Current Privacy Actions Across States, Congress and Executive Branch

Data privacy has proven to be one of the more difficult policy issues to oversee and legislate. Not only is there a privacy paradox in which consumers state they care about privacy but do not change their behavior to match, but they often lack insight into the personal data that technology companies have and what they do with it. This is especially telling with data that mobile telecommunications companies generate from cell phones, because they need to know their users’ locations (at the very least) for their services to work properly. With the Supreme Court’s decision in Dobbs v Jackson Health Center, there has been increased concern that women’s healthcare activities could be discerned from their location data. Federal policymakers are tackling these issues from multiple angles.

The FTC has pledged to double down on preventing the illegal sharing of sensitive health data generated by mobile devices. This follows its longstanding governance of information privacy, which it has enforced throughout the years by suing Facebook over some of its practices, creating privacy labels for app developers, and most recently, filing an Advanced Notice of Proposed Rulemaking to “crack down on harmful commercial surveillance and lax data security” with health care data.

However, as this data is shared through the Internet, the FCC, which generally oversees the telecommunications industry, also has jurisdiction in this space. Telecommunications companies have also been known to commercialize consumer mobile phone data, and in 2018 security researchers found that several of them were disclosing consumer location data to third parties that weren’t authorized to receive it. (Specifically, A-GPS data that is typically used for emergencies.) In 2020, the FCC proposed fining them over this, but ultimately did not.

While government agencies determine whether and how to regulate use of data by private entities, these agencies have also faced criticism around their own access to consumer data. For instance, the US Department of Homeland Security purchased vast troves of location data on US citizens without a warrant. The FTC’s recommitment to cracking down on illegal health data sharing was likely the impetus for the FCC to send an inquiry to major wireless providers regarding the collection, storage, and processing of customers’ geolocation data. (However, the FCC has never explicitly mentioned women’s health as the reason for this inquiry.) These included large companies like Verizon and Comcast, virtual network operators like Mint Mobile, and even telehealth providers like Best Buy Health. FCC Chairwoman Jessica Rosenworcel stated in her letters that the FTC found that mobile ISPs collected more data than was necessary to provide service and more than consumers expected.

On August 25, the FCC shared the companies’ responses. The carriers collect information about the closest cell tower, latitude and longitude, cell IDs/IP addresses, etc. They do so in the name of business models (e.g., advertising), providing services through unique apps and managing their network. These companies retain data from as little as 90 days to as long as 5 years. When asked how they protect this data, the companies reference their privacy policies and employee training. The US-based companies indicated that their data is processed in the US, but telecommunications companies with an international presence may process the data at any of their centers worldwide. Some companies stated that it takes about two months for them to fully delete users’ data once they unsubscribe.

Verizon and AT&T indicated that they had ended relationships with third parties to whom they formerly sold data, while T-Mobile US said that it never sells geolocation data to third parties. The carriers also indicated that users (save for those in California, which passed the California Consumer Privacy Act) could not opt-out of most of their data collection practices, or out of carriers sharing data with third parties (law enforcement or otherwise). They also do not notify users when sharing (even in the aggregate) occurs. While many of these activities are similar to one another, there is significant variation in how carriers protect and use consumer data. The letters are not the end of the story – the FCC’s enforcement bureau will be further investigating the carriers to ensure they properly disclose their practices.

However, the degree to which the FCC can enforce data privacy going forward remains a significant question. While the bipartisan America Data Privacy and Protection Act (ADPPA) did not pass in this most recent Congressional session, it included a stipulation that only the FTC can enforce data privacy. Furthermore, another provision in the ADPPA stated that many FCC rules “shall not apply to any covered entity with respect to the collecting, processing, or transferring of covered data under this Act.” Experts are concerned that preempting the FCC, which has years of experience in data privacy, will do more to harm privacy enforcement than help. The FTC also has fewer tools and legal capabilities than the FCC, such as being able to hold carriers responsible like the FCC has without going to court. But even if a bill like the ADPPA were to pass, the FCC and FTC have cooperated on enforcement in the past.

Regulating and enforcing data laws have proven difficult. Data brokerage, or the buying and selling of large swaths of consumer data, was a $240 billion industry in 2021, indicating just how much some organizations are willing to pay for such information. The amount of money brokers can make from particular datasets varies wildly, ranging from $1-4 per user per year to a reported payment of nearly $600,000 to media intelligence company Anomaly Six. Likewise, it is very difficult to know how much data a particular broker may have about an individual, but in 2013, the Government Accountability Office published a report on data brokers. Large brokers like Acxiom and Experian indicated they had not only individual personal data like name and address, but wealth indicators, music preferences, ailments, and even visual impairments. Because the sources of these datasets are unknown, it can be very difficult to curtail their systematic and robust collection, legally or technically.

In addition to the ADDPA, many members of Congress have attempted to tackle this issue directly. Last year, Senator Ron Wyden (D-OR) and others introduced the bipartisan 4th Amendment is Not for Sale Act. While consumer advocacy groups have called on Congress to pass the bill this year, so far the bill has not moved forward. Existing federal privacy laws only focus on particular subsets and types of data, leaving data transactions outside of certain specialized fields like health or finance completely unregulated at that level. Additionally, in his first State of the Union address in March, President Biden discussed banning targeted advertising to children, and mentioned the topic at a White House listening session in September. There are now two bipartisan bills in Congress, the Kids Online Safety Act and the Children and Teen’s Online Privacy Protection Act, that address children’s data privacy. There are also a number of state laws specifically focused on consumer data privacy, and the California and Nevada laws allow consumers to opt their data out of the sale to third parties. More laws with similar provisions will likely come into effect next year. Our privacy policy tracker has a visual representation of states with privacy laws on the books.

While data privacy is a thorny and multifaceted issue, these initiatives from agencies, the President, and federal and state legislatures indicate that comprehensive privacy laws and enforcement remains a priority. Those who hope for cohesive privacy legislation that covers the totality of online data may soon get their wish.