
Better than nothing? Pa. considers data privacy bill friendly to companies, called weak by consumer advocates

The bill is modeled on legislation supported by Amazon and Microsoft and is the dominant data privacy model in the country.

  • Jordan Wilkie/WITF
FILE - The Facebook logo is seen on a cell phone in Boston, USA, Oct. 14, 2022.

 Michael Dwyer / AP Photo


There are few limits on how businesses can collect, use and sell data about their customers. Grocery stores are now big data companies, thanks to their savings awards programs. As are smartphone apps — Candy Crush is tracking user locations, health apps are selling information on workout frequencies and menstrual cycles, and social media is free in exchange for user data. 

Congress has tried and failed, twice, to pass bipartisan consumer data privacy bills. With the federal government’s failure to act, and with no new privacy protections on the horizon, state lawmakers are attempting to set data privacy standards.

A bipartisan group of 17 Pennsylvania state representatives — 11 Democrats and 6 Republicans — is trying to pass the state’s first consumer data privacy protection bill. Only 19 states currently have such a law on the books, though consumer and data privacy advocates say most provide weak protections that favor businesses. 

Stephenie Scialabba, a data privacy lawyer and Republican representative from Bucks County, said it’s past time to get something on the books, even if it’s not perfect. 

“We can’t let perfection be the enemy of progress,” said Scialabba. “This is the language that will actually pass and will actually help Pennsylvanians.”

A very similar version of the bill passed the House in the previous session and made it out of committee in the Senate, only to languish on the Senate floor during last summer’s budget debates. Now, Scialabba and her cosponsors expect the new bill – HB78 – to pass the House in the coming weeks, though it has not yet been discussed in committee. 

“Pennsylvanians and stakeholders share a desire for clarity on the issue of data privacy rights,” Scialabba said. “I think legislators are finally understanding that we need to work.”

Matt Schwartz, privacy policy expert for Consumer Reports, says the bill has large loopholes and puts pressure on individuals, rather than companies, to ensure privacy. 

“It’s worse than doing nothing because it is deceptive to consumers and would give them a false sense of security that their data is being protected when it’s really not, at least not in a meaningful way,” Schwartz said.

Lacking strong protections 

California passed the first consumer data privacy protection law in 2018, and shortly thereafter model legislation backed by the technology industry emerged in Washington state. Though it never passed, that legislation, supported by Washington-based tech giants like Amazon and Microsoft, has been the model for all 18 states that have since passed privacy laws. 

The “Washington model,” as it’s called, places the burden for data privacy on consumers rather than companies, while exempting major industries like health care and finance, according to Kara Williams, legal fellow for the Electronic Privacy Information Center, a 30-year-old nonpartisan nonprofit that advocates for the right to privacy in the digital age. 

“Nothing has changed in the past four years about the data ecosystem,” Williams said. “None of these harmful practices have been reined in.”

Maryland is the recent exception. Its robust law, which EPIC ranked as the second best in the country behind California’s, passed last year and added protections not present in Pennsylvania’s draft legislation. 

Those include data minimization, which means companies can only collect data that could be reasonably used for the service provided. Flashlight phone apps couldn’t collect location data, for example. Maryland also protects minors from targeted advertising and bans the sale of sensitive data. 

Pennsylvania’s HB78, which follows the Washington model, puts the burden on the consumer to opt out of data collection, Williams said. 

The bill would require consumers to use privacy-friendly browsers like Brave, Firefox or DuckDuckGo or download an extension like Privacy Badger to Chrome. As is the case now, Pennsylvanians would still have to manage their privacy settings and agreements with apps and websites.

To Schwartz of Consumer Reports, putting that onus on individual consumers is a fatal flaw.

“Consumers interact with hundreds, if not thousands, of businesses and websites over the course of a year or so,” Schwartz said. “The idea that you’re going to individually opt out from each of them is kind of laughable at best.”

He’s also skeptical of Pennsylvania’s enforcement mechanism. Under the current bill, individuals do not have a private right of action against companies that break the law. Instead, they can make complaints to the Attorney General’s office, which would choose which complaints to enforce. Companies would then have a 60-day period to cure the error or face penalties under Pennsylvania’s unfair trade practice laws. 

The bill does not provide additional funding to the Attorney General’s office to monitor complaints or go after non-compliant companies. Attorney General Dave Sunday’s office did not respond to a request for comment on this bill.

A building block in privacy protections

State Rep. Ed Neilson, a Democrat from Philadelphia and primary HB78 sponsor, says Pennsylvania’s bipartisan consumer data privacy act is a building block for consumer protection in the digital age. 

“We are trying to get this act passed into law as the beginning platform for data privacy rights for Pennsylvanians.”

Get this bill passed, then come back and make it better – that’s the message from Neilson and Scialabba. But consumer advocates are skeptical. 

Though it’s only been a couple years since states started passing consumer data protections, few have gone back and improved the bills, Schwartz said. The states with the weakest bills haven’t gone back to fix their loopholes at all. 

Neilson and Scialabba say they have worked to get major stakeholders to support the bill, including representatives of tech companies, data brokers and state businesses.

For her part, Scialabba said she would like to make some changes to the bill, like matching up the definition of sensitive data with the previously passed Breach of Personal Information Notification Act, which sets security standards for the government and private companies while also requiring notification in cases of data breaches. But she said getting the bill passed is more important and is still supporting the bill as-is. 

Neilson first sponsored a consumer data privacy bill in 2019. The bill didn’t make it out of committee until 2023.

The office of state Sen. Tracy Pennycuick, R-Berks, did not respond to a request for comment on HB78, but noted she supported the bill last session and moved it out of the Communications and Technology Committee.

Gov. Josh Shapiro’s office also did not respond to a request for comment. He has shown support for increased regulation over data privacy. As Attorney General, he directed his office to investigate the Equifax breach that exposed data on 143 million Americans. As governor, he signed into law regulations for securing insurance data and updated data breach notification and security requirements.
