Data Privacy

In recent years, the amount of personal information that is collected, used, shared, and sold has skyrocketed. Virtually all companies now collect some personally identifiable information (PII). Moreover, data-driven companies collect unprecedented amounts of PII. This trend is only expected to accelerate. With the proper safeguards in place, the proliferation of personal information brings the promise of significant innovations that will benefit individuals, groups, and the broader society. But it also brings challenges, including the importance of providing consumers with robust privacy protections. Policymakers and the private sector play important roles in establishing the guardrails that allow data uses that bring lasting consumer benefits while providing consumer privacy protections aligned with AARP’s data privacy and security principles.

Federal privacy laws: In contrast to many other countries’ comprehensive privacy laws, the U.S. has a patchwork of sector-specific federal privacy laws. For example, the Health Insurance Portability and Accountability Act, known as HIPAA, is designed to protect sensitive health information from being disclosed without a patient’s consent (see also Data Privacy, Security, and Use). Other federal industry-specific privacy laws include the Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act, Federal Educational Privacy Rights Act, and Graham-Leach-Bliley Act. The Children’s Online Privacy Protection Act protects the privacy of children under age 13.

No federal agency currently has comprehensive authority to regulate consumer privacy. The Federal Trade Commission (FTC), however, regulates unfair or deceptive acts and practices related to privacy. It requires all companies to maintain reasonable privacy and security for consumers’ PII. The FTC’s jurisdiction has been extended through regulatory and court decisions to govern companies’ collection, storage, use, and sharing of PII. Companies and organizations must properly disclose their privacy practices to consumers ahead of time. They must give consumers notice of their data practices and have consumers consent to those practices in advance. Generally, as long as they do so, they are protected from FTC enforcement, even if the practices they engage in cause consumer harm. As a result, companies and organizations typically have lengthy privacy disclosures. However, they do not always provide consumers with a meaningful ability to control how their data may be collected, analyzed, shared, and sold.

Some federal and state policymakers have proposed new laws and regulations to provide consumers with greater control over their personal information. Most of these have not been enacted. California’s law is a major exception. It contains important consumer privacy protections. Some national companies are applying these consumer protections to consumers across the U.S., not just in California. As such, some privacy experts have said that as the California law continues to be implemented, it may serve as a de facto national privacy protection standard.

California Privacy Law: The California Consumer Privacy Act (CCPA) went into effect in 2020. It gives California consumers control over their personal information. CCPA contains many provisions similar to the European Union’s General Data Protection Regulation. It offers California consumers the right to review, delete, and opt out of the sale of their data. In addition, businesses can no longer require consumers to grant full use of their personal data in order to use a product or service.

In November 2020, California voters approved a ballot initiative, the Consumer Privacy Rights Act (CPRA), which will go into effect in 2023. CPRA expands on the privacy protections in CCPA. It aligns protections more closely with the European Union’s landmark General Data Protection Regulation. Increased protections include:

• an expanded right to opt out of data-sharing, not just of data sale.
• the right to correct inaccurate information.
• an expanded right to limit the internal uses of sensitive personal information, not just the sale of this type of information. Such information includes data related to health, race, ethnicity, sexual orientation, precise location, and more.
• a data-minimization requirement that limits the ability of businesses to collect, use, retain, and share information only that is “reasonably necessary” for the product or service to work.

CPRA also creates a new dedicated privacy agency, the California Privacy Protection Agency. The new agency has primary responsibility for enforcing CPRA. It may fine up to $2,500 per violation ($7,500 for intentional acts). CPRA creates a private right of action only for security breaches. Creating a single agency dedicated to protecting consumer privacy increases the likelihood that it will have the resources and expertise it needs to effectively conduct rulemaking, oversight, and enforcement.

Data brokers: Data brokers collect, collate, analyze, and sell billions of data points about consumers’ online and offline behavior. Such companies often collect information about financial, retail, recreational, and online browsing activities to create detailed profiles of individual consumers. These profiles allow data brokers to make inferences about people based on the data they collect. For example, they might infer consumer interests about potentially sensitive topics related to age, race and ethnicity, or health-related conditions.

Data brokers are mostly unregulated. As of 2020, the only regulations that exist are the new California privacy law and a Vermont law requiring that data brokers register with the state. Unlike consumer reporting agencies, commonly known as credit bureaus, federal law does not require data brokers to provide consumers with access to the information they have collected about them. As a result, most consumers are unaware that data brokers exist. They also generally do not know what kind of information is being sold to other companies. Even if they do, federal law does not provide them with core privacy rights to review their personal files; decide how data may be used, shared, or sold; correct inaccuracies; or delete data.