Privacy Lawls with Donata

Ep.15 | What’s the deal with U.S. privacy laws? (Guest: Darin Moore)

Why is the United States so divided when it comes to privacy? Will there ever be a federal law or will it always remain up to the states to draft their own?


Hello, and welcome to episode 15 of Privacy Lawls, where I, Donata Stroink-Skillrud, speak with amazing privacy professionals, and we have some laughs along the way as well. This podcast Termageddon, an auto-updating Privacy Policy Generator. Today, I’ll be speaking with Darin Moore to provide you with an overview of privacy laws in the United States.

Darin is an associate general counsel and graduate of the University of Illinois, Chicago Law School, which is where I went to law school too. He has worked in the technology and SaaS industry for nearly nine years for companies in various sectors, including finance, retail, and hospitality. Darin obtained his CIPP EUS in 2020, and has specialized in privacy law, specifically for complex commercial transactions.

Darin, thank you so much for joining me today. Um, I wanted to ask you what sparked your interest in privacy. Well, thanks for having me, first of all. Uh, secondly, probably just like everyone else, [00:01:00] you start to get customers that ask about privacy law, especially around 2019 when GDPR and CCPA were coming out.

Um, so I had a lot of customers asking me about what our privacy practices were. And how we, how we manage privacy, um, and, you know, privacy requests and stuff like that. So I got my CIPP in order to help them and discuss with them our privacy practices. And getting that privacy certification actually really helped me to understand the company’s current obligations and come up with proactive solutions for anything that might come up in the future.

So that’s, that’s basically the reason I started. It’s really interesting because like you said, you hear that from a lot of privacy lawyers, like GDPR came out and that’s when everybody started in privacy or most people started in privacy. Then I should have looked this up before we started, but I’m really curious as to like, how many jobs has GDPR created, um, within the EU [00:02:00] and outside of the EU.

Cause you hear that so many times of, you know, people saying, well, GDPR came out and this became like an interest for our clients. That’s right. Yeah. I, I know a ton of people that scrambled to get their privacy certifications after 2019 came out. Yeah, me too. That’s actually, you know, we started Termageddon before GDPR, uh, but it was kind of a backburner project and then GDPR went into effect and that’s when we started getting like really serious about it.

Um, and that’s where I switched over careers from the job that I had before to this, um, because we saw like a huge demand for, you know, privacy policies and all the other stuff when GDPR came out. Yeah. I noticed, um, when applying for jobs and, um, just reading through the job descriptions, privacy is always on there now where, you know, it used to be like a specific title that you had if you were the privacy person, but now it’s expected that everyone should, should know at least a little bit.

Yeah. [00:03:00] Yeah, absolutely. Um, so in your career as legal counsel, you work with many different departments within organizations like product and engineering teams, security teams and marketing teams. What advice do you have for lawyers who may find it challenging to work with colleagues outside of the legal department?

So I actually, um, had this, this issue working with departments when I first started out. Um, you just, you’re not used to dealing with the business and you only really know the law and, and how to interact with lawyers being in law school. Um, but the one thing that I would say it helps is to listen to the other party.

Um, when you listen to them, it not only builds trust, but it shows that you care about what they’re saying. Um, and it helps you to identify areas for help. Um, and like I said, developing trust with the stakeholder and trust is [00:04:00] key for, you know, working relationships and collaboration. So I would recommend listening to them, building that trust early and often.

And I’ve usually found that when I do that, a lot of, um, really good friends come out of it. A lot of champions, uh, my champions in the, in the, uh, the corporation. So, yeah, it’s interesting because I’ve done this in the past too. And, and, you know, you talk to the engineering team. They’re like, we’ve never had to deal with this before, you know, we’ve never had to adjust the way we code or the way we design things based on privacy requirements.

So why do we have to do it now? Um, and one thing that I found helpful, at least in my experience, is explaining why. Um, because at least for me personally, like, if I don’t know why I’m doing something, it’s going to be really hard to get me to do something right. Because I don’t think it’s important. I don’t know why I have to do it.

