US Privacy Laws: Big Tech's 'Do Whatever They Want' Regime

The Current US Privacy Landscape

• 🇺🇸 The US operates under a "privacy regime" where companies claim they can "basically do whatever they want" as long as it's disclosed in their privacy policy.
• ⚠️ Without a federal standard, companies lack incentives to innovate on privacy protection, leading to harms for individuals and the market.
• 🎯 Enforcement efforts, like those by the FTC, are described as a "whack-a-mole" approach due to the lack of bright-line rules.

Consensus on Consumer Rights and Company Obligations

• 💡 There is broad consensus across states on core consumer rights, including the ability to access, correct, and delete personal information.
• 🚫 Consumers should have the right to opt out of data sales, profiling, and targeted advertising.
• 🤝 Consensus also exists on core obligations for data controllers, such as obtaining consent for processing sensitive data and conducting privacy assessments.

Gaps in Current Privacy Enforcement

• 🔍 Even with FTC efforts, companies argue their actions are legal if disclosed in privacy policies, highlighting the need for clearer legislation.
• ⚖️ A comprehensive federal privacy bill is needed to establish bright-line rules on data collection, usage, and sharing.
• 🌐 State laws have varying requirements, and some, like Colorado and Connecticut, are beginning to address processor responsibilities more robustly, but a federal standard is crucial for consistency.

Interoperability and Competition Concerns

• 🗣️ Dominant platforms sometimes use privacy concerns as a pretext to avoid opening up to fair competition.
• 📈 Companies like Google have argued against sharing arrangements by citing privacy, but the underlying motive is often to maintain scale and control data.
• 🏛️ A strong federal privacy law can help ensure interoperability requirements open digital markets to competition by providing regulators with clearer statutes to assess these practices.

Aligning Responsibility for Data Protection

• 📊 Businesses should not be solely responsible for the data privacy practices of third-party platforms they rely on to reach consumers.
• 🔒 Many state laws, with notable exceptions like Colorado, do not require big tech service providers to actively secure the data they process on behalf of other businesses.
• 🇪🇺 Unlike in Europe, US businesses often lack the ability to object to subprocessors that big tech platforms may use, creating a disparity in data protection oversight.