Data Privacy: Current Landscape & Future Directions
Discover the evolution of data privacy laws, from foundational policies to today’s fragmented landscape, and envision the global frameworks of tomorrow.
PAST | 1990s–2010s
Privacy as a Fundamental Right
Privacy is a time-honored principle in the United States, dating back to the 4th Amendment in the Constitution’s Bill of Rights, which safeguards citizens against illegal searches and seizures. As communications technology advanced, citizens began clamoring for privacy protections to keep up.
In the early 1970’s, the United States Department of Health, Education and Welfare explored these issues and released findings that led to passage of a new federal law. The Privacy Act of 1974 established a Code of Fair Information Practice governing federal agencies’ collection, maintenance, use, and dissemination of personally identifiable information.
As the internet gained traction in the late 1990’s and online commercial activity grew, industry experts (and to a lesser extent consumers) began talking about the role of privacy in the burgeoning internet ecosystem. According to Robin Andruss, Chief Privacy Officer for data security company Skyflow, the focus was really on data security, not privacy per se. She writes:
In the early period of internet adoption, the concept of ‘privacy’ was secondary to the focus on ‘security’. As early internet users got used to remembering passwords and using email, companies had to devise new ways to prevent fraud and data theft. For the average user, privacy and security were one and the same — there wasn’t yet an idea of data being used beyond its explicit purpose, let alone being sold to advertisers.
The advent of online advertising marked an inflection point in the privacy story. The first major online advertising agency, DoubleClick, launched in 1996, and Google pivoted adopted an online advertising model in 2000. Suddenly, thanks to the rise of cookies technology, online behavior and consumption habits were part of one’s personal profile.
Still image from the movie Wiretapper, released 1955
In the absence of a federal law, individual states were left to establish their own statutes. California was on the vanguard of the digital privacy protection movement. The California Consumer Privacy Act (CCPA) went into effect in 2020, followed immediately by the California Privacy Rights Act (CPRA); in combination, these laws gave consumers new rights over their personal data and held businesses accountable for protecting it. States such as Virginia, Colorado, Utah and Connecticut followed suit.
As social media proliferated in the 2000’s, concerns about privacy grew. The 2018 Cambridge Analytica scandal on Facebook was a major wake-up call for many. In this case, user data was collected under the guise of academic research. Individuals’ online behavior, as well as that of their connected friends’, was harvested, sold to the political consultancy, and used for psychological profiling and serving up tailored political ads. Fueled by extensive media coverage, American consumers began waking up to the perils of online data collection. In response, the federal government began to turn its attention to privacy once again.
PRESENT | Today, 2024
A Patchwork Quilt of State Privacy Laws
U.S. consumer groups and online activists have been clamoring for federal privacy regulations for several decades. However, as of today (Dec. 2024), the United States lacks a comprehensive law addressing consumer privacy in the digital domain. This strongly contrasts with Europe, which is governed by the GDDP (Guidelines on the Protection of Privacy and Transborder Flows of Personal Data), passed back in 1980! This GDDP articulates clearly defined privacy principles and gives consumers significant control over their personal online data.
In 1986, the U.S. Congress passed the Electronic Communications Privacy Act (ECPA), which prohibits the interception of electronic communication such as emails and phone calls without a court order. However, the law has not caught up with current technologies and data practices and is widely considered to be outdated.
What we’re left with in America is a smattering of state laws. In the past 5 years, 16 states have passed privacy laws, reflecting a growing recognition that digital privacy – and the regulation of companies to protect it – is a priority for citizens and consumers.
Map of present state policies from International Association of Privacy Professionals
While the United States lacks a comprehensive federal approach to data privacy, there are clearly articulated privacy requirements in particular sectors of society, as follows:
-
Health: HIPPA (Health Insurance Portability and Accountability Act of 1996) covers communication between patients and “covered entities” such as hospitals, doctors, and insurance companies.
-
Education: FERPA (The Family Educational Rights and Privacy Act of 1974) prohibits K-12 or post-secondary educational institutions from sharing student records without express permission from their families.
-
Personal Finances: The FCRA (Fair Credit Reporting Act of 1970) covers the collection and use of consumer credit information. It limits the use of this information to specific functions such as credit, insurance and employment evaluations and guarantees that consumers can receive free credit reports annually. The GLBA (Graham-Leach-Bliley Act, or Financial Services Modernization Act of 1999) requires that consumer financial companies disclose how they use data and imposes strict data security requirements on financial companies.
-
Children: The COPPA (Children’s Online Privacy Protection Act of 1998) puts certain limits on data collection for children under the age of 13. Parents must give affirmative consent for collecting information such as names, email addresses, etc.
​
A glimmer of hope for federal U.S. privacy legislation appeared in July 2022, when the Energy and Commerce Committee of the U.S. House of Representatives drafted the American Data Privacy Act (ADPA) and voted overwhelmingly to advance the legislation. Although the bill had strong bipartisan support in committee, it faltered over arguments about whether it would pre-empt stronger state privacy laws, as well as lobbying from business groups about the provisions for consumers to sue companies for privacy breaches. While many members of Congress claim that data privacy is an issue that should be tackled, there does not seem to be strong, coordinated momentum for it at the moment.
FUTURE | 2025 and Beyond
Increasing Pressure for Privacy
ADPA has stagnated in Congress, so comprehensive federal legislation is unfortunately not around the corner. However, there are several key trends that will likely “force” Congress to act at some point in the future.
One factor that will likely influence federal action is the fact that different states have different privacy laws, so it is hard for companies to operate seamlessly across state borders. Kade Crockford, director of the Technology for Liberty program at the ACLU of Massachusetts, described it this way in a Politico article:
“[W]hen you pick up a bottle of shampoo in New York state, you can read the words, ‘the state of California has forced us to say this product causes cancer. It’s the same general idea — the shampoo company isn’t going to make different shampoo bottles for consumers in California and New York.”
In addition to navigating the patchwork quilt of state laws, companies transacting with consumers in Europe need to comply with the EU’s GDDP. The complexity of navigating all these different state and international laws may encourage big tech to work with government, and consumer groups, to formulate a federal solution. However, there will invariably be tension - and ultimately compromise – between what corporations want and what organizations like the ACLU demand.
​
Another important driver of federal action will be an outcry from the public itself. As described in a 2022 Harvard Business Review article, people may start to “vote with their thumbs.” In other words, consumers will express concerns about privacy and stay away from services that exploit it – and, conversely, migrate to services that protect it. Companies that tout data privacy as an explicit benefit will attract consumers; Apple’s iOS 14.5 features a way for consumers to block certain (or all) apps from tracking them.
Future Pew Data, Image from Pew Research Center
​In addition to modifying their own online behavior, consumers will likely put increasing pressure on their elected representatives. It’s not hard to envision that some future data breach or scandal will finally serve as the tipping point for consumers to demand that Congress address data privacy.
With every widely reported data scandal (e.g. the Wall Street Journal’s coverage of Grindr data being sold to 3rd parties), consumer ire peaks – then seems to recede. However, due to growing concerns about AI and the growth in biometric data-based businesses, American citizens appear more concerned than ever before. At some point this has to get converted into federal action (doesn’t it?!).