ACLU Counsel Says Be Wary of Federal Privacy Legislation

In a Washington Post op-ed piece, Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union (ACLU), warns that the growing push for federal privacy legislation is bad news for consumers. Guliani cites several examples of how states are leading the efforts to protect consumer privacy, including California’s recent consumer privacy act and the Illinois law that sets limits on the commercial collection and storage of biometric data.

According to Guliani, the U.S. Chamber of Commerce and lobbying organizations that represent Amazon, Airbnb, Google, Microsoft, and many other digital behemoths are urging Congress to adopt a federal privacy framework that preempts state law. Further, Facebook, IBM, and Microsoft, among other tech companies, are working with the White House to lobby Congress for such a national law.

“And some people seem to be falling for it,” she writes. “After all, the Senate Commerce Committee held a hearing on consumer privacy protections last week that included many industry representatives but not one representative of consumer interests.”

Guliani asserts that a federal law could jeopardize existing consumer protections, many of which are state-led, and leave states bound by a federal law that could prevent additional protections later. State regulators could lose the authority to sue or fine companies that violate their laws. And consumers may even be barred from taking companies to court.

In defending the so-called “patchwork” of state laws, Guliani writes, “It’s because of a patchwork that Equifax ultimately notified all consumers of its data breach, choosing to apply certain state standards nationally. And it’s because of a patchwork that states have prohibited discrimination on the basis of sexual orientation, despite the fact that our laws at the federal level are still lacking.”

Guliani and the ACLU would support strong federal privacy legislation, she said, “But any such legislation must put consumers in control of their own data. It must require companies to clearly inform consumers about their data practices and get consent to retain, share or otherwise use consumer data. It must address coercive practices that condition services on consumers’ consent to unnecessary data collection and put in place limits on how data can be retained and used. And, perhaps most importantly, it must give the government a large stick for enforcement and consumers a way to take companies to court that violate privacy.”