Lambert 1

Sean Lambert

Jan R. Babcock

ENGL 138T

17 April 2023

Individual Data Privacy in the U.S.

of technology in recent years also comes with the rapid development of different methods that

companies and individuals can access and record your personal data. These methods range from

more direct approaches, such as websites asking the user to accept cookies on their site or

websites requiring users to create and account by inputting their personal information to use it, to

much more subtle and unrecognizable methods such as companies skimming your information

just from plugging your phone into a public outlet to charge. Now, while the advancement of

technology developed alongside its applications in this capacity, the laws surrounding data

privacy in the United States have majorly fallen behind this development. Current laws

surrounding this issue tend to only deal with outdated information or specific kinds of data.

While it is widely known that your data is being stored and sold off by many different

companies, the extent of the data being collected and the possible implications of it being sold

goes largely unsupervised under national laws and requires government intervention to stop or

limit the problem.

The Problem
As more and more articles and headlines are written and published on the subject over the

past few years, the only major change is how popular the issue has become in society, with little

to no movement from the national government to help this issue. In that regard, this issue guide

seeks to both inform people on the intricacies regarding the problem as well as outline some

possible solutions that could be implemented. While a majority of Americans acknowledge the

issue of data privacy and security, it is reported in a survey from September 2021 by Ground

Labs that “71% of respondents are unaware of consumer data protection laws like the California

Consumer Privacy Act (CCPA)” and “71% of respondents either never or only occasionally read

Graphs and statistics from Pewresearch about Americans’ privacy concerns and control over their data.1

1
Atske, Sara. “Americans and Privacy: Concerned, Confused and Feeling Lack of Control over Their
Personal Information.” Pew Research Center: Internet, Science & Tech, Pew Research Center, 17 Aug.
 Lambert 3

data sharing disclaimers to find out why their personal data is being collected and what it will be

used for.”2 It is clear to see that there is a lack of actual information on the problem and more just

knowledge of its existence. This ignorance among most people has lead the problem to grow to

an unprecedented extent “...with a 141% increase in compromised records due to breaches in

2020 compared to 2019”3 and many consequences and implications have arisen alongside it.

This lack of supervision by our government of our data privacy has become a much

bigger issue than could have ever been imagined even just a few years ago, with the scale of how

much information is recorded and traded, even among reputable companies, reaching statistics

that are hard to imagine. A report from the Irish Council for Civil Liberties4 said that “...ad

platforms transmit the location data and browsing habits of Americans and Europeans about 178

trillion times each year. According to the report, Google transmits the same kind of data more

than 70 billion times daily, across both regions.”5 If looked at from another angle, that would

mean “By way of online activity and location, a person in the U.S. is exposed 747 times each day

to real-time bidding, according to the data.”6 These statistics truly highlight the underlying

problems of how little actual individual data security there is in the United States. However,

while the rampant data collection may be shocking, the many different uses that this data has in

2020,https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-f
eeling-lack-of-control-over-their-personal-information/.
2
“Sensitive Data Discovery Software and Tools.” Ground Labs, 28 Feb. 2023,
https://www.groundlabs.com/.
3
Ibid.
4
“- Irish Council for Civil Liberties.” Irish Council for Civil Liberties, 4 Apr. 2023, https://www.iccl.ie/.
5
16, Bloomberg News | May. “Google Is Sharing Our Data at a Startling Scale.” ITPro Today: IT News,
How-Tos, Trends, Case Studies, Career Tips, More, 16 May 2022,
https://www.itprotoday.com/data-privacy/google-sharing-our-data-startling-scale.
6
Ibid.
 Lambert 4

the hands of organizations is the real cause for concern and the reason this issue requires

regulation.

Uses of Collected Data

aspects of our society, the demand for large amounts of data to feed these programs continues to

rise. This information is especially important for advertising as companies have developed bots

to pick and choose what type of person and at what cost they are willing to advertise their

products to. In order for these advertisers to accomplish this they require the companies that

would be hosting the advertisements to collect their user’s data and present it to these advertisers

to start a bidding war in real time to see which advertiser is willing to give the most money. This

bidding war is not limited to just a few companies at a time, but can include hundreds of different

advertisers trying to end up in the ad space on the user’s screen. Google has reported that

it”...transmits the data of American users to about 4,700 companies in total across the world” to

support this process.

The extent as to which companies like Google share their user’s information is also

concerning, as what they broadcast may include the user’s location, personal characteristics, and

browsing habits, all for the artificial intelligence bots of these advertisers to receive and analyze

to figure out how much they are willing to spend on an ad for this user specifically.

According to the Interactive Advertising Bureau, sometimes extremely personal labels

are also attached along with the user’s information, such as health disorders, hobbies, personal
 Lambert 5

finance, religion, career, etc.7 Examples of these tags include “Cancer”, “Autism/PDD”, “Brain

Tumor”, “Marketing”, “Logistics”, “Vegan”, “Immigration”, “Legal Issues”, and many more.8

These labels are especially concerning as it shows a level of data privacy invasion that goes

beyond what would normally be understood as the limits to what websites could ascertain and

record about an individual. And while this information is generally secure and only seen by

artificial intelligence programs for the purpose of advertising, it invites the possibility of

devastating security breaches and outside invasions of privacy, with some prior examples of this

already existing.

