It is not enough for government to pass laws that protect consumers from corporations that harvest and monetize their personal data. It is also necessary for these laws to have bite, to ensure companies do not ignore them. The best way to do so is to empower ordinary consumers to bring their own lawsuits against the companies that violate their privacy rights. Such “private rights of action” are among EFF’s highest priorities in any data privacy legislation.
For example, while there is a lot to like about the new California Consumer Privacy Act (A.B. 375 and S.B. 1121), a significant flaw is its lack of a private right of action (except as to some kinds of data breaches). We will work this year to amend CCPA to add consumer enforcement. The California Attorney General, who has the primary duty to enforce the CCPA, supports consumer enforcement, explaining:
The lack of a private right of action, which would provide a critical adjunct to governmental enforcement, will substantially increase the OAG’s need for new enforcement resources. I urge you to provide consumers with a private right of action under the CCPA.
Likewise, when EFF reviews the many federal data privacy bills that have circulated since the Cambridge Analytica scandal first broke earlier this year, one of our primary goals is to ensure that these bills include a private right of action. (We also work to ensure that any federal data privacy bill does not preempt stronger state laws.)
Consumer enforcement is part of EFF’s “bottom-up” approach to public policy. Ordinary technology users should have the power to decide for themselves whether to bring a lawsuit to enforce their statutory privacy rights. EFF itself has gone to court to enforce digital privacy statutes. We also have long advocated for private rights of action to be included in data privacy laws, among other kinds of laws.
This is how legislators normally approach privacy laws. Many privacy statutes contain a private right of action, including federal laws on wiretaps, stored electronic communications, video rentals, driver’s licenses, credit reporting, and cable subscriptions. So do many other kinds of laws that protect the public, including federal laws on clean water, employment discrimination, and access to public records.
Enforcement by government officials is a start, but not enough by itself. Agencies may fail to enforce privacy laws due to lack of resources. For example, the ongoing federal budget impasse shut down the FTC’s investigation of Facebook’s data privacy practices, including whether Facebook violated its 2011 consent order with the FTC. Agencies may likewise be hamstrung by competing priorities.
Further, there is the inherent risk of regulatory capture, meaning undue influence over an enforcement agency by the companies supposedly subject to its overight. The recent leashing of the federal Consumer Financial Protection Bureau is just one example of why we should broadly diffuse the power to enforce statutes that protect the public. In essence, if everyone has the power to protect their own privacy, then special interests will have a harder time using their influence to shield themselves from accountability.
Looking ahead, a federal data privacy law might be passed with great fanfare. It might have all the substantive rules that EFF has long sought, including opt-in consent to collect or share a consumer’s data, a right to know what data was collected, data portability, and information fiduciary duties for the companies that we entrust with our data. But without a strong enforcement regime, such a law will protect privacy in name only. The best privacy enforcers are ordinary people. Legislators should give them the power to defend their own privacy.