Getty Images/Tetra images RF
Consumer data lacks the same level of protection afforded healthcare and financial data.
Strict laws like the federal Health Insurance Portability and Accountability Act and Financial Privacy Rule are intended to prevent the collection and distribution of personal healthcare and financial data. This protects sensitive information that could be used against an individual.
Consumer data, however, is not nearly as protected.
Consumer data is information collected on customers as they shop, and the volume of it is growing exponentially as technology advances and peoples' every move on the internet are tracked by their computer and their every physical move tracked by the GPS on their smartphone.
That data can be misused and made subject to online threats, just like healthcare and financial data, according to Brendan Egan, a marketing expert who is the founder and CEO of Simple SEO Group, co-founder and CEO of The Marketing Masters, and author of "101 Tips from Marketing Masters."
Congress is considering the American Data Privacy and Protection Act (ADPPA). The proposed legislation aims to better protect consumer data. But it doesn't go nearly far enough, according to Egan, who recently discussed the state of data privacy in an interview.
It doesn't clearly lay out federal guidelines the way the General Data Protection Regulation (GDPR) does in Europe and doesn't give individuals nearly enough control over whether their data can be collected and what can be done with that data.
In the first part of a two-part Q&A, Egan discussed the lack of control individuals have over their consumer data. Here in the second part, he delves into the ADPPA and what he sees as its shortcomings.
The ADPPA is up for consideration in Congress. If passed, will it improve consumer data protection?
Brendan Egan: It's a start. It doesn't matter what side of the political aisle you're on -- we know that Washington is a little slow when it comes to these things. Unfortunately, we have a lot of politicians that don't quite understand the intricacies of the internet, technology and privacy. So, in my opinion, this is politicians taking one step forward when they should be sprinting toward the finish line and trying to provide better protection of Americans' data privacy.
Essentially, it's a bill that is trying to set some guidelines in place in terms of how companies can collect and handle personal data. But the bill, in my opinion, falls a bit short in terms of really putting in place GDPR-style legislation that has strict timelines, strict penalties and strict criteria. It's a very vague bill. It's great that we're having these discussions, but this bill is only one step when we need to be sprinting.
As the ADPPA awaits consideration, what legislation already on the books protects data privacy?
Egan: The other side of this bill is that Washington's inability to act and pass sweeping legislation has led states to pass their own rules and regulations. That's a worse-case scenario, because now we're taxing businesses with having to figure out what data they collect in California versus Florida versus Texas versus Illinois. It creates this burden on businesses to not only know what they're collecting but also follow all these different laws, some of which are contradictory. When you have e-commerce businesses that are working in all 50 states and beyond, it creates a nightmare.
And that's an area where the ADPPA falls short: it doesn't address states and their own regulations. It essentially says that states are allowed to have their own laws. Businesses already have enough burdens coming out of COVID-19 and dealing with a potential recession. They shouldn't have to figure out how to collect data in all 50 states separate from federal regulation.
How does GDPR better address data privacy than the ADPPA?
Brendan EganFounder and CEO, Simple SEO Group; co-founder and CEO, The Marketing Masters
Egan: What GDPR does a very good job of is being clear in what the rules and regulations are and who they apply to. What's interesting is that GDPR doesn't just apply to businesses that are based in Europe -- the rules apply to businesses that have any sort of physical presence in Europe, that do any business in Europe, or that collect personal information from European citizens.
I could have a business in the United States and, in theory, have no intention of doing business in Europe. But if I allow someone from Europe to get on my email list or go to my website and get tracked with cookies, I could be held liable under GDPR. The ADPPA doesn't do that. This regulation also only applies to American companies. There hasn't been much thought given to how to enforce it internationally, which is a huge issue. This wouldn't, for example, in any way address TikTok, which is a China-based company partially owned by the Communist Party in China that's collecting data from U.S. citizens.
Are there positives with respect to the ADPPA?