According to The Wall Street Journal “A company that collects and sells consumer

information gleaned from cellphones said it was the source of some of the advertising data used

by the Department of Homeland Security and other government entities to track mobile phones

without warrants…”9 This event is clearly a result of the risks presented by the largely

unregulated laws regarding data privacy and a great example of why these laws must be revised

and expanded upon.

7
“Open RTB Specification - IAB.” OpenRTB API Specification Version 2.5, Dec. 2016,
https://www.iab.com/wp-content/uploads/2016/03/OpenRTB-API-Specification-Version-2-4-FINAL.pdf.
8
Ibid.
9
Press, Charlie Riedel/Associated. “WSJ News Exclusive | How Cellphone Data Collected for Advertising
Landed at U.S. Government Agencies.” The Wall Street Journal, Dow Jones & Company, 18 Nov. 2021,
https://www.wsj.com/articles/mobilewalla-says-data-it-gathered-from-consumers-cellphones-ended-up-wit
h-government-11637242202.
 Lambert 6

Current Legislation
Looking at the current laws in place that regulate data security, they almost all have the

same downsides of being too specific and mostly too incomplete to act as a full system

addressing the issue. Multiple states in the United States have already passed or are in the

process of passing comprehensive legislation regarding consumer data privacy. These states

include Virginia, Massachusetts, New York, North Carolina, Pennsylvania, etc.10 While these

proposals would work well within each state individually, especially California’s, a standard has

to be established within national law for real change to occur. However, currently the laws that

have been passed in reference to data privacy and security only target specific types of data

rather than any law setting a general standard.

Map from iapp representing the current state of US State’s privacy legislation process.11

10
Ibid.
11
Desai, Anokhy. US State Privacy Legislation Tracker,
https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.
 Lambert 7

The acronyms of the main federal laws that have already passed legislation in the United

States are HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA, and each of them deal

with a different type of data regulation. Even among the laws that have already passed, some are

barely effective, if at all, when it comes to defining data privacy in the area they focus on. For

example the Health Insurance Portability and Accountability Act (HIPAA) mainly relates to the

interactions between citizens and individuals or companies such as doctors, hospitals, insurers,

etc. and the Video Privacy Protection Act (VPPA) prevents the disclosure of VHS rental records,

which is severely out of date and doesn’t even apply to current day streaming services.12 Most of

the power to pursue and enforce data privacy derived from these laws falls upon the Federal

Trade Commission (FTC), with it being the one of the only major organizations that holds this

right/power. While it has been clearly established that data privacy is a problem that requires

additional intervention, the question turns to how it will be implemented and enforced.

Suggested Solution
According to the New York Times, there are four areas that deserve basic protections in

order to establish a “floor” that other laws could build off of in the future.13 These four areas

include data collection and sharing rights, opt-in consent, data minimization, nondiscrimination

and no data-use discrimination. These four areas would give rights to consumers to have much

12
“Health Insurance Portability and Accountability Act of 1996 (HIPAA).” Centers for Disease Control and
Prevention, Centers for Disease Control and Prevention, 27 June 2022,
https://www.cdc.gov/phlp/publications/topic/hipaa.html.
13
“The State of Consumer Data Privacy Laws in the US (and Why It Matters).” The New York Times, The
New York Times, 6 Sept. 2021, https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.
 Lambert 8

more control over their data privacy while still not undermining the current system of reliance on

trading consumer data which is an essential part of the advertising industry.

According to the New York Times, data collection and sharing rights refers to laws that

give people the right to see what data various companies have collected on them, to request that

companies delete any data they’ve collected, and to take data easily from one service to another.

This also includes the right to tell companies not to share/sell your data to third parties.14

Currently, California’s legislation referring to data privacy (CCPA) gives a good example of what

this would look like after implementing. To request information under the CCPA, users usually

are required to at least one form on every single website they interact with.15 This section would

alive a lot of the current problems of the current system as it allows for much greater control on

what consumers allow companies access to when they browse through sites.

The opt-in consent clause would require companies to ask you if they may “share or sell

your data to third parties” and “You shouldn’t have to spend hours opting out of the collection of

your private data through every service you use.”16 The basic idea behind this is that rather than

the user being responsible for requesting that companies not spread their information, the

responsibility falls on the company to get the user’s consent before they are legally allowed to.

This clause would prevent a lot of sidestepping of the first clause by burying the opt-out option

on their website in inaccessible spots to make it harder for the user to do so.
14
Ibid.
15
Cowan, Jill, and Natasha Singer. “How California's New Privacy Law Affects You.” The New York
Times, The New York Times, 3 Jan. 2020,
https://www.nytimes.com/2020/01/03/us/ccpa-california-privacy-law.html.
16
“The State of Consumer Data Privacy Laws in the US (and Why It Matters).” The New York Times, The
New York Times, 6 Sept. 2021, https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.
 Lambert 9

The third clause would require companies to practice data minimization, which would

ensure that companies would only collect data that they require to provide the services the

consumer is using. While this definition is the most vague out of the four definitions and

therefore the most easily sidestepped, it still would be a good countermeasure against a lot of the

more invasive methods websites collect data.