So I found, um, also in addition, um, you know, explaining why you’re doing certain things. Um, I think that really helps build trust too. Yeah, [00:05:00] I agree. Yeah. Um, so kind of personal question. Um, you know, I really enjoyed your article that you titled when you hear your family. Um, you know, you’re a full time lawyer who’s, who’s a parent as well.

Um, what advice do you have for full time lawyers who are also juggling a demanding career being a lawyer and a family to, um, I would say one, one important thing to know is that you aren’t alone. There’s tons of parent lawyers out there. Um, being able to find Yeah. You know, a mentor or even a friend that can help you discuss some of these issues is, is very important, um, because, you know, juggling family and a legal career is difficult for even the most veteran lawyers out there.

So I would say that I would also say, make sure you evaluate your priorities. Well, um, work isn’t everything. You know, like work is very important to us, of course, but, um, you know, family’s very important as well. And so [00:06:00] be flexible, I think when necessary is what I would say, but it’s okay to readjust your, your work expectations.

If you need to spend more time with family, um, just being able to discuss that with people to really helps a lot. Yeah, definitely hats off to all the working lawyer parents out there. I don’t have kids and I cannot imagine how you guys do it because it just seems like it’s so much, you know, you have your work and then you have to pick up the kids from school or drop them off and take them to school.

All the different places and activities and things. And yeah, that’s, uh, that’s very impressive. That’s, uh, definitely a feat of time management, I think. Oh yeah. It teaches you a lot too. You know, you know, time management, dealing with difficult personalities, all that, all that good stuff. So yeah, hats off.

Yeah. It’ll be really interesting to see, um, if your kids grow up and want to be lawyers, just like you, you know? Uh, yeah. I mean, they They could definitely do it right now [00:07:00] with the amount that they argue with me. So you’re getting them ready early, right? Right. Um, so if people want to reach you, uh, where can they connect with you online?

Uh, my LinkedIn is probably the best way to get in contact with me. Uh, linkedin. com slash in slash Darin W. Moore. D-A-I-N-W-M-O-O-R-E, or you can go to my website at darin w moore com. Awesome. That’s great to know. Um, all right, so let’s get into the, kind of the main meat of what we’re talking about today, which is, um, privacy laws in the us.

Um, so in the US we do have several, several federal privacy laws, um, covering only certain information like healthcare data, children’s data, financial data. But there’s really no comprehensive, overarching federal privacy law. Um, why do you think that’s the case? Well, kind of to our point earlier, um, nobody even really thought [00:08:00] about privacy, really, until the GDPR came along.

So I don’t think that there was really an interest in pushing a law until individuals started to get to know how their names are used and a lot of their personal information is used on the internet. So I think because the, uh, the populace is much more educated in it now that pushed the governments, the state governments and federal governments to, to start pushing laws.

Yeah. I think that all kind of started with GDPR and Cambridge Analytica where, you know, everybody saw, you know, if I put my information into a website, this is what can happen and it’s not just like, Oh, they’re going to serve me ads, which some people hate, some people like. It’s all also like this information could be used to manipulate you in certain ways.

Um, you know, and I, I think at least. In my experience in the last several years, you know, it’s, it’s almost like, [00:09:00] um, great examples. My phone is essentially unusable now because I get so many spam calls every day, you know, and it’s spam calls for things that are just so beyond what I would be interested in, like Medicare, right?

Like I don’t, I don’t have Medicare. Why would I be interested in this? Um, you know, and just having that continuous spam, just endlessly assault you day and night day and night. You know, I think a lot of people are realizing, Hey, maybe we shouldn’t be living like this, you know, maybe we should have certain rights.

And maybe if we don’t want to do business with somebody, maybe we could ask them to delete their data so they don’t call us anymore, um, you know, or maybe I got married and I want to change my last name on different companies’ databases, and it’s such a pain to do it. Like I have to send 30,000 different kinds of documents to 30,000 different companies instead of just filing a data correction request.

