerns

Members of Congress could enact federal legislation similar to the CCPA but have not made the same bipartisan strides present in California. Immediately following the news reports that Cambridge Analytical harvested user information from Facebook accounts which the Trump campaign used for targeted political advertisements[22], a political wall began to rise.

Members of Congress could enact federal legislation similar to the CCPA but have not made the same bipartisan strides present in California. Immediately following the news reports that Cambridge Analytical harvested user information from Facebook accounts which the Trump campaign used for targeted political advertisements, a political wall began to rise.

The Trump campaign was then under FBI Investigation into collusion with foreign governments to interfere in the 2016 election. Since data privacy was at the center of the election interference, both political parties used the Zuckerberg Testimony to make a partisan example of the social media company. Both Republicans and Democrats criticized the Facebook CEO.[23] The reason for the disapproval, though, was split along party lines.[24] Democrats asked about the foreign use of Facebook data to interfere in elections.[25] Republicans focused on the platform’s treatment of conservative views, a complaint often charged against tech companies from conservatives.[26] Yet, all Congressional members expressed concern for Facebook’s user agreement, future handling of election meddling complaints, and Facebook’s handling of user information.

Despite the anti-regulatory climate in Washington and Facebook’s government lobbying[27], some proposed legislation has been backed by Congressional members—the bipartisan[28] Honest Ads Act which makes social media platforms disclose the source of political advertisement funding and Senator Ed Markley’s Consent Act which requires users to opt-in to data sharing[29].[30] Even Republican Senator John Thunes said, “In the past, many of my colleagues on both sides of the aisle have been willing to defer to tech companies’ efforts to regulate themselves, but this may be changing.”[31] But these examples are outliers, not the rule. Critics of comprehensive tech industry regulation cite freedom of speech[32] and general business regulation concerns while disdaining these legislative efforts.  Currently, no broad, bipartisan effort exists to enumerate consumer information rights on a national level similar to the state-level rights contained in the CCPA.

The Political Hurdle Ahead

Partisan differences and the events that have politicized social media—including Cambridge Analytica, the FBI investigation of the Trump Campaign, and Zuckerberg’s Congressional Testimony—have stalled the possibility of Congress passing substantial regulation. California legislators collaborated to introduce and pass broad legislation designed to protect user’s information. California recognizes the protection of personal information as a right, and this now enumerated right provides trust to consumers who use interact with a company online. If this was replicated nationally, members of Congress could set a standard that individuals’ information is more valuable than the price social media companies’ assign to it when they sell user information to advertisers.

 

 

 

 

[1] Matthew Rosenberg et al., How Trump Consultants Exploited the Facebook Data of Millions, N.Y. Times (Mar. 17, 2018), https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html.

[2] Transcript Courtesy of Bloomberg Government, Transcript of Mark Zuckerberg’s Senate Hearing, Wash. Post (Apr. 10, 2018), https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/?noredirect=on&utm_term=.914a66239ee2.

[3] Id.

[4] US Privacy and Data Security Law: Overview, Practical Law Practice Note Overview 6-501-4555

[5] Id.

[6] Federal Trade Commission Act, 15 U.S.C §§ 41-58.

[7] Graham-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended in scattered sections of 12 U.S.C. and 15 U.S.C.).

[8] The Health Insurance Portability and Accountability Act of 1996, P.L. No. 104-191, 110 Stat. 1938 (1996).

[9] Id.

[10] California Consumer Privacy Act, https://www.caprivacy.org/ (last visited Sept. 30, 2018).

[11] For a discussion of California’s Proposition System, see generally Andy Warner, Majority Rules: How California’s Proposition System Works (with Lesson Plan), KQED News, https://www.kqed.org/lowdown/14882/majority-rules-how-propositions-make-it-on-the-ballot-in-california-infographic (last visited Oct 20, 2018).

[12] Art Neill, What You Should Know About the New California Consumer Privacy Law, FORBES (Jun. 29, 2018), https://www.forbes.com/sites/artneill/2018/06/29/what-you-should-know-about-the-new-california-consumer-privacy-law/#74e05431f76f.

[13] Id. (“[O]nce an initiative is approved for the ballot, the text is permanent, which means that there is no way to improve or amend the text based on comments from various stakeholders (as opposed to going through the legislative process, which allows for such comments and improvements to be made).”).

[14] The California Consumer Privacy Act of 2018: Summary and Comparison to GDPR

[15] “Brokering Data” includes businesses that buy the data, sell the data or share the personal information of individuals, devices, or households. California Consumer Privacy Act (CCPA) (Questions/Answers), Intivix, https://www.intivix.com/california-consumer-privacy-act-ccpa-questions-answers/ (last visited Oct 26, 2018).

[16] Id.

[17] Harriet Pearson et al., Consumer Privacy Act: The Challenge Ahead, Lexology, https://www.lexology.com/library/detail.aspx?g=ac6d94a0-0b7d-41a4-8d76-7b6cfa5f4d8d (last visited Oct 28, 2018).

[18] Adam Schwartz, Lee Tien & Corynne McSherry, How to Improve the California Consumer Privacy Act of 2018, ELECTRONIC FRONTIER FOUNDATION (Aug. 08, 2018) https://www.eff.org/deeplinks/2018/08/how-improve-california-consumer-privacy-act-2018.

[19] California Consumer Privacy Act (CCPA) (Questions/Answers), Intivix, https://www.intivix.com/california-consumer-privacy-act-ccpa-questions-answers/ (last visited Oct 26, 2018).

[20] Id.

[21] Art Neill, What You Should Know About the New California Consumer Privacy Law, FORBES (Jun. 29, 2018), https://www.forbes.com/sites/artneill/2018/06/29/what-you-should-know-about-the-new-california-consumer-privacy-law/#74e05431f76f.

[22] The California Consumer Privacy Act of 2018: Summary and Comparison to GDPR

[23] See Transcript Courtesy of Bloomberg Government, Transcript of Mark Zuckerberg’s Senate Hearing, Wash. Post(Apr. 10, 2018), https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/?noredirect=on&utm_term=.914a66239ee2.

[24] Id.

[25] Id.

[26] Id.

[27] In 2017, Facebook spent $11.6 million in government lobbying. Natasha Bach, Google Outspent Every Other Company on Washington Lobbying Last Year, Fortune, 2018, http://fortune.com/2018/01/24/google-facebook-amazon-apple-lobbying-efforts/.

[28] The Honest Ads Act was introduced by Democratic Senator Mark Warner, Democratic Senator Amy Klobuchar, and Republican Senator John McCain. America’s Tech Giants Have no Political Party to Protect Them, Economist (Oct. 26, 2017), https://www.economist.com/united-states/2017/10/26/americas-tech-giants-have-no-political-party-to-protect-them.

[29] Zuckerberg supports the Honest Ads Act; the Consent Act has not been endorsed by the tech giant’s CEO. Hanna Kozlowska & Heather Timmons, What We Learned from Mark Zuckerberg’s Congressional Testimony, Quartz (Apr. 13, 2018), https://qz.com/1251646/what-we-learned-from-mark-zuckerbergs-congressional-testimony/.

[30] Id.

[31] Id.

[32] Lincoln Caplan, Should Facebook and Twitter Be Regulated Under the First Amendment?, Wired, https://www.wired.com/story/should-facebook-and-twitter-be-regulated-under-the-first-amendment/.