January 28 is Data Privacy Day. An October 2023 survey from the Pew Research Center found “72% of Americans say they have little to no understanding about the laws and regulations that are currently in place to protect their data privacy.” This is unsurprising, as a growing patchwork of laws continue to complicate privacy issues for both consumers and innovators. Additionally, these questions also likely impact not only the development of new technologies like AI but a growing number of industries that are using data in beneficial ways. Data Privacy Day should serve as a good reminder to consumers to check that they are acting on their own privacy preferences, but also to policymakers of the tradeoffs involved with overly restrictive privacy laws.
State of the State Patchwork Entering the 2024 Legislative Sessions
The patchwork of state laws governing data privacy has only grown since we last wrote about it. As of January 2024, 13 states have passed data privacy legislation. More states are actively considering it, and this will likely only continue to grow as the legislative session resumes. Unfortunately, this patchwork approach continues to create more problems in many cases than it solves by creating further confusion for both consumers and entrepreneurs.
This trend continues to grow in the absence of a federal standard. Two states officially passed new data privacy laws in the latter half of 2023. In July, Oregon’s governor signed into law the Oregon Consumer Privacy Act; Delaware signed the Delaware Personal Data Privacy Act in September.
In addition, three states — Maine, Missouri, and New Hampshire — currently have active data privacy bills that were introduced or re‐introduced in the latter half of last year in their legislatures. Overall, comprehensive privacy legislation was considered in at least 25 states in 2023, with over 60 bills proposed in total.
Is Data Privacy Legislation Beneficial or a Burden to AI Development?
Artificial Intelligence (AI) has recently become one of the most discussed topics in technology policy. Many of the debates that were already occurring, such as those about data privacy, have continued or expanded to include questions related to AI. Because AI is data intensive, many have concerns about privacy related to the data used in AI. At the same time, existing regulations may be hampering certain beneficial and benign developments of this important technology.
2023 was a model year for showcasing how the European Union’s regulatory regime under the GDPR can hinder the development or deployment of artificial intelligence tools. In April, Italy blocked ChatGPT for a few weeks to allow for the investigation of whether the application complied with the GDPR. Moreover, The Data Privacy Commission in Ireland halted the launch of Google’s Bard last June over concerns around its compliance with EU data privacy law. These occurrences, along with the general heavy‐handedness of the regulation, further weaken the floundering tech sector of the EU. With the EU’s initial passage of the AI Act in December 2023, the line between data privacy and artificial intelligence regulation blurs, and the burden on companies grows.
Notably, California has also considered how its data privacy legislation may or may not apply to AI. In November 2023, the California Privacy Protection Agency introduced regulations that would apply to “automated decision‐making technology”, which could certainly be interpreted to include artificial intelligence. The draft regulations would cover a variety of businesses due to the wide parameters that include advertising, employment, facial‐recognition and geo‐tracking. The proposal also requires businesses to provide “pre‐use notices” to inform consumers about how they intend to use the ADMT, so that the consumers can decide whether to opt‐out or proceed with the technology interaction.
Where is Data Privacy at a US Federal Level in 2024?
While there seems to be broad bipartisan agreement that a federal data privacy law would be ideal, unfortunately, Congress has continued to be stalemated on such a proposal. A federal law would ideal overcome the state patchwork via pre‐emption, but many proposals have considered burdensome regulatory regimes that would come with significant tradeoffs for both consumers and innovators. While the 116th Congress saw a bipartisan bill advance out of committee in the House, no similar proposal has occurred in the 117th Congress to date.
But in addition to the lack of progress on a potential federal framework, increasingly the conversations about data have turned negative. Whether it is members of Congress or the Federal Trade Commission, policymakers are quick to lump data practices into the term commercial surveillance. Such terminology often lumps in the type of benign or beneficial practices that customize a user’s experience or remember their selections are targeted by regulation along with harmful or deliberately misleading practices. While the FTC has not yet moved forward with its notice of proposed rulemaking on this subject, it remains concerning that the agency is considering such an undertaking without clear delegation from Congress.
Will Data Privacy Be Talked About in this Election?
In January 2023, Joe Biden published an op‐ed for the Wall Street Journal where he pushed for three broad principles of bipartisan Big Tech reform. The first principle called for “serious federal protections for American’s privacy,” urging Congress to pass legislation with “clear limits” on how companies can “collect, use and share highly personal data” that goes beyond disclosure requirements.
Currently, neither Nikki Haley nor Donald Trump have discussed data privacy as a topic this campaign cycle. However, in 2018, during his presidency, the NTIA held stakeholder meetings regarding a potential data privacy framework following the passage of Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
While Nikki Haley has not spoken about her preferred approach to data privacy, some experts noted that her approach to social media reform raised significant data privacy concerns, given the desire to erect barriers to anonymous speech.
Data privacy remains an underlying concern for many users, but the nature of those concerns and their preferences vary. Data is also being used in many beneficial ways that support the customized experience we’ve come to expect and enjoy. Policymakers should recognize that data privacy and data usage is rarely one size fits all for either innovators or consumers and preserve a variety of privacy choice and innovation options while providing needed clarity around clearly specified harms when needed. Because of the nature of data, such actions are best handled at a federal level.