Um, so yeah, I think, you know, a lot of people are fed up with it and I think you’re right. That’s why we’re seeing so much more interest on this. [00:10:00] Yeah, I agree. Uh, to your point, you know, being able to correct information or delete information, you have to, you have to send so many different requests. I mean, there are services out there that could do it for you, but you should, you should be able to at least do it yourself, if, if anything.

Yeah, absolutely. Um, and in the last few years, we have seen multiple proposed federal privacy bills, but none of them have passed. Why do you think it’s so difficult to pass the federal privacy law in the U.S.? And what are some of the contentious aspects of these bills? I would say the American Data Privacy and Protection Act, the one that was in 2022, that didn’t pass because I believe I’ve read that it didn’t guarantee the same protections as some of the existing laws, state laws.

I think at the time there were about 13 plus state laws. Um, there’s probably disagreements on enforcement and remedies. Um, uh, from what I’ve read, that [00:11:00] was the main things. Um, I don’t know. I would say the most contentious portions is probably the preemption of state privacy laws, just like people are worried about with the ADPPA.

You know, there are certain state laws that have a private right of action for, for individuals and, uh, the good majority of them don’t, but there’s like one or two states that do have that as part of their laws, um, you know, and it gives different privacy rights for individuals like being able to correct your information, being able not to process for profiling reasons.

I think that those are probably the most contentious portions is the preemption. Yeah. It’s interesting. Whenever they propose a federal privacy law, you’re almost guaranteed to get a letter from California saying that, um, our residents deserve more protections or equal protections to what we provide under state privacy law.

Um, you know, that’s, that’s almost [00:12:00] always guaranteed is that letter from the AG’s office saying, you know, this needs to be beefed up. Um, and I think it’s. It’s interesting how many consumer protection groups get involved and how many, um, groups that represent business interests get involved. Um, and they’re always butting heads, you know, businesses want less obligations, consumer protection groups want, um, more privacy rights for individuals.

Um, and it just seems like we don’t have a system where. Um, you know, you can come together to come to an agreement. Um, and I think one of the issues is that these laws, um, they’re written so quickly, you know, um, so if we had like a full process where, you know, everybody got together, got all their thoughts out, there’s like a thorough drafting process, similar to what was done with GDPR.

Maybe we’d be in a different boat, but then, you know, here, somebody writes the law and then they argue about it, right? Yeah. You know, [00:13:00] the, the federal government operates usually at such a glacial pace that it’s kind of weird that these laws get written so quickly. Yeah, it’s like somebody writes them up and then they, they discuss them.

What I’ve seen like in the past, the state laws is really interesting too. I’m not sure if you’ve seen this where, uh, like I use State Net to, um, track bills and I saw this thing where, uh, one of the states proposed a privacy law and it was a mirror copy of another law from another state and they just replaced the state names.

Yeah. Um, and usually how it works is like the privacy level, say the solve will apply to you if you collect the data of 35,000 residents of a particular state or whatever, but they forgot the number and the number was just, there’s like a blank, like clearly a blank where the number was supposed to be.

Uh, so like their copy and paste wasn’t even, you know, working that well, cause they deleted some stuff and then forgot to add other stuff. [00:14:00] You know, having these laws passed and then having to navigate these laws is very difficult because you know, that no thought or effort was put into it. put into proposing some of these in certain states, which is very frustrating.

Right. Yeah. No, I agree with you. So, um, while we have no comprehensive federal privacy law, uh, we’ve seen attorneys adapt by filing lawsuits, hoping that old unrelated laws can be adapted to fit, uh, modern privacy violations. Um, one example of this is the Video Privacy Protection Act. Um, can you tell us a little bit about this act, um, why it was passed and how it’s being used now?

Sure. So the Video Privacy Protection Act was, um, around 1988, I believe is when it passed, um, it was, it was to address videotape service providers, which if you are old enough, you remember Blockbuster and Hollywood Video. Actually used to work at a Blockbuster. So that tells you how old I am. Um, [00:15:00] so, uh, they, in order to provide the services they would require for you to give some of your personal information like your name, um, later on, probably email address, physical address, um, the VPPA prohibited knowing disclosure of personal information other than to the consumer or with permission of the consumer.