While the other three clauses exist relatively independently of each other the fourth

clause is dependent on the other three and is possibly the most important for enforcing the other

three clauses. Nondiscrimination and no data-use discrimination ensures that “A company

shouldn’t discriminate against people who exercise their privacy rights; for example, the

company can’t charge someone more for protecting their privacy, and the company can’t offer

discounts to customers in return for their giving up more data.”17 In this sense, it works a lot like

Net Neutrality, in which companies can’t treat users differently should they choose to not

opt-into sharing their data with the company.18

However, some potential drawbacks to the implementation of protecting these four areas

could prevent any of them passing legislation. One main concern with these laws would be them

being written too vague to hold any real power over organizations. In this case,

websites/organizations could simply extend their terms of service (TOS) to account for and

sidestep these new laws as users would be forced to accept everything on their TOS to access

their product.

17
Ibid.
18
“Net Neutrality: A Free and Open Internet.” National Archives and Records Administration, National
Archives and Records Administration, https://obamawhitehouse.archives.gov/net-neutrality.
 Lambert 10

Overall these four clauses, if passed, would ensure a good foundation to be established

for expanding upon and redefining data privacy laws going forward. A good foundation is

incredibly important to establish now as technology is only going to become more and more

integrated into society in the future, and the value of individual protection against data breaches

is going to greatly increase alongside it.

Conclusion
In conclusion, with the recent TikTok hearings and various other new stories, data

privacy has become a major concern for a large percentage of the American population, and with

the current policies in place, this concern will only grow into the future.19 Additional government

intervention is the only realistic way to solve this issue as it would correct the currently

lacking/out of date policies in place, which lack the jurisdiction needed to keep individuals’ data

safe in everyday life. With additional government intervention could come a comprehensive

foundation for data privacy, one that could be adapted and still apply going forward as

technological advancements bring along new concerns and pave the way for the future.

19
“Full Committee Hearing: ‘TikTok: How Congress Can Safeguard American Data Privacy and Protect
Children from Online Harms.’” House Committee on Energy and Commerce,
https://energycommerce.house.gov/events/full-committee-hearing-tik-tok-how-congress-can-safeguard-a
merican-data-privacy-and-protect-children-from-online-harms.
 Lambert 11

Works Cited

“- Irish Council for Civil Liberties.” Irish Council for Civil Liberties, 4 Apr. 2023,

https://www.iccl.ie/.

16, Bloomberg News | May. “Google Is Sharing Our Data at a Startling Scale.” ITPro

Today: IT News, How-Tos, Trends, Case Studies, Career Tips, More, 16 May 2022,

https://www.itprotoday.com/data-privacy/google-sharing-our-data-startling-scale.

Atske, Sara. “Americans and Privacy: Concerned, Confused and Feeling Lack of Control

over Their Personal Information.” Pew Research Center: Internet, Science & Tech, Pew

Research Center, 17 Aug. 2020,

https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confu

sed-and-feeling-lack-of-control-over-their-personal-information/.

Cowan, Jill, and Natasha Singer. “How California's New Privacy Law Affects You.” The

New York Times, The New York Times, 3 Jan. 2020,

https://www.nytimes.com/2020/01/03/us/ccpa-california-privacy-law.html.

Desai, Anokhy. US State Privacy Legislation Tracker,

https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.

“Full Committee Hearing: ‘TikTok: How Congress Can Safeguard American Data Privacy

and Protect Children from Online Harms.’” House Committee on Energy and Commerce,

https://energycommerce.house.gov/events/full-committee-hearing-tik-tok-how-congress-ca

n-safeguard-american-data-privacy-and-protect-children-from-online-harms.
 Lambert 12

“Health Insurance Portability and Accountability Act of 1996 (HIPAA).” Centers for

Disease Control and Prevention, Centers for Disease Control and Prevention, 27 June

2022, https://www.cdc.gov/phlp/publications/topic/hipaa.html.

“Net Neutrality: A Free and Open Internet.” National Archives and Records

Administration, National Archives and Records Administration,

https://obamawhitehouse.archives.gov/net-neutrality.

“Open RTB Specification - IAB.” OpenRTB API Specification Version 2.5, Dec. 2016,

https://www.iab.com/wp-content/uploads/2016/03/OpenRTB-API-Specification-Version-2-

4-FINAL.pdf.

Press, Charlie Riedel/Associated. “WSJ News Exclusive | How Cellphone Data Collected

for Advertising Landed at U.S. Government Agencies.” The Wall Street Journal, Dow

Jones & Company, 18 Nov. 2021,

https://www.wsj.com/articles/mobilewalla-says-data-it-gathered-from-consumers-cellphon

es-ended-up-with-government-11637242202.

“Sensitive Data Discovery Software and Tools.” Ground Labs, 28 Feb. 2023,

https://www.groundlabs.com/.

“The State of Consumer Data Privacy Laws in the US (and Why It Matters).” The New

York Times, The New York Times, 6 Sept. 2021,

https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.