Americans want more control over their data, but little is being done at the federal level to update regulations for the digital age. Here's what some state IT leaders are doing to fill the gaps.
In spring 2018, European nations put into effect sweeping privacy standards known as the General Data Protection Regulation, or GDPR. The move gave consumers far greater control over how their personal information is gathered and used. GDPR also shined a harsh light on the lack of privacy controls here at home. Except in some select cases — primarily in health care and education — U.S. citizens don’t have much say over how the personal information they share with corporations or even government entities is utilized.
Some want the federal government to act, and since that isn’t happening anytime soon, states are beginning to take up the slack. The reason is simple: Americans want more control over their data. A study by technology provider Akamai found 66 percent of those surveyed want the U.S. to adopt GDPR-style rules. Most people think the responsibility lies squarely with government. A recent survey by software provider SAS found 67 percent of those polled said the government should do more to protect their privacy.
Privacy advocates say government should implement some basic requirements. “We want to be sure that people have a right to know what data companies have collected about them,” said Hayley Tsukayama, a legislative activist for the Electronic Frontier Foundation. “We would also like to see the sale or sharing of data be an opt-in activity, where right now it is opt-out. We also talk about the private right of action, that consumers should be able to take companies to court if they violate their privacy rights.”
The issue of data privacy is deeply linked to Internet use, which means it is inherently a component of interstate commerce. That lands it squarely in the jurisdiction of federal legislation — or at least it should. Congress, however, has so far failed to act.
In the current political climate, “the federal government has made themselves functionally irrelevant to so many of the pressing public issues of our day,” said Washington state Sen. Reuven Carlyle. “Even if Congress decided to do this tomorrow, it would still take them five years.”
Rather than wait, Carlyle and other state leaders have stepped up to assert control over what many perceive to be an urgent situation. That’s as it should be, at least according to some experts in the field.
“Where gaps are identified in the laws that aren’t covered by federal regulations, states should have a duty to protect their residents,” said Jay Trinckes, a principal with security consultancy NCC Group. “This includes passing stricter laws on privacy and enforcing these laws to protect their residents’ rights. States should develop guidelines and standards along with providing paths to assurances that organizations should be required to abide by in protecting their consumers’ data privacy.”
In fact, states may be better positioned than federal authorities to move in this complex area. They have flexibility to try new policies and be a little more experimental, according to Aleecia McDonald, assistant professor of practice at Carnegie Mellon’s Information Networking Institute in Silicon Valley. “States can often update laws in a faster, more agile way.”
A case in point is the state of California. When the California Consumer Privacy Act (CCPA) becomes effective in 2020, it will give that state’s residents sweeping new protections. They will have the right to:
The law applies to any business that either has annual gross revenues in excess of $25 million; holds personal information on 50,000 or more consumers; or earns more than half its revenue from selling personal data.
Rapid technological advances made the law necessary, according to state Sen. Bob Hertzberg, who introduced the legislation behind CCPA. “In the old days, privacy was a peeping Tom or somebody getting your mail,” he said. “Today there is the ability to analyze everything about your life, to follow everywhere you go at all times.”
He pointed to marijuana legislation as an apt analogy for privacy rights. The federal government is too big and too slow to move on cannabis, so states have stepped into the breach. With GDPR as a model, states now have a similar opportunity to give consumers greater control over their personal information.
For states that cannot muster the political will to craft legislation on par with CCPA, there is still plenty of room to make incremental improvements, according to Hertzberg. “You can start with the right to tell the companies not to sell your information. You should be able to say, ‘No, it’s my information. You can’t make money off of me,’” he said.
Before looking to regulate how corporations leverage consumer information, some chief privacy officers and their partners in state IT are working to ensure that personal data held by the state is handled appropriately. Since becoming the first chief privacy officer of Arkansas in 2018, Jennifer Davis has scrutinized every new piece of legislation to ensure government is not being too heavy-handed with personal data, and has worked with sponsors where necessary.
'Privacy by Design'
Ann Cavoukian was Ontario, Canada’s information and privacy commissioner for 17 years. Now an expert-in-residence at the Privacy by Design Centre of Excellence at Ryerson University, she is the creator of one of the core elements of Europe’s General Data Protection Regulation.
“Privacy by design” is a foundational model for data management. It says in effect that privacy is the default, that your data belongs only to you and, if you give it away, it can only be used for a specific designated purpose.
“Your customers and your citizens don’t have to ask for privacy,” she said. “You give it to them automatically as the default setting; they don’t have to search for the ‘opt-out’ box.”
Such a model helps to build trust: Consumers and citizens have an inherent understanding that there will be strict limits on how data is used and how it is shared. It’s not a model embraced by all, however. “The lobbyists for Facebook and Google don’t want it,” Cavoukian said.
“They might say they do, but really they feel this would curtail their business, which right now involves doing whatever the heck they want with your information.”
The power to hold, share or dispose of personal data should rest with the individual, she says. People should be able to amend or erase their information. They should have the right to be forgotten entirely, or to move their data from one repository to another.
With the rise of GDPR, and with growing consumer concern about commercial uses of public data, the time may be ripe for a broader implementation of privacy by design.
