Framing a privacy right: Legislative findings for federal privacy legislation

US Congress

Since debate on privacy legislation began in earnest following the 2018 midterm elections, members of Congress have released over 20 comprehensive information privacy bills or drafts. Most of these bills do not include proposed legislative findings or statements of policy that explain the overarching foundations of the legislation. Such declarations are primarily rhetorical rather than operational, but this rhetoric can serve several important functions. In this light, as the House and Senate and a new presidential administration prepare for the 117th Congress, we are proposing a set of legislative findings for federal privacy legislation as a template for the coming debate.

A handful of bills, like Sen. Kirsten Gillibrand’s (D-N.Y.) Data Protection Act and Sen. Sherrod Brown’s (D-Ohio) Data Accountability and Transparency Act, include statements of legislative findings or policy—but the majority do not. Most notably, legislative findings are absent from the bills that are the most likely starting points for legislation in 2021: Sen. Maria Cantwell’s (D-Wash.) Consumer Online Privacy Rights Act, Sen. Roger Wicker’s (R-Miss.) SAFE DATA Act, and the House Energy and Commerce “bipartisan staff draft” (although the latter does include a bracketed placeholder).

These omissions are understandable. The core provisions of privacy legislation present plenty of challenging and contested issues that we explored in our report “Bridging the gaps: A path forward to federal privacy legislation” last June. That report analyzed the Wicker and Cantwell bills in particular and suggested ways to reconcile differences, including on the polarized issues of preemption and private right of action. To make our recommendations concrete, we also drafted complete legislative text. Complete, that is, except for legislative findings. Like the House bipartisan staff draft, our proposed legislative text put in only a placeholder. The “Bridging the gaps” report commented briefly on the significance of findings and referred to “an ongoing project” on the content of such findings. Here, we introduce legislative findings and policy statements as the end product of that effort. They seek to provide an overarching foundation for our June report, and to fill in the placeholders in the draft privacy legislation. We hope to motivate further discussion about articulating the foundational principles and aims of privacy legislation.

“Legislative findings present an argument for a bill that can help build congressional and public support.”

Legislative findings present an argument for a bill that can help build congressional and public support. More significantly, they build a record of congressional intent that can guide interpretation by courts, administrative agencies, and affected parties, as well as enunciate grounds to uphold legislation against constitutional challenges. Such a record will be significant for the inevitable challenges to privacy legislation, especially on First Amendment commercial speech protections or Article III standing questions. As Congress continues to debate privacy legislation going into 2021, legislative findings will provide an opportunity to make a statement about the significance of privacy—one that can not only inform judges, regulators, and lawyers applying a privacy law, but can also declare American values to the world.

What do legislative findings accomplish?

Writing for the University of Chicago Law Review, Brigham Young University law professor Jarrod Shobe conducts a rare and thorough study of the use and legal significance of legislative findings and purposes in enacted statutes. In a review of 30 years of legislation appearing in the Statutes at Large, the chronological collection of laws passed by Congress, Shobe finds that the majority of “significant bills” included findings. Nevertheless, he points out, courts and legal academics have given them little attention. This judicial omission is wrong, he argues, because “[e]nacted findings and purposes are law just like any other law, and there is no reason why they should not be given the full weight of the law.”

Shobe points to institutional reasons for the underestimation of legislative findings: they are often published only in the Statutes at Large, stripped out when legislation is codified in the United States Code, and discouraged by the House and Senate Offices of Legislative Counsel. In short, this omission does not indicate a lack of legal import, but rather reflects a mere matter of practice by the Office of Law Revision Counsel, a nonpartisan congressional office charged by statute with “[c]lassifying newly enacted provisions of law to their proper positions in the Code.” If Congress wants its text to matter, perhaps it should change this practice of relegating enacted findings and purpose statements to either hard-to-find statutory notes or the Statutes at Large.

