Protecting Personally Identifiable Information in the United States

Today, smart devices fill every facet of life: we check the time on our smartwatches, listen to music on smart speakers, stream shows on smart TVs, and do just about everything else imaginable on our smartphones. These systems constantly pool information to better serve both the individual user and the customer base as a whole. Amid this growing sea of raw data, personally identifiable information (PII) serves as the link between the individual and the otherwise faceless accumulation of information.[1] PII includes any data that could identify an individual, such as a person’s name, face, or phone number, but the concept also extends to IP addresses, web browser information, and even GPS coordinates.[2] When your speaker calls you by name, or your phone recognizes your face, PII collection is streamlining your technological life.

However, a breach of trust and privacy occurs when information a person believed to be protected is shared with others or sold for profit. To prevent this violation of confidence and security, various laws have been implemented at the state and federal levels to govern the sharing and sale of PII, but these laws are far from uniform.[3] Some states, like California, have pushed ahead by passing legislation that thoroughly protects their residents, while the majority of states lag behind, leaving their residents relatively unguarded.[4]

II. The Federal Landscape

The United States currently lacks a comprehensive federal law governing the commercial sharing and sale of PII.[5] In this respect, the United States lags far behind the European Union, which adopted the General Data Protection Regulation (GDPR) in 2016 (in force since May 25, 2018) to protect its residents’ personal data.[6] The GDPR is widely regarded as the global benchmark for PII protection, and a number of states have recently taken steps to follow this foreign example.[7]

However, the United States is not entirely devoid of federal regulation in this area. Section 5 of the Federal Trade Commission Act (FTC Act) prohibits unfair or deceptive acts or practices and is the primary federal law protecting American PII.[8] While the FTC Act does not explicitly regulate the sharing of this information, the FTC enforces it to require that companies be clear about what information they collect and how they will use it, particularly when that information may be shared with a third party; a company that misrepresents its data practices engages in a deceptive practice.[9] In short, the FTC Act does not tell companies what they may or may not do with the data they collect, but instead ensures that companies are transparent about how they intend to use customer data.[10] No private right of action exists under the FTC Act, so individuals have no recourse under federal law for violations of their PII rights; enforcement rests with the Commission itself.[11]

III. The State Legal Landscape and California’s Latest Legislation

Many states are quickly developing their own data privacy laws to fill the gaps left by the absence of comprehensive federal legislation.[12] California has led the way in American PII protection, but several other states have also taken substantial steps to protect residents’ PII from financial exploitation.[13]

Effective January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) serves as the United States’ most comprehensive statutory protection of PII.[14] The CCPA does not regulate every business that collects consumer data in the state, but instead focuses on the for-profit businesses that collect, and profit from, the most PII.[15] To be subject to the CCPA, a business must:

1) collect consumer PII;

2) determine the purposes and means of processing that PII; and

3) meet one of the following thresholds:

A) have annual gross revenues in excess of $25 million;

B) annually buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or

C) derive 50% or more of its annual revenue from selling consumers’ personal information.[16]

The CCPA provides various protections for the data of California residents, including the right to opt out of the sale of their PII.[17] Businesses subject to the law must help consumers exercise this right by placing a “Do Not Sell My Personal Information” link in a “clear and conspicuous” location.[18] The CCPA also prohibits businesses from discriminating against customers who opt out of the sale of their PII or otherwise exercise their rights under the act.[19] Under the California law, consumers have both a right to know what information is being collected about them and a right to have that information deleted on request.[20]

Unlike the current federal system and most other states, the CCPA provides a private right of action for consumers in the event of a data breach, but only where the breach results from a business’s failure to implement and maintain reasonable security procedures; statutory damages range from $100 to $750 per consumer per incident, or actual damages if greater.[21] The California law also expands the definition of PII (which the statute calls “personal information”) to include all “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[22] While information that is lawfully made available from federal, state, or local government records is exempted from the statute, California’s expansive definition of PII affords its residents more comprehensive data protection rights than anywhere else in the country.[23]

That said, the CCPA protects only California residents, and the vast majority of states lag significantly behind in data protection legislation.[24] While other states have recently passed or are actively considering new legislation, each state adopts its own definition of PII, of what constitutes a sale of PII, and of what level of protection the data should receive.[25]

In 2019, Maine passed L.D. 946, which applies to broadband internet service providers and affords customers the right to restrict the use and sale of their PII while prohibiting providers from discriminating against those who exercise that control.[26] In these two areas L.D. 946 mirrors the CCPA, but Maine’s legislation differs from California’s in several key respects, including a narrower definition of PII and the omission of a private right of action.[27] Even without these provisions, Maine is far ahead of the vast majority of states, which have no laws at all governing the use and sale of PII.[28] These inconsistencies create a highly variable legal landscape that lacks predictability or cohesive structure.[29]

The current patchwork of state laws regulating the collection, use, and sale of PII provides insufficient protection for the data of most Americans. Data collection is too amorphous and pervasive for the states to address on an individual basis. To remedy this mounting problem, the United States could either enact nationwide legislation that creates a baseline of protection for all citizens or draft a uniform code that gives state legislatures a model to build upon.

