The following editorial appeared in The New York Times.
President Barack Obama this week proposed privacy laws that could give Americans greater control over their personal information. But Republicans in Congress will likely undermine or ignore many of the measures.
Some of Obama’s ideas should have bipartisan appeal. For example, he wants to forbid companies from using data about students that they collect when they sell software and services to primary and secondary schools for marketing purposes. That measure is based on a law that California adopted last year with Democratic and Republican votes in the state Legislature. Most members of Congress would have a hard time justifying voting against a bill that sought to protect the privacy of minors.
But another proposal in Obama’s package could result in less protection for consumers. It would require retailers, banks and other companies who have been hacked to notify customers whose data had been stolen within 30 days after officials learned of the breach. The problem is that such a law could invalidate existing state laws and prevent states from enacting new privacy laws.
Most states and the District of Columbia already have disclosure laws. Alabama, New Mexico and South Dakota do not. Some states have laws that are stronger than what Obama proposed. For example, California, Connecticut and New Jersey generally require notification of a data breach as soon as possible. Many states allow consumers to “freeze” credit reports so that hackers cannot sign up for credit cards and loans in their names. Other states allow residents to sue businesses for not protecting their data. Privacy law experts say Congress could use a data breach laws to pre-empt these state requirements.
Obama and lawmakers in Congress say a federal law would establish a national standard for businesses to follow. As a practical matter, privacy advocates say, companies are not hamstrung by having to follow different state policies because they usually do whatever is required by the strongest state law in all states. Another problem with the president’s proposal is that it does not require businesses to improve the security of their computer systems so data are not stolen in the first place.
There is no doubt that federal law does not adequately protect the privacy of Americans. Numerous reports produced by Congress, the Federal Trade Commission and newspapers including The New York Times have documented the widespread collection of data like Internet browsing histories, retail store purchases and health information. Some companies known as data brokers organize and analyze vast sums of such data into dossiers on individuals and families that can be used to target people based on their medical conditions, economic desperation and their willingness to spend money.
In 2012, Obama wisely called for a “privacy bill of rights” that would give individuals more control over how their information is collected and used. The president now says his administration will produce such a bill of rights in the next 45 days. But nobody realistically expects the current Republican-led Congress to adopt a strong law that truly empowers consumers.
State lawmakers in California, Oklahoma, Texas and elsewhere have been willing to pass privacy laws. Those efforts are insufficient, but at least those lawmakers are trying, unlike members of Congress who have taken little interest in a privacy bill of rights because Internet companies and advertisers have heavily lobbied against it. That is why Obama must be careful not to give Congress an opportunity to undermine state laws.