“The political clout is there. There has never been as much concern for privacy as there is now,” she said. “If a state government wanted to do this, their citizens would be on their side in a heartbeat.”
Recently, Davis reviewed a state plan to adopt monitoring software intended to prevent overbilling on contracts with state agencies. The tool would take screenshots and monitor keystroke activity among contractors who work with the state. “That sounds like a prudent way to manage state funds, but there is no way you can do that without capturing personal data, and we spoke against that,” she said.
To better safeguard privacy, Davis has worked to shrink the data profile across state agencies. She advocated for legislation that cut the governor’s direct reports from 42 down to 15 individuals, with an eye toward streamlining data management. “That will give me 15 people to work with, rather than having to work with all the individual boards and commissions,” she said. “There will be opportunities for greater data sharing, but it will be in a more controlled environment.”
Right now, every state agency in Arkansas sets its own terms and conditions for information use. Davis wants to develop tighter controls that all agencies should follow. “It may mean that you cannot sell this data to others, that you cannot use this data beyond its intended purpose,” she said. “We want those to be consistent across the whole state.”
While Davis’ structural initiatives are helping to safeguard state-held data, others who have tried more ambitious projects have been less successful. In Washington state, lawmakers this spring failed to capture enough votes in the House to pass a measure similar in scope to California’s privacy act, even though it passed overwhelmingly in the state senate.
Carlyle’s bill would have given consumers in Washington the right to know what data was being collected and whether it was being sold to third parties. Companies would have been required to let consumers fix inaccurate data, delete personal data and opt out of having their data sold. Opponents alleged that Microsoft and other tech giants had literally helped write the bill and had watered down protections.
Carlyle described a year-long collaborative process with industry that eventually won Microsoft’s endorsement of the bill, which he said would have benefited the tech industry as well as consumers. “When you have bad actors, it implodes the ability of the public to have confidence. Everyone should be in favor of having clear lines of authority and accountability,” he said.
While he’s vowing to bring up another privacy bill next year, Carlyle laments that those who advocate for more stringent regulations may be setting too high a bar.
“Many in the privacy advocacy community have made the ‘perfect’ the enemy of the ‘good.’ Legislation is by its nature incremental, but many consumer advocates want a categorical approach, a model where all data at all times resides within the power of the individual,” he said.
For example, Carlyle pointed to calls for legislation that would apply restrictions and penalties to any business, of any size. Better, he suggests, to go after the big fish. “What we are looking for is patterns of abuse and systemic issues,” he said. “We are not trying to go after the local grocery store that sends an email inappropriately.”
Even states that restrain their ambitions may face hurdles in trying to regulate data privacy, said Kristina Podnar, author of the new book The Power of Digital Policy. They may experience:
Arkansas Chief Privacy Officer Jennifer Davis is working to establish consistent privacy standards across all state agencies.
Even before trying to address commercial practices, states can address data privacy by ensuring proper handling of the information contained in state IT systems. This begins with concepts around data minimization, least privilege and need-to-know access rules.
“You need to bake those into any new solution and push those as a cultural mindset among the government employees, so they don’t get numb to the sheer magnitude of personal information that they see on a daily basis,” said Barbra Symonds, a director in risk advisory services at Grant Thornton. “It starts with that awareness that every single employee is a data steward.”
As legislators look to extend these same safeguards out into the public sector, state IT leaders should have a prominent place at the table. With their technical skills, they will be the ones to implement privacy legislation on the back end, and should therefore play a prominent role in ensuring that legislation is realistic in its goals.
IT experts “are typically at the forefront of leveraging evolving technologies for securing personal data; they have access to state-of-the-art tools, so they are well positioned to make a valuable contribution,” said Karen Neuman, former U.S. Department of Homeland Security chief privacy officer and now privacy lead at the law firm Goodwin Procter. “They have the expertise and the skill needed to engineer and manage those solutions.”
At the Electronic Frontier Foundation, Tsukayama envisions state IT taking a lead role in the formation of privacy policies. Technology leaders “understand what is fiscally possible and what is technically possible,” she said. “IT can make it clear to the policymakers: If you want this outcome, this is the sort of data we need, and we don’t need this. They can think carefully about what needs to be done, preferably with the least amount of data possible.”
Carlyle puts IT front and center in any major legislative push around privacy. “The need for technical skill in our public policy work is imperative,” he said, noting that CIOs can play a profound role in leading the development of public policy. “We in the public sector need those with the technical skills to be thought leaders and teachers as we talk about how to manage data better.”
Even with tech experts at the table, privacy is a tough nut to crack. There are competing commercial and individual interests. Data resides across a wide spectrum of private and public repositories. Even the few existing protections are siloed, with disparate rules for health, education and financial data. Some suggest it is time for states to come together around the issue.
“Maybe the states need to have a consortium to determine what is really applicable and what will best help citizens to keep their privacy intact,” said Lalit Ahluwalia, Accenture’s security lead for its state and local government practice. “We don’t need to be reinventing the wheel every time. There is a lot that states can learn from each other.”
By working collaboratively, state technology leaders could help regulators and lawmakers to make their privacy goals practical and realistic. “You will need to have controls in place; you need automation to make this effective,” he said. “You can define all the privacy laws you want, but you need technology to support the implementation. IT will be the ones who bring privacy to life.”