To protect all residents from overreaching and exploitative PII use, the United States could enact a national statute establishing fundamental data protection rights for all Americans. This approach would provide a level of consistency and predictability that the current system lacks. Currently, when an app user in Columbus, Ohio, connects with a friend in San Diego, California, the applicable statutory lines are blurred. Can the app developer collect and sell the PII of one and not the other? What if the app company is based in Maryland and wants to apply Maryland law? These ambiguous situations arise constantly in contemporary data sharing. Without uniform legislation, companies are free to target residents of the states with the least restrictive regulations on data sharing and PII. Of course, even with a national law, some states would inevitably pass further legislation to protect their residents beyond the federal protections. While such future state innovation would create some inequity across the country, a nationwide law would effectively raise the floor for data privacy rights from the current nonexistent requirement to a more just standard.

Businesses would also benefit from a federal statute that establishes a minimum threshold for PII protection. Currently, businesses in this market must track each state’s applicable PII laws and keep their policies current with rapidly developing and relatively unpredictable legislation. Companies have to evaluate their exposure to litigation under each statutory scheme independently and decide whether doing business in the state is worth the risk. In contrast, a federal standard would simplify this process by providing businesses a stable, consistent benchmark by which to operate.

The most prevalent countervailing interest to this proposed federal law arises from a concern for the financial well-being of small businesses in the face of potentially oppressive regulations. However, this objection could be addressed by establishing a sliding-scale standard based on business size and the amount of data collected. For small businesses that collect relatively little data, the requirements would be fairly lenient, while large corporations that collect vast pools of consumer data would be held to a higher standard. A comparable threshold-based approach has already been implemented in California and could be applied on a national scale with some adjustments.

Absent national legislation, a model code to serve as a framework for best practices in data protection legislation could be immensely helpful and lead to more predictable laws from state to state. States would have to voluntarily choose to adopt this uniform law, but a model statute would at least provide a baseline for commonality between the states. The advantage to this approach is that it leaves the decision up to the states and avoids federal interference in state affairs. Each state legislature could adjust the model code to fit the needs of their particular constituency instead of having to build upon a federal statute in which they had limited input.

The next time you mindlessly plug in your name, date of birth, or phone number into one of your smart devices, pause for a moment and consider if you actually know where that information goes after you press send. Even now, what sites are collecting your information and linking it to you through PII? Without a comprehensive and uniform legal system protecting the PII of individuals across the country, the answer could be drastically different depending on your home state.

To remedy this inconsistency, the United States should follow the example of the European Union and create an equitable, predictable PII regulation that affords every American the same right to privacy and data protection.

[1] Data Privacy Principles All Legal Providers Should Adopt, Thomson Reuters, https://legal.thomsonreuters.com/en/insights/articles/data-privacy-principles (last visited Sept. 4, 2020).

[2] Id. (PII includes both direct and indirect identifiers. Direct identifiers include information that can independently identify a person such as their full name or complete social security number. Indirect identifiers also point to an individual, but they do so less explicitly, and therefore require other information to identify a specific person. Indirect identifiers include birthdates, the last four digits of a social security number, and street addresses without a city listed.).

[3] Andy Green, Complete Guide to Privacy Laws in the US, Varonis (Mar. 29, 2020), https://www.varonis.com/blog/us-privacy-laws/.

[4] Id. (discussing PII laws in New York, Hawaii, Maryland, Massachusetts, North Dakota, and California).

[6] Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), 2016 O.J. (L 119) 1.

[7] Elizabeth L. Feld, United States Data Privacy Law: The Domino Effect After the GDPR, 24 N.C. Banking Inst. 481 (2020) (The GDPR focuses on individual rights to data that had previously not existed in Europe such as the right to control and delete one’s own data); Green, supra note 3 (Upcoming or recently passed PII legislation in New York, Hawaii, Maryland, Massachusetts, North Dakota, and California.).

[8] Federal Trade Commission Act § 5, 15 U.S.C. § 45 (2018); Green, supra note 3.

[9] Jolly, supra note 5.

[11] 15 U.S.C. § 45 (2018); Morales v. Walker Motors Sales, Inc., 162 F. Supp. 2d 786, 790 (S.D. Ohio 2000) (holding that there is no implied private right of action under the provision of the Federal Trade Commission Act prohibiting unfair and deceptive acts and practices); see also United States v. Philip Morris Inc., 263 F. Supp. 2d 72 (D.D.C. 2003).

[14] California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100–1798.199.

[15] Brumfield, supra note 10 (“The law applies to businesses that collect information from California residents and meet at least one of the following thresholds: (1) have over $25 million in annual gross revenue; (2) buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their revenue from the sale of consumers’ personal information.”).

[17] California Consumer Privacy Act (CCPA), State of California Department of Justice, Attorney General’s Office, https://oag.ca.gov/privacy/ccpa (last visited Sept. 4, 2020).

[22] Cal. Civ. Code § 1798.140(o)(1) (defining “personal information”).

[23] See California Consumer Privacy Act, supra note 17 (information exempted from the statute includes public licenses and property records).

[25] Green, supra note 3; Noordyke, supra note 12 (Maryland, Hawaii, New York, North Dakota, Nevada, Pennsylvania, Rhode Island, and Massachusetts are among the states that have recently proposed or passed legislation related to PII protection).

[26] Noordyke, supra note 12.

[27] Id.; L.D. 946, 129th Leg. (Me. 2019) (Maine’s definition of protected customer personal information is codified at Me. Rev. Stat. tit. 35-A, § 9301(1)(A)(1)).

[28] Green, supra note 3 (as of early 2020, only California, Nevada, and Maine had PII privacy laws in effect).