And so it also allowed for PI to be destroyed after, um, as soon as practicable, it said, but no later than one year after is no longer necessary. So that’s kind of the basics of what the VPPA addressed. Um, recently it’s been evolved to use against, uh, streaming services and other, and other companies. Um, recent cases really interpreted them, the videotape service provider to be any website that contains video content and user tracking tools like pixels.

Um, many of the recent cases narrowed the scope of those providers to companies and websites [00:16:00] that are centered around offering video content, not just those who use it as like, for example, a marketing strategy. Um, I know Walmart was sued for sharing their video purchasing records with Meta. And I believe, um, Chick-fil-A also reported to Meta what videos people were watching on their website.

So it’s gone a little bit beyond just, you know, videotape service provider. Yeah. Yeah, this one’s really interesting to me. Um, funny thing that I saw the other day, it was like a video where somebody was purchasing alcohol. And they asked them to show them their ID and they show their Blockbuster card.

And they were able to continue with that because, you know, nobody under a certain age has a Blockbuster card anymore. That is true. But I think it’s interesting because it was meant to prevent companies like Blockbuster from sharing video records with somebody else, but now it’s being used for websites, right?

So like, it’s, it’s [00:17:00] a lot different from, Hey, she rented these 3 movies to she watched these 3 videos, um, on a particular website and I think it shows that companies that, you know, run ads based on who watched a particular video on their website. Um, by sharing that data with, like you said, Meta, um, you know, are getting into trouble now, which is not something that people were ever expecting to be an issue, right?

So many businesses have videos on their website, um, you know, whether it’s for sales or marketing or, or just general education. And the way they’ve set it up always is that, you know, you run ads because they watch this video. So they’re clearly interested in your products or services. Um, and now you can’t really do that anymore.

Yeah, that’s true. It is a lot more of a narrow scope, I believe, for the kind of activities that they’re tracking now. So yeah, it is a little scary. Yeah, it definitely is. Um, but, you [00:18:00] know, obtaining consent. Um, that could potentially, uh, be a defense to, to all this stuff. Um, which is why we’re seeing so many more of these could be consent banners, even on U.S. websites.

Um, it’s because of lawsuits like this, um, and a very similar situation as the California Invasion of Privacy Act, um, and that being used to file lawsuits against businesses for website tracking, um, can you tell us a little bit more about that? Sure. So the, the CIPA was, um, trying to prevent attempted eavesdropping or wiretapping, uh, this was introduced back in the sixties, um, but it’s been recently used to challenge whether websites can use tracking technology without consent.

Um, I know that the Ninth Circuit held that wiretapping under CIPA can’t apply to internet communications. So of course that then opens the floodgate of litigation under CIPA. Um, the claim can apply to [00:19:00] different software used to track consumers on websites. Like I said, pixels earlier, you can use the chat functionality that you see in most websites.

Um, a whole host of different ways that you could be able to track the user. So I’m sure that’ll be introduced in a lot of these new lawsuits. Yeah, there’s so many lawsuits being filed, um, filed about these, and actually in our next episode, we’ll talk more about CIPA as well, um, from a lawyer who defends companies against these lawsuits.

Um, but I think this is really interesting as well, you know, a law from the 60s to prevent eavesdropping on landline phones, um, being used for, for websites. Um, I think, you know, one aspect of it, I can kind of understand. Um, you know, we’ve seen IP intelligence tools where you go to a website and never fill out your information.

And then all of a sudden you get an email from that company saying, oh, you looked at this couch. Um, here’s a 10 percent discount on it. And, uh, that’s happened to me before. [00:20:00] And it is so creepy. It’s like the creepiest thing of all time, at least to me. Um, and some of our employees have experienced this too.

And it’s almost frightening. Cause you’re like, but I never gave you my email. Like, how did you find me? And then it happens so quick where you can clearly connect it. Like I clearly just was on this website and now I’m getting an email. Like, and I never submitted a form or anything. Um, so, and I’ve seen some simple lawsuits for healthcare websites as well, which makes sense because you don’t want to share that data with, with Meta, but we’ve also seen, uh, websites getting sued for, um, just regular websites getting sued, not medical.