The U.S. Capitol building exterior is seen at sunset as members of the Senate participate in the first day of the impeachment trial of President Donald Trump in Washington, U.S., January 21, 2020. REUTERS/Sarah Silbiger. TPX IMAGES OF THE DAY

Privacy Bridging the gaps: A path forward to federal privacy legislation

Cameron F. Kerry, John B. Morris, Caitlin Chin-Rothmann, Nicol Turner Lee

FILE PHOTO: An election worker places mail-in ballots into a voting box at a drive-through drop off location at the Registrar of Voters for San Diego County in San Diego, California, U.S., October 19, 2020. REUTERS/Mike Blake/File Photo

Technology & Information By passing Proposition 24, California voters up the ante on federal privacy law

Cameron F. Kerry, Caitlin Chin-Rothmann

November 17, 2020

Professor Shobe’s groundbreaking argument makes sense. The late Supreme Court Justice Antonin Scalia’s most accepted contribution to American law has been the significance of textualism in statutory interpretation (not to be confused with a second and more debated Scalia contribution, originalism in constitutional interpretation). From his first term on the Supreme Court, Scalia waged a battle against use of legislative history to interpret statutes, dismissing statements of sponsors and even committee reports as irrelevant to the meaning of the text and a dubious reflection of the intent of Congress as a whole. As a result, as Jonathan Siegel puts it, “[w]e are all textualists now compared with the 1960s and 1970s.” As Shobe points out, legislative findings are a different order of congressional statement. “The text is the law,” Scalia argued—and legislative findings adopted by Congress are an integral part of that text, enacted by the full Congress the same as the other parts of a bill.

The need for legislative findings in privacy legislation

Legislative findings will matter in privacy legislation. Privacy legislation addresses the use of personal information, and any legislation that regulates information may implicate the First Amendment. The Supreme Court has extended First Amendment protection to encompass commercial speech, in particular advertising and marketing, albeit under a more lenient standard than for non-commercial speech. Under this standard, any government restrictions on commercial speech must “directly advance” a “substantial” government interest, whereas restrictions on other speech must be “narrowly tailored” to interests that are “compelling.” Commercial speech cases raise questions for how privacy legislation may limit businesses that share personal information with third parties, track and profile online users for advertising and marketing, serve ads based on personal information, and collect and disseminate information that may be considered public. Inevitably, some of these issues will become judicial questions.

In particular, the Supreme Court’s 2011 decision in Sorrell v. IMS Health may increase the likelihood that limitations on advertising and marketing resulting from privacy legislation will be challenged on First Amendment grounds. The Sorrell decision resulted from a Vermont law that prohibited pharmacies from disclosing information that links doctors with drug prescriptions to “data miners,” and barred pharmaceutical manufacturers from using such information to contact doctors for marketing purposes. The Court saw the statute as discriminating against these pharmaceutical manufacturers and marketers on one hand, while others were allowed to use the same prescription information for non-marketing purposes. It therefore struck down the statute under the stricter standard that applies to discrimination in expression (but said the same result would apply under the more lenient commercial speech standard).

Cvr: Turning Point

Technology & Information Turning Point

Darrell M. West, John R. Allen

This narrow rationale was complicated by the statute’s confusing history—leaving the impact of the Court’s decision on privacy limits open to interpretation. Notably, the Court contrasted Vermont’s narrowly-targeted law with the broader protection of the Health Insurance Portability and Accountability Act (HIPAA) and suggested that a HIPAA-like statute “would present quite a different case than the one presented here.” Even so, the potential impact of privacy legislation on commercial speech has been raised in the privacy debate, and challengers would likely cite Sorrell as support for their claims. Indeed, a Maine law establishing privacy requirements specifically for broadband providers is being challenged on the theory that it discriminates among First Amendment speakers, and facial-recognition systems provider Clearview AI is defending a suit under Illinois’s Biometric Information Protection Act on similar grounds. Legislative findings will help to meet the Supreme Court’s effective guidance in Sorrell—that Congress should explain the broad societal goals that baseline privacy legislation seeks to address.

Privacy legislation also needs to address the Supreme Court’s Spokeo v. Robins 2016 decision on standing. This class action case was brought under the first federal privacy statute—the Fair Credit Reporting Act of 1970—by a plaintiff who alleged that a “people search engine” used to assess individual credit contained inaccuracies and sought damages. The Court sent the case back to the lower courts to determine whether allegations of intangible harm were “particularized” and “concrete” enough to meet the requirement of a case or controversy to sue in federal court under Article III of the Constitution. In discussing these requirements, the Court noted that injury to rights like free speech and free exercise of religion can be concrete for these purposes even though they are abstract. Although the Court ruled that not every inaccuracy or procedural violation under FCRA amounts to concrete harm, it acknowledged that when considering “whether an intangible harm constitutes an injury in fact, both history and the judgment of Congress are instructive.” The Spokeo decision specifically recognized that “Congress is well positioned to identify intangible harms that meet minimum Article III requirements …” This directly invites Congress to identify and articulate privacy harms.

