Data Privacy

4A’s Pepper: Congress Will Act on Data Privacy to Avoid “Nightmare”

July 8, 2019 – A growing spotlight on data privacy will lead the federal government to create national data privacy regulation in lieu of a patchwork of different regulations spanning 50 states, according to Alison Pepper, senior vice president for Government Relations at the 4A’s.

Speaking at the recent Coalition for Healthcare Communication’s Rising Leaders Conference on Healthcare Policy, held in Washington, D.C., Pepper pointed out to attendees that “bifurcated state-by-state legislative efforts in this area are a very big concern for industry.” “The potential of having 50 different regimes for how you use data in whatever context is obviously going to be an administrative nightmare and a liability nightmare.”

To that end, the 4A’s recently announced it is a steering committee member of the “Privacy for America” coalition, formed to work with Congress to support “enactment of groundbreaking comprehensive federal consumer data privacy and security legislation,” according to a 4A’s press release. The group is designed to provide “a powerful advocacy platform representing the advertising industry,” and includes a wide range of members.

The need for national legislation on data privacy is becoming greater as “the outrage around privacy incidents continues to get a little bit louder every year,” Pepper told Rising Leaders attendees. “This is an evolution about how regulators think about privacy, I think it’s an evolution about how legislators think about privacy, and most important of all, I think it’s very much an evolution … as to how consumers think about privacy,” she said.

“We’ve also seen a lot around healthcare” data privacy, she noted. Questions in this space include: “What kind of healthcare apps [collect data]? What kind of healthcare information is being transmitted to third parties that consumers were unaware of? What kind of notice was given? What was transferred? Who has it? Who is holding it? All of these questions are swirling around this space right now and the questions are building on all sides, from consumers to regulators to legislators.”

In the current 116th Congress, Pepper explained, “there are 209 bills pending in Congress, both on the House and Senate side,” that address some aspect of privacy. “What’s included in privacy legislation? What are the high-level concepts?” she asked. The privacy topics lawmakers are considering include transparency, accountability, consumer access rights, social media, facial recognition, amending the children’s privacy law, amending financial education law, artificial intelligence and algorithmic fairness, “and that’s not even the full picture of what’s coming out of Congress right now on privacy,” she said.

For example, the “Algorithmic Accountability Act” (S 1109/HR 2231) would require companies to perform “impact assessments” on their own algorithmic decision-making systems. Those assessments would flag potential consequences for “accuracy, fairness, bias, discrimination, privacy and security” within automated systems and companies would be required to correct any issues they uncovered during the process.

Those in the Senate and the House are wondering, how many different companies are using algorithms to make decisions that we don’t even know anything about, that are disproportionately affecting actual protected classes, or otherwise are having a disproportionate impact?

These types of bills will likely proliferate (both at the federal and state level) as more and more predictive algorithms come into use, according to Pepper, and she indicated that such provisions could affect the use of algorithms in finding patterns across disparate clinical data sets.

Pepper explained that the European Union’s General Data Protection Regulation (GDPR) actually led the way in addressing this concept. One of the lesser-discussed rights established under the GDPR is the right to ask for non-algorithm decision-making. “I think this is the type of thing that you are going to see a lot of discussion about … if you don’t see Congress to some extent act on this, you might see the states start to act on this.”

On the federal front, there has been “no shortage of hearings” in Congress this year on privacy issues, particularly in the Senate Commerce Committee, the Senate Judiciary Committee and the House Energy and Commerce Committee. Legislation is most likely to emerge from the Senate Commerce Committee, but not quickly, because “privacy is difficult and these are difficult issues, even if you are working in a bipartisan fashion,” she said.

One stumbling block to Congress taking federal action is that its members have “a little bit of a deficit in technical knowledge,” Pepper asserted. The technology is complex, there are many aspects to consider, and these issues “require a lot of background and discussion.”

Although many stakeholders are advocating national legislation modeled after the GDPR, Pepper said that such an approach fails to appreciate:

  • Differences in enforcement culture
  • Forces behind U.S. success in the digital economy
  • Costs to small businesses and non-profits
  • Threats to subscription-free Internet services

Speaking to the enforcement issue, Pepper told Rising Leaders Conference attendees that the Federal Trade Commission is understaffed, with roughly 40 staffers handling this issue nationally. “We need to do a better job of funding and staffing,” she said. Without appropriate staffing and infrastructure, she added, any new program “is not going to look like a success.”

She also commented that in addition to enforcement, potential legislation needs to address preemption. “Without it you end up with a federal law and 50 different state laws,” she said.