Um, so it’s, it’s a very interesting time right now with this, with these old laws. Um, so adapting these, these old laws to the modern world, um, you know, what are the pros and cons of utilizing privacy laws in this way? Um, I think one of the bigger pros is that it allows individuals the [00:21:00] right to bring action.

Um, mainly, you know, HIPAA, uh, COPPA, um, those, those types of laws, you can bring a right of action either directly or through the state AGs. So I think that that’s, that’s a big pro of using them. However, the cons, I think, in my opinion, outweigh the pros, because it’s at best a patchwork fix that’s not cohesive or efficient.

Um, and it leaves the issues up to the courts, which a lot of their holdings can be inconsistent with each other, depending on which district you’re in. So, yeah, that’s very true. And I mean, CIPA is for California residents only. So if I’m a resident of Illinois, I don’t have these rights, you know, like I can’t ask them to do these things or to stop tracking me or not track me without my consent, I have nothing.

Um, versus if you’re a resident of California, you can do all these things. Um, you know, then a part of me hopes that we do get some kind of, you know, comprehensive [00:22:00] law that covers all of the United States. And we don’t have to deal with all of this anymore. Uh, and I can say that I’d be very excited to get privacy rights.

Yeah, me too. I’m now lucky that my home state of Texas has passed a law, but for, for a while there, I wasn’t able to, you know, access my information or request to delete it because it was only applying to California and a few other states. So, yeah, well, the issue too, is that, like, for example, in Texas, Texas privacy law does not apply to small businesses, right?

So it’s not even all websites that you can exercise this right with. So maybe I’m able to exercise it with Amazon, but not like a local store that you go to. Right. Yeah. Um, so the lack of a comprehensive federal privacy law, it’s also causing difficulties, uh, for people doing business internationally, um, you know, storing data in the U.S. or transferring data to the U.S., um, [00:23:00] why is that the case?

Uh, I believe it’s cause you can’t really get an adequacy decision, uh, since many states still don’t offer protection. If there was a federal law, it’d be a lot easier to be able to do that. But since a lot of the U.S. frameworks were stricken down, um, you kind of have to go state by state and make sure you have at least a minimum amount of protection in each one of them.

Yeah, I, um, once heard that it was being discussed for California to obtain an adequacy decision on its own without the remainder of the United States, which just seems so ridiculous. What business in California is not transferring data to another state? You know what I mean? Like there’s no way that every single software that you use to store data is located in California.

Right. And I’ve, I’ve worked for companies that, you know, are based in a certain area, but have data all throughout the U.S. And so it’s hard to tell, you know, what laws would [00:24:00] apply or anything like that. So I can understand why we don’t have any adequacy decisions. Yeah. Yeah. For us, like we store all of our data in the Netherlands and then,

you know, we don’t start in the U.S. which is crazy for U.S. based business to have to store it outside of the U.S. Um, and then every single vendor you do, you have to do, like, extreme due diligence to figure out where they’re transferring their data to. And, I mean, having an adequacy decision, let’s say so much time and so much money for everyone involved.

Agreed. Yeah. Um, can you tell us a bit more about the state privacy law patchwork? Sure, so, kind of how we’ve already been discussing, it’s a set of privacy laws passed by each state. Um, I think currently there are 19 states that have passed laws, and I think 11 will take effect within the next two years, up to 26.

Um, there are six that currently have active bills. So roughly half of the [00:25:00] states are now at least somewhat addressing privacy. So when you have half the states that do and half the states that don’t, uh, it’s a very patchwork function. Yeah. How tired are you of the patchwork? Uh, very tired. I cannot wait for a federal privacy law.

It’s terrible. It’s like every time a new state passes a privacy law, you have to spend like weeks figuring it out. Like Rhode Island just passed theirs and I’m working on like adding it to our privacy policy generator. Well, like every other state, it has two different sets of requirements. Like one for small business and another one for large business.

