Data privacy is a big public concern. Will Congress answer with a law?

A computer with Facebook ad preferences pages in San Francisco on March 26, 2018. California passed a consumer data privacy law in 2018 that went into effect last year. Now, other states and Congress are considering legislation.

Jeff Chiu/AP/File

October 8, 2021

Your “friends” online? Check. Your shopping habits? Check. Your credit card or other online payment information? Check. Some of America’s biggest, richest companies are custodians of that data.

American consumers display plenty of ambivalence about this – showing little reluctance to sign up for no-fee apps and web tools that earn money by using their data for targeting ads.  

At the same time, the public is worried – enough so to heavily support legislation to safeguard online privacy. And a tide of data hacks adds to the urgency. T-Mobile and retailer Neiman Marcus are two of the most recent data-breach targets involving millions of customers. 

Why We Wrote This

Ohio resident Amy Krebs knows firsthand about the damage that invasions of privacy can bring. Concerns from people like her are one reason there’s momentum in Congress for a possible federal law.

Amy Krebs is an Ohio resident who has seen up close how personal data can be compromised. Eight years ago, soon after the Obama administration passed a privacy “bill of rights,” a set of voluntary guidelines for companies to follow in order to protect consumers’ privacy, she received a phone call from her credit card company. Her name and financial information had been stolen. 

“I couldn’t believe that this could happen,” she says. The culprit used Ms. Krebs’ information at banks, for credit card purchases – even for a subscription to the local newspaper.

Why many in Ukraine oppose a ‘land for peace’ formula to end the war

Now, despite the difficulty of legislating in a highly polarized Congress, the push for a nationwide consumer data privacy law has gained momentum. Privacy experts say a federal law could establish broad new protections for the American people and reconfigure the power dynamic between consumers and companies, which historically have used people’s information as if it belonged to them. Three states – California, Virginia, and Colorado – have now passed data privacy laws that, in effect, say otherwise. 

“We’ve always operated in the U.S. as if the data did not belong to the individual,” says James E. Lee, chief operating officer at the Identity Theft Resource Center. “So this is a huge shift that’s underway.”

Multiple data privacy bills have been proposed in Congress over the past couple of years to clean up the mess, and at least 30 states have considered their own legislation. 

Support is bipartisan. “Americans deserve to have their data protected,” said Mississippi Republican Sen. Roger Wicker, at a hearing on data privacy Sept. 29

“I do think the moment is here,” Democratic Sen. Maria Cantwell of Washington said on Oct. 6.

In the race to attract students, historically Black colleges sprint out front

Rising pressure on Big Tech 

The push for a law comes as technology companies face criticism on multiple fronts – the latest example being a whistleblower who appeared on Capitol Hill on Oct. 5, testifying that Facebook has ignored​ internal evidence that its content-sharing business models are having harmful effects on users.

A privacy law would address just one of the concerns about Big Tech – but an important one. Mr. Wicker, the top Republican on the Senate Committee on Commerce, Science, and Transportation, introduced a federal data privacy bill earlier this year. Ms. Cantwell, who now chairs the committee, introduced a bill of her own in 2019.  

Democratic Sen. Maria Cantwell of Washington speaks with Roger Wicker of Mississippi, then-chairman of the U.S. Senate Commerce, Science, and Transportation Committee, during a hearing on Capitol Hill, Jan. 26, 2021. Ms. Cantwell is now chairing the committee, and Mr. Wicker is the ranking Republican. Both want a federal data privacy bill.
Tom Williams/Reuters

“The conversation has become much more sophisticated over the last couple of years, which is helpful,” says Stacey Gray, senior counsel at the Future of Privacy Forum. “There’s room for compromise.”

One point of contention is whether a federal law should preempt, or override, state laws. Many Democrats prefer letting states pass tougher laws if they want. Another sticking point is whether the bill should include a private right of action for individuals to sue companies that violate the law. Mr. Wicker is wary of this unless the scope is limited. 

But the bills, including those at the state level, “come down to the same basic principles,” says Mr. Lee, of the Identity Theft Resource Center. 

“You have the right to know who is collecting information about you, what information is collected, and then depending upon the purpose of that information, you can then request that it be deleted or you can request that it be corrected if it was wrong,” he says. 

Those steps could be a big help for people like Ms. Krebs, who works for a nonprofit community foundation and now runs a blog to help others who face identity theft. 

She emphasizes, also, the importance of corporations maintaining records that are correct. 

“Before we can go and talk about privacy laws, either at the federal or the state level,” she says, “we need to talk about accuracy.” 

In her case, fictitious identity-verification data from the criminal denied her access to her own credit reports. She estimates that the criminal used her information at about 80 places. 

When Ms. Krebs got the call about her information being stolen, she didn’t know what to do. After researching online, she found that very few people had spoken out publicly about identity theft. 

“One of the natural responses you have is to be even more hidden because you feel a swell of different emotions,” Ms. Krebs says. She decided to call local police in North Canton, Ohio, and file a report. 

Accessing her credit reports was a next step, but the thief had already changed the reports’ confirmation questions with incorrect information. 

“There needs to be ability for the consumer to challenge information if they find it to be inaccurate,” she says. 

The number of identity theft reports went from about 650,000 in 2019 to over 1.3 million a year later, according to data from the Federal Trade Commission, the nation’s privacy enforcer. 

That may help explain widespread popular support for a federal privacy law, spanning party lines. 

More than 8 in 10 voters said Congress should prioritize privacy legislation, according to an April Morning Consult poll. That included 86% of Democrats and 81% of Republicans who said Congress should make privacy a “top” or “important but lower” priority in 2021.

Some companies including Facebook, which had over 500 million users’ information posted in a hacking forum, are calling for a federal law instead of a patchwork of state statutes. 

The president, apart from a couple of lines in a July executive order, has been largely silent on the data privacy issue since taking office, but he did nominate a privacy advocate to a seat on the FTC last month.   

“Within shouting distance of each other”

Cameron Kerry, who served as acting secretary of the Commerce Department during the Obama administration, says the United States is an outlier as a major economy without a data privacy law. 

“The key Democratic and Republican bills are within shouting distance of each other,” says Mr. Kerry, now a visiting fellow at The Brookings Institution. “Congress should act.”

On Sept. 29, Senator Wicker called for the president to appoint a specific senior staff person in the administration to work with Congress to pass a law this year. And last month, nine Senate Democrats urged FTC Chair Lina Khan to begin a rule-making process to protect consumer privacy “in parallel to congressional efforts to create federal privacy laws.”

Ms. Gray, of the Future of Privacy Forum, says federal legislation could have both visible and invisible benefits. Consumers could see what data of theirs a company holds. And the “invisible” help: The law would call on companies to better secure customer data. 

Data minimization and limitation requirements, similarly, would reduce the amount of data being saved on corporate servers or sold for uses beyond the original reason for collection. 

“The success of [a new] law, no matter how it comes about, is also going to require individuals to actually utilize the rights that they’re getting,” says Mr. Lee, “because if they don’t, then it’s as if we have no law at all.”

Even eight years later, Ms. Krebs is still dealing with the effects of the theft, despite the culprit being tracked down and charged with a felony through the work of local detectives.

“It’s insane the amount of hours that go into this,” she says.