“Legislative findings in privacy legislation will amount to a congressional brief to the Supreme Court.”

In the context of issues like these, legislative findings in privacy legislation will amount to a congressional brief to the Supreme Court that can articulate “substantial” or “compelling” interests—and how the statute directly advances these interests as well as limits harms that privacy violations can cause to individuals. With the force of law, such a brief would be far more persuasive than any “appellate counsel’s post-hoc rationalizations for agency action.”

Our proposed legislative findings

With these considerations in mind, we have drafted a set of legislative findings and policy conclusions to anticipate and address these likely challenges. Our proposal is intended to inform interpretation by courts, the Federal Trade Commission, and the many other parties that would apply privacy legislation and need to understand congressional intent. These proposed findings are more expansive and detailed than what is typical in most legislation (though far more concise than the 173 recitals and 31 pages that explain the European Union’s General Data Protection Regulation). Unlike Members of Congress, however, we do not seek to win the votes of a majority of colleagues or to declare a set of conclusions. Instead, as think tank scholars, our goal is to provide a comprehensive outline for Congress and stakeholders to consider, and arguments to back up the recommendations in our June report. We leave it to Congress to distill such ideas into punchy declarations about enacted legislation as the privacy debate builds on current bills in the next Congress.

In drafting these suggested findings, we have drawn wherever possible on existing declarations in enacted legislation. Endnotes to the suggested language indicate these and other sources of the language.

The findings below contain five segments. We begin with a brief statement of the legal, moral, and historical foundations of privacy in America, demonstrating that privacy is a value deeply embedded in American law and society and describing some of the history that the Supreme Court alluded to in Spokeo. Second, we cover recent technology developments that underlie the need for legislation, especially the explosion of data and widespread collection and sharing of personal information, as background for legislative purposes.

“Privacy is a value deeply embedded in American law and society.”

The third and fourth segments lay out these purposes. The third identifies effects of these developments that privacy legislation aims to address and the fourth explains how it aims to address them. Finally, we conclude with a set of policy declarations that express key governmental objectives (which may be somewhat broader than the findings and specific provisions of the legislation), as Congress did in both the Fair Credit Reporting Act of 1970 (FCRA) and “Section 230” of the Communications Act of 1934, as amended (47 U.S.C. § 230). FCRA was a foundational national privacy law not only in the United States but around the world, and Section 230 is aimed at some of the same sectors most affected by privacy legislation. The proposed findings address reasons for the potential compromises framed in our “Bridging the gaps” report: tailored federal preemption, individual rights aimed at recognized privacy harms, and a graduated approach to risk and obligations centered on duties of loyalty and care that balance prescription and flexibility.

PROPOSED FINDINGS

The legal, moral, and historical foundations of privacy in America

The right to privacy is a personal and fundamental right protected by the Constitution of the United States. 1
Americans cherish privacy as an essential element of their personal and social lives, and our system of self-government. 2 It serves essential human needs by sheltering zones for individual liberty, autonomy, seclusion, and self-definition, including the exercise of free expression; for family life, intimacy and other relationships; and for physical and moral space and security, among other values. 3
Privacy also advances societal interests in the protection of marginalized or vulnerable individuals or groups, the safeguarding of foundational values of democracy, and the integrity of democratic institutions and processes including elections. 4
The United States has protected aspects of privacy since the Nation’s founding. The Constitution protects various privacy interests through the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments, 5 and protection of individual privacy helps enable the exercise of these fundamental civil rights and fundamental freedoms of all Americans. 6
The United States has a history of leadership in privacy rights since that time. It enacted some of the first privacy laws anywhere beginning in the 18th century, 7 it gave birth to the legal concept of a “right to privacy” in the 19th century 8 and, in the 20th century, it adopted one of the first national privacy and data protection laws 9 as well as “fair information practice principles” that influenced laws and privacy practices worldwide. 10 The United States should continue to be a leader in protecting privacy rights in the 21st century.
The right to privacy is widely recognized in international legal instruments that the United States has endorsed, ratified, or promoted. 11