But the best part is that you can tell it was like a quick and dirty draft because for small businesses, they have a list of privacy policy disclosures that you need to have. But then for large businesses, they don’t have like a separate list of like things they additionally need to have. So you’re kind of just like [00:26:00] left on your own to try to figure it out.

Or you’re like waiting for regulations to interpret the law. And it’s just like, Why, why are we doing things this way? Right, exactly. That’s, that’s one of the major consequences of this type of type of patchwork. Yeah. And I think for consumers too, it’s very confusing, right? Like I live in Illinois, but then I moved to Texas, like, but I haven’t changed my driver’s license yet.

So like, how do I prove that? I’m a Texas resident now and I have these rights or, you know, let’s say I’m on vacation in another state. Do I have these rights or do I not have these rights? You know, it’s very confusing. Right. And I even, uh, uh, I’m sure, you know, cause you and I went to law school together, but I was in Illinois for three years, um, going to law school and then I moved back to Texas.

And then I got a notification a few years later about the, um, I think it was the Meta, uh, Illinois biometric [00:27:00] act, um, settlement. And so I, I was getting notification of that all while sitting in a state that didn’t have protections yet. So it was kind of interesting to see. Yeah, it’s, it’s really wild and it’s really confusing.

And I think for, for privacy professionals, it’s very frustrating for businesses. It’s very time consuming and expensive. And for consumers, it’s very confusing, you know, and versus Europe, you have one set of rules that are mainly the same country to country. Maybe you have some like tiny differences here or there, but

you kind of know what’s going on, uh, versus here. It’s, it’s this patchwork disaster that we’re all dealing with. Um, hopefully for not much longer, but seeing how difficult it is to pass a federal law. I don’t know. I don’t have big hopes. Yeah. Well, we’ll see how it goes. It’s, it’s probably not the most pressing issue for some, but I definitely would, would think that it’s a very important issue to, to put up in the next Congress. [00:28:00]

I hope so, too. Um, so in the U.S. with a patchwork, we generally have an opt out approach. Um, so data can be collected, used, shared, sold, unless an individual tells the business to stop. Why is this problematic for privacy and for consumers? So I would say that it’s problematic for individuals that may not know that the business has even collected their data.

Or the reasons for collection might not be as clear, or the purpose for collection could change without the individual’s knowledge. So, if PI can be shared and sold to others without explicit opt in, then there’s no telling where the individual’s data may be. It could be in the hands of data brokers, or, you know, any other third party that didn’t get the original permission to process the data.

Yeah, I think a lot of it is it’s kind of too late, right? So once your data is sold, it’s already sold, resold, resold to somebody else. And then [00:29:00] you opt out and it’s like, but it’s already been sold. So really it’s like the train has left the station already. Um, same thing with sharing it with third parties, you know, it’s already been shared, they already have that data, you know, and in some states, you know, you can opt out of the sale of data, but maybe the business is not obligated to inform the people who you’re already sold the data to, so then they resell it.

And it’s kind of like the cat’s out of the bag already versus if we had an opt in approach. You know, you could decide whether or not it’s okay to sell your data. Same thing. Like you get all these spam calls and you ask them, you know, who are you calling from? Like, where are you calling from? What’s your company name?

And they just hang up on you. Or you say, can you delete my data? And they just hang up on you and they never delete it. And they continue calling you. Um, you know, the cat’s kind of out of the bag already. Um, I think an opt in approach would be better at least. I agree. Yeah. And I, I honestly think [00:30:00] that businesses should already be running an opt in approach just because I feel that that gives a little more consumer trust

and, and how you handle, you know, personal information. Yeah. That’s interesting that you bring that up. Um, I’ve seen a lot of studies on privacy as a competitive advantage, um, you know, where consumers are so fed up with these terrible privacy practices that they switch to companies that have better privacy practices.

So maybe offering those rights to everyone, regardless of their location or doing an opt in approach can actually win you business, which I think would be interesting. Yeah, it’d be interesting to see if, um, things like sustainable businesses that get business because they’re sustainable and green, if that’ll be the same thing for privacy in the next few years.

