Privacy advocates called the law weak and too burdensome for consumers who want to opt out of targeted advertising or correct mistakes in their personal data, among other things. And like other state data privacy efforts, the law doesn’t apply to public agencies, which are increasingly falling victim to ransomware and other cyber attacks as more services go online.
“This industry-friendly law needs a lot of work to get to a place where it can meaningfully protect consumers in Iowa,” said Matt Schwartz, policy analyst at Consumer Reports, in a statement that reflected the general theme of the criticisms.
A dozen or so other states are considering their own data privacy protection laws even as Congress contemplates its own action, highlighting the apparent urgency of the issue. As all that unfolds, suppliers and users of government technology need to pay close attention not only to the debates and criticisms, but also to the lessons offered by Iowa and other states, and Europe as well.
Data privacy, after all, is a vital issue in all parts of the economy and society — including health care, law enforcement and academia — and any new laws promise to have broad impact over time.
WARM WELCOME
Sure, the laws and proposed bills tend to focus on consumer rights and retail activities — unsurprising, given the ubiquity of e-commerce, mobile advertising and digital banking — but there is little doubt that state and local agencies will have to adjust, directly or indirectly, to any new major data protection policies.
Plus, ongoing pressure to provide mental health services in law enforcement situations can involve personal data about, say, firearms and health care, noted Tim Boyle, chief customer officer at CentralSquare Technologies, which sells public safety software.
“Data privacy is incredibly important, especially in this current environment,” he said. “Guidelines are hugely important. Gray areas are not good.”
In fact, a clear federal law governing data privacy might find a relatively warm welcome within state and local government.
“It might give them a firmer foundation for them to trust the vendors they are doing business with,” said Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals (IAPP). “Basic privacy requirements will standardize the playing field and reduce the burden on governments as they suss out vendors.”
PRIVACY OFFICERS
Some of those governments are not waiting around for a federal law — more specifically, the proposed American Data Privacy and Protection Act, or ADPPA — before enacting their own protections. States and even some counties have hired privacy officers to build digital fortresses around personal data, among other tasks.
Such hiring has the support of the National Association of State Chief Information Officers (NASCIO), which in 2021 brought together state privacy officers to share their experiences, the first time the group had done that in person.
“Our No. 1 recommendation for this is for each agency to have a privacy officer, point of contact or champion,” said Amy Hille Glasscock, program director for innovation and emerging issues for NASCIO. “Some agencies, like health and human services, will need someone dedicated full time with specific health-care privacy law expertise.”
STATE PATCHWORK
Supporters of a federal law, the ADPPA, argue that it would provide better and more consistent data privacy protections than what is usually called a “patchwork” of state laws. The proposed law would require data “minimization” to lessen the chances of theft; limit the transfer of Social Security numbers, geolocation and biometric data; and give people the right to learn how their personal data is being used, among other measures.
Meanwhile, critics of the federal effort — reportedly including former House Speaker Nancy Pelosi from California — worry about stifling state-level innovation or passing relatively weak protections.
California has one of the most prominent such laws, the California Consumer Privacy Act, passed in 2018, which itself followed a pre-digital 1972 privacy rights amendment to the state constitution. Supporters point to consumers’ rights to opt out of the sale of their personal information and to delete their data as reasons why the newer law offers some of the most robust protections in the U.S.
“We’d love to see federal legislators acknowledge that states have taken the lead on privacy,” said Maureen Mahoney, deputy director of policy and legislation for the California Privacy Protection Agency.
Part of her mission, she said, is educating consumers about their privacy rights. A recent survey from the University of Pennsylvania Annenberg School for Communication showed that people in the U.S. have a relatively poor understanding of their protections — yet another challenge when it comes to improving data privacy laws.
“We take that responsibility seriously,” she said.
BIPARTISAN SUPPORT
Even so, awareness of the issues surrounding data privacy protections appears on the upswing in Congress, given that the ADPPA is the first such bill to pass committee markup, and has that rare thing in 21st century U.S. politics: bipartisan support.
The bill still enjoys “the same support it had in the House last year,” said Zweifel-Keegan, of the IAPP, though some committee assignments have changed since then. In late March, he told Government Technology that the bill should be “back on the radar” shortly, with the level of support remaining relatively high.
“Everyone says they want a privacy law, especially in lieu of having a patchwork of state laws,” he said, adding that in his view, the chances of the bill passing within the next one to three years are higher than 50 percent.
One of the main concerns about such a law and its potential effectiveness is that technological innovation could make the ADPPA outdated in a relatively short time.
After all, biometrics and artificial intelligence — to name just two of the currently hottest areas of tech research, marketing and sales — are making quick strides, with their roles within society and government not yet defined, and their drawbacks and biases still not yet fully understood.
“In the tech policy world, people talk about crafting a technology-neutral law,” Zweifel-Keegan said, “which is more based on certain kinds of outcomes” than specific tools and services. That could mean, for instance, a law that focuses more on best practices and precedent than the latest software or gear.
EUROPEAN LESSONS
One obvious precedent comes from the European Union, which implemented the General Data Protection Regulation (GDPR) in 2018. The law’s 11 chapters define the lawful purposes for which personal data can be used. It also gives people the right to withdraw or withhold their consent for those uses.
Since then, several countries, and California, have used GDPR as a model for their own data privacy protections.
The law has increased awareness among governments and companies about the need to protect data, which stands among the most successful outcomes of the GDPR, according to Rosa Barcelo, Brussels-based global privacy and cybersecurity partner at McDermott Will & Emery, a law firm. Individual awareness also has increased along with data protection rights.
Still, she said that the law could provide for more harmonization among the 27 data protection authorities charged with enforcing GDPR. As for what the U.S. federal government might take as a lesson from the law, she said that proper enforcement powers will be key for data privacy protection. That includes empowering individuals and NGOs to seek damages in court in order to encourage compliance.
Two other lessons also stand out.
“It’s important to legislate using principles that adapt to new technologies, to future-proof the laws, rather than being very specific,” Barcelo said, adding that it is better to have “one set of rules” than “diverging state laws.”
This story originally appeared in the June issue of Government Technology magazine.