The development of a digital information society and economy

Throughout the Nation’s history, economic growth, opportunity, and leadership have been propelled by technological innovations. In the 20th century, digital and communications technologies and networks have become integral to economic competitiveness, social and political discourse, and the flow of information, ideas, and innovation in the United States and around the world. 12
The expansion of computers, Internet connectivity, mobile telephones, and other digital information and communications technology has magnified the risks to individuals’ privacy that can occur from collection, processing, storage, or dissemination of personal information. 13
Digital network connectivity has become essential for full engagement in modern life.
As of 2019, more than 90 percent of Americans possess mobile telephones and approximately 80 percent own smartphones equipped with powerful computers, immense storage capacity, arrays of sensors, and the capacity to transmit information around the globe instantaneously. 14 Many individuals use these devices continuously and store on them a digital record of nearly every aspect of their lives. 15
An increasing number of individuals have smart consumer devices such as automobiles, televisions, home appliances, and wearable accessories that collect, process, and transmit information linked to these individuals and their activities.
In addition to these personal devices, a growing number of interconnected sensors in public spaces collect, process, and transmit personal information linked or linkable to individuals, often without their knowledge or control. The number of such devices is likely to expand faster with increased deployment of smart public and private infrastructure and systems and advances in network technology.
These ubiquitous and always-connected devices have exploded the volume and variety of personal information collected, stored, and analyzed by a wide variety of entities. Such information is often available not only to service providers with which the individuals affected have some relationship, but also to networks of applications providers, websites, advertisers, data brokers, and additional parties that are able to collect, process, and transmit the information for purposes that may be unexpected and unrelated to the reason for which this information originally was shared or collected.
The aggregation of personal information from many different sources across these networks, coupled with the increasing power of data science, enables a wide variety of entities to make connections, inferences, or predictions regarding individuals with levels of power and granularity far beyond what individuals linked to this information reasonably know or expect. These include the ability to link information to specific individuals even in the absence of explicit identifying information, and to derive conclusions about individuals that are sensitive to a reasonable person.

The impact of information technology on individuals

Surveys demonstrate that most individuals do not read or understand published privacy policies. 16
Even if they do, the increased velocity, complexity, and opacity of data collection, aggregation, and use have rendered individual control or consent a futile exercise.
Numerous surveys of consumer attitudes on privacy and security also indicate that a majority of Americans lack confidence in industry to handle personal information and keep it secure, and also believe they lack control and knowledge of information collected about them. 17
Some use of personal information in advertising and marketing provides benefits to businesses and consumers by disseminating information about products, services, and public issues; supporting the delivery of news and other content; and enabling free services. However, increases in precise targeting of individuals and automated advertising exchanges have enabled sharing of personal information for advertising that can be unwanted, intrusive, manipulative, discriminatory, or unfair.
With the development of artificial intelligence and machine learning, the potential to use personal information in ways that replicate existing societal biases has increased in scale. Algorithms use personal information to guide decisionmaking related to critical issues—such as credit determination, housing advertisements, and hiring processes—and can result in differing accuracy rates among demographic groups. 18 Such outcomes may violate federal and state anti-discrimination laws or result in diminished opportunities for members of some groups. The covered entities that use these algorithms should have the responsibility to show that the algorithms do not cause discriminatory effects.
The majority of Americans have experienced losses of personal information linked to them due to data breaches that have occurred at numerous businesses and institutions. 19 Personal information increasingly is a target of malicious actors, including nation-states and organized criminals anywhere in the world.
The aggregation of increasing volumes of data among many different entities expands the attack surface exposed to malicious actors in cyberspace and the availability of personal information to such actors.
The risks of harm from privacy violations are significant. Unwanted or unexpected disclosure of personal information and loss of privacy can have devastating effects for individuals, including financial fraud and loss, identity theft and the resulting loss of personal time and money, destruction of property, harassment, and even potential physical injury. 20 Other effects such as reputational or emotional damage can be equally or even more substantial.
Individuals need to feel confident that data that relates to them will not be used or shared in ways that harm themselves, their families, or society. 21
As with all forms of commerce, trust is an essential element for broad consumer use and acceptance of goods and services offered in the digital economy, and a growing lack of trust in online services harms the interstate and foreign commerce of the United States. 22 Trust is also important to social and political discourse, and a growing lack of trust in online communications impairs American democracy and society.