Yeah, that’d be really cool to see. Um, so it looks like with the most recent privacy laws in the U.S. they’re mainly concerned with targeted ads, profiling the sale of data. Um, do you [00:31:00] think that legislators are correct in focusing on these items or should they be focusing on something else? I think they’re focusing on the right items because like we had said earlier, they’re the most important and top of mind items for the public right now.

So I think that that’s what they should be focusing on, on the sale of data. Um, it’s important because we’ve been seeing increasing awareness of consumer knowledge on sale and transfer and what exactly that means. Um, it’s important to focus because unlimited data sales can transfer data to parties without the consent like we were talking about, meaning that it could be spread throughout the Internet.

And so I think a lot of people are starting to see that when they sign up for these, um, these services that can get rid of your data on the Internet. You see just how many different data brokers have your information and just how many they have to search. And so I think getting that, that knowledge, [00:32:00] you know, having that knowledge in your constituency then pushes the legislators to focus on that, that specific thing.

I think I really need to sign up for one of these services that tells you like where your data is and get somebody to like at least try to delete it. Um, I think that would be really, really interesting to see, but I don’t know how that would work with somebody who like doesn’t have privacy rights. You know what I mean?

True. Yeah. Well, especially they have to continue chasing the data too, because it’s probably going to come back to those data brokers every once in a while. Yeah, it’s kind of insane when you do like data protection assessments, and then you look at their documentation and they say, okay, we share data with these five parties.

And then you look at these five parties and then they share data with 10 parties, and then you’ll look at those 10 and it’s like, it just explodes. It’s almost like if you give data to one company, everybody has it now. Right? Yeah. Sadly, [00:33:00] that’s the truth. Do you find that certain U. S. privacy laws do not really match consumer understanding of privacy?

Um, specifically, I’m thinking about the definition of sale of personal data and how consumers see it versus how it’s written in the law. And, um, you know, what are the pitfalls that can arise out of that? Um, I’ve seen some misunderstanding on, like I said, the sale of personal data because it can include sharing or disclosing data for monetary or quote unquote other valuable consideration.

So that can include sharing in exchange for services, for customer insights, trends, other types of benefits. And this could be, and does, confuse consumers who may think that monetary value just has to exchange hands for the sale of data. So a lack of consumer understanding could prevent them from looking to take action as a sale may not be a traditional sale that they think.

Yeah, that’s [00:34:00] one of my biggest frustrations with recent privacy laws is that kind of misalignment as to definitions. Um, I think it really shows that they didn’t really talk to a lot of consumers about this, um, because yeah, for most people, when you think of sale of data, you think, okay, they give their email list to data broker and get X amount of money in exchange, but that’s not necessarily what that means according to the law, and I think a lot of companies are trying to strike that balance.

Like you’ll go to a privacy policy and it’ll say, we don’t sell your data in the traditional sense, but we do, um, quote unquote, sell it because we have analytics or whatever, you know, and that’s very confusing because as a lawyer, like you can understand what they mean, but as a consumer, it’s like, well, you don’t sell data, but you do sell it.

Like, what? You know, so I, I think it’s very confusing and, and I think it should have been done differently. Um, same thing with like share, disclose, you [00:35:00] know, every single privacy law has been using share for the last decade, but now for California, it means something else. Now you have to say disclose, um, you know, and it’s, it’s very frustrating.

Absolutely. That’s true. Yeah. It’s, uh, not fun. Um, so in the U.S., um, you know, you have privacy laws that are usually enforced by state attorneys general, the Federal Trade Commission, maybe the CPA, um, though they can be enforced or lawsuits in very limited circumstances, like we talked about, um, do you think this system is adequate to ensure that privacy is fully protected?