Egan: I think it's a step in the right direction. But the concern I have is that, knowing the politicians in the United States, it will take a long time to take the next three or four steps to get data privacy where it really needs to be. It will probably be the 2030s before that happens.
Assuming the ADPPA is passed into law, what would be a good next step to better protect data privacy?
Egan: A lot of times in Washington, what we see is that a bill gets passed and Congress acts as if it has checked that box and moves on to the next issue. My concern is that will happen with data privacy. I think the next natural progression is to put in place guidelines that apply at the federal level and restrict the states from having their own stricter or more lenient requirements that burden businesses with different requirements across state lines. It should be no different than a driver's license -- it should be the same in all 50 states.
If passed, how will the ADPPA be enforced?
Egan: A lot of politicians don't understand that this isn't a brick-and-mortar issue. This is an online issue, and there are no clear borders for many of the businesses this impacts. Businesses are not only doing business across the U.S. but also, in many cases, globally. That, to me, is the biggest issue that needs to be addressed next. After that, enforcement needs to be figured out. The Federal Trade Commission has been tasked with enforcement of the ADPPA, and that may or may not be the right body. The question becomes, 'How it will be enforced?' The bill doesn't do a great job of setting up provisions for who will be overseeing data privacy and how complaints will be filed. There are a lot of holes. The bill is a good first step but leaves almost more questions than answers.
If nothing beyond passing the ADPPA is done for another three or four years, will the bill make any difference?
Egan: With a lot of laws -- whether it be drunk driving or gun regulations or something else – a lot of times, the only people that follow stricter laws are people that wouldn't break them in the first place. I have a lot of concerns that people that are doing all the right things with data will be the ones who follow the law, and it won't really change much. What it lacks is addressing the people that are doing the things that are criminal or mischievous, a lot of whom are offshore. The ADPPA doesn't establish ways for us to crack down on them.
I fear this is one of those laws to save face and say, 'Hey, we did something, and now we're going to move on from this topic.' In reality it's not going to do a whole heck of a lot.
What's your prediction for the state of data privacy three to five years from now?
Egan: I think some of the states that are traditionally a little more liberal like California and Illinois are going to pass stricter data privacy laws that are going to eventually trickle down and become some sort of federally mandated law. But I think we're quite a ways away from that because I just don't think enough politicians understand this topic. If someone is not in this space and not consulting with experts on data privacy, it's a very intricate and difficult topic to understand. Given Congress' history over the last 10 years of not being able to get much of anything done, I fear that we're five-plus years away from having some kind of meaningful data privacy regulation at the federal level.
Will it take a generational shift in Congress, with those now too young to serve but who grew up with smartphones and tablets being ubiquitous coming of age, for there to be meaningful data privacy legislation?
Egan: Even a 20- or 30-year-old, if they don't have a background in this, will find it hard to understand. While it will help, I don't think it will fully solve the issue.
I honestly think it will take some kind of massive event for us to be awoken. There was a story recently about TikTok logging users' data in the app and in the in-app browser, so who knows how much data China has collected on us? I think it's going to take some sort of large-scale geopolitical threats, hacking or takeover of a water system -- all these things that are worst-case scenarios. It often takes a large catalyst for us to take action, and I think, unfortunately, this is going to be no different.
We've focused on pending legislation, but is there anything individual consumers can do to better protect their own data privacy?
Egan: This is an issue that a lot of people don't think about on a daily basis and don't realize how important an issue data privacy is. We all have alarm systems on our house and blinds on our windows, and we're used to shredding paper. But we don't think about what data is being collected about us. We think about our credit cards and bank accounts needing to be secure. But we don't think that maybe it's not good if the Chinese government knows everything our kids are doing on their iPad or their personal information from TikTok. All that data amassed about us that gets in the wrong hands can lead to some really bad things.
I think it's something individuals need to start thinking about. If enough individuals demand action on this and stop using things that don't have the right data collection and privacy policies, we may see consumers be able to demand a shift and affect what the government passes in terms of regulations.
Editor's note: This Q&A has been edited for clarity and conciseness.