The need for federal privacy legislation

As enterprises use technology to collect, retain, and process more and more personal information, laws and regulations protecting individual privacy must keep pace to protect users and businesses and sustain the Nation’s digital economy and society.
Current laws and regulations governing the use of personal information do not sufficiently protect individual privacy because they do not cover many new and expanding types of information and uses of such information.
In addition, they rely substantially on “notice and choice” for individuals. This places the burden of protecting privacy on individuals instead of on the companies that use and collect data, and permits the companies to set the boundaries for what information they collect and how they use or share it, with little meaningful understanding on the part of the individuals whose data is collected.
Entities that collect, use, process, and share personal information should be subject to meaningful and effective boundaries on such activities. They should be obligated to take reasonable steps to protect the privacy and security of personal information, and to act with loyalty and care toward individuals linked or linkable to such information. 23
Privacy risk and harms must be mitigated and addressed up front, because in the digital era, data harms are often unforeseen and compounded almost instantaneously. Information leakage usually cannot be undone, and it is often difficult to make victims of privacy harms whole after the fact.
There is a need for a national solution to ensure that entities that collect, process, and transmit personal information do so in ways that respect the privacy interests of individuals linked or linkable to that information and do not cause harm to these individuals or their families and communities. 24
States have a patchwork of differing laws and jurisprudence relating to the privacy of their citizens. A robust and comprehensive federal privacy law will ensure that all Americans have the benefit of the same privacy protections regardless of where they live and can rely on the entities they deal with to handle personal information consistently regardless of where these entities are located.
The need for consistent federal privacy protection is heightened by the interstate and global nature of the information economy in which few online products and services are targeted toward specific states. Instead, many such services are offered to users anywhere in the United States (and often around the world) who can access the Internet. 25 Consistent federal privacy protection will facilitate entry and competition in interstate commerce for millions of small businesses for which compliance with multiple state laws could present barriers to entry.
Consistent and robust data security practices will enhance the privacy of individuals as well as the collective security of U.S. information and communications networks.
Privacy laws must be backed by strong enforcement agencies and tools. To provide such enforcement, the Federal Trade Commission needs adequate resources and legal authority at least equal to that of other leading privacy regulators, reinforced by authorized state officials. 26
Individuals should have recourse through the federal courts for privacy harms that have been commonly compensable under existing laws, including anti-discrimination laws, as well as violations of federal privacy law that cause “actual” harm.
Technology will continue to evolve and change. Any new privacy laws therefore must be flexible and technology-neutral, so that the laws’ protections may apply not only to the technologies and products of today, but to those of tomorrow.
A comprehensive federal privacy law will enable the United States to take steps toward ensuring that Americans’ privacy is appropriately protected internationally, while increasing the flow of information and promoting greater trust in American commerce abroad.

“Any new privacy laws must be flexible and technology-neutral, so that the laws’ protections may apply not only to the technologies and products of today, but to those of tomorrow.”

PROPOSED POLICY STATEMENTS

In order to protect the privacy of individuals, it is necessary and proper for Congress to regulate the collection, use, processing, and sharing of personal information. 27
There is a compelling national interest in providing meaningful and effective boundaries on the collection, use, storage, and sharing of personal information so all individuals linked or linkable to such information have a basis to trust that such information will be handled in ways consistent with their privacy and other interests.
There is a compelling national interest in empowering individuals through meaningful and effective rights with respect to personal information linked to them so that those individuals who want to can ensure this information is used and shared in ways consistent with their privacy and other interests.
It is the policy of the United States to provide a consistent national approach to the collection, processing, storage, and sharing of personal information, but also to preserve the existing fabric of state and local statutory and common law protecting privacy to the extent it does not interfere with the comprehensive operation of federal law.
It is the policy of the United States to provide individuals with meaningful remedies for privacy harms, whether those harms are financial, physical, reputational, emotional, or other kinds; and to ensure that an exclusive federal remedy for violation of privacy rights vindicates interests that have long been protected by other privacy laws.
It is the policy of the United States to ensure that protections for users’ privacy can remain up-to-date, and continue to evolve as technology, innovation, and services—and risks to privacy—evolve.

The Brookings Institution is a nonprofit organization devoted to independent research and policy solutions. Its mission is to conduct high-quality, independent research and, based on that research, to provide innovative, practical recommendations for policymakers and the public. The conclusions and recommendations of any Brookings publication are solely those of its author(s), and do not reflect the views of the Institution, its management, or its other scholars.

Brookings recognizes that the value it provides is in its absolute commitment to quality, independence, and impact. Activities supported by its donors reflect this commitment.