I would say that allowing enforcement by the attorneys general and the FTC is a good first step. And ensuring that companies who don’t adequately protect PI can be, um, you know, for lack of a better word, punished. Um, but this step should be the absolute minimum. So I would think that allowing for a private right of [00:36:00] action, while it may be more onerous to businesses, it would allow these individuals to assert their own cause of action and take the breach of their privacy rights seriously, and they would take it into their own hands. Um, it would also require businesses to take more notice of how they handle PI, because if you can get individual actions come in, coming in against you, you’ll, you’ll take it more seriously and you’ll, you’ll treat that data with respect, especially because you can get hit with a monetary fine.

Yeah, I think that’s why we’re seeing so much press and interest in the Video Privacy Protection Act and SIPA as well is because those allow private right of action. So everybody’s just worried about getting sued. So they’re stopping those privacy invasive practices, um, or they’re adjusting how they do business or how they treat that personal information.

Um, it would be nice to see that with other privacy laws too, because, you know, state attorney general, the FTC, they [00:37:00] have, you know, thousands of cases, thousands of complaints. They have thousands of things that they’re looking into. They don’t necessarily have the bandwidth or the resources to investigate every small privacy complaint, you know, investigated if there’s, you know, a lot of people whose data has been breached or whatever.

Other than that, they might not have the resources to do anything. So maybe, you know, having, you know, something similar to data protection authorities where that’s their only focus like they did in California or having a private right of action, I think would be great. Um, as long as there’s more resources provided to businesses on how to comply.

Right. Yeah. And you know, like a grace period and stuff like that, that would be very helpful for small businesses. Yeah. Do you find that a lot in your work where, you know, you have the text of the law and then there’s nothing else. Like there’s no other information from the state as to how to comply or what these things mean or what to do.

Yeah. Oh [00:38:00] yeah. I, I, if I, if I had a nickel for every time I had to try to, to figure out what exactly they mean in that small text, then yeah, I’d be a very rich man. Um, I think there are privacy, uh, functions in states where you can reach out to them if there’s any ambiguity about the law, but they, they take a long time to get back to you.

And by that time, you don’t need to know it. So I think if they had, if they had better resources, like you said, it’d be a lot easier. I’ve had to do that multiple times in reaching out. And it’s so interesting, like the difference that you see. So, you know, let’s say you have a question about Canada’s privacy law, you send them an email, they write back within two days with like a thorough answer that exactly answers your question.

And then you try to do the same thing in the US, like send something to California’s AG office. And you can get a response six months later saying, we can’t provide you with legal [00:39:00] advice. Right. And in my letter specifically said, I’m not looking for legal advice. I’m just looking for general information.

Um, and that’s what they respond with. And it’s like, well, how can you apply fines when you provide no information as to how to comply? Right. Yeah. And I think they think that just allowing the law to be out there and have a public comment time is adequate enough, which it just isn’t. And also like nobody has the time to read 50,000 pages of public comments that weren’t answered.

You know what I mean? And it’s like, I don’t have the time for that, but if you could provide like an FAQ or answer basic questions, you know, that’d be really helpful. Um, but we don’t really see that here yet. So, right, exactly. Yeah. Um, so what do you hope to see as a privacy professional in the, in the United States in the next few years?

Well, I think this has been the overarching theme of this podcast, uh, episode is closing the loop on [00:40:00] the patchwork, you know, map and having federal legislation. I think that it would not only make it easier for companies and, and their compliance departments, but also for the American people, I think just kind of knowing what kind of data is covered, what you can do with your data.

Um, even if you don’t read the law, there’s going to be people out there that explain this to them and they’ll, they’ll come to understand that maybe their data isn’t so safe after all, and they could take steps to make that easier. Absolutely. I really hope to see that too. Um, I think there’s going to be a lot of champagne bottles being popped when we get a federal privacy law.

I hope so. Because they’re all going to be hopefully super happy that this patchwork is over, but I’m just hoping they don’t make it worse. Yeah, me too. I guess we’ll, we’ll just have to wait and [00:41:00] see. Absolutely. Um, so Darin, thank you so much for taking the time to speak with me today about privacy in the United States.

Um, and to our listeners, make sure to subscribe to the podcast so that you do not miss our next episode.
