Will GAO Report Spur Action from Congress?

By The Hogan Lovells Privacy Team

Last year, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) asked the Government Accountability Office (GAO) to investigate privacy issues pertaining to companies that collect, aggregate and sell personal information about consumers. In late November, the GAO publicly released the resulting report, "Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace." The report recommends that Congress "consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information." Sen. Rockefeller is expected shortly to issue his own report on the topic, and the Federal Trade Commission is also preparing a report expected in early 2014.

What did the GAO examine, and, in the short term, how might Congress respond to the GAO’s findings and, when they are published, Sen. Rockefeller’s?

The GAO’s investigation looked at the existing statutory privacy framework in the U.S. and concluded that certain gaps exist in the statutory protections offered for consumer online privacy. Specifically, the GAO found that there are no federal laws that address the sale of personal information by information resellers. In addition, the report concluded that the current privacy framework does not fully reflect the Fair Information Practice Principles in all circumstances.

Therefore, the GAO recommends that Congress consider strengthening the privacy protections for consumer data.

Significant concerns raised by the GAO include:

  • Inadequate Access and Control: The GAO reported that "no federal statute provides consumers the right to learn what information is held about them and who holds it." The report also noted that consumers are often unable to fully control the collection or sharing of their sensitive information, such as health information, with marketers.
  • Insufficient Limitations on Collection: The GAO questioned whether existing laws adequately limit the types of personal information that online companies may collect and the permissible sources of information from which resellers and online businesses may gather personal information.
  • Outdated Laws: The GAO also considered whether the current statutory framework is outdated given the development of social media, web-tracking technologies and mobile devices. The GAO found that current privacy laws do not fully address the privacy implications that arise from these new technologies. According to the report, "no federal privacy law explicitly addresses the full range of practices to track or collect data from consumers’ online activity" or "expressly address[es] mobile payments."

The report does not, however, contain an unequivocal call for comprehensive legislation. The GAO alerts Congress to the potential adverse consequences associated with privacy laws and regulations. Congress should, the GAO cautions, design "appropriate privacy protections without unduly inhibiting the benefits to consumers, commerce and innovation that data sharing can accord."

While the GAO’s report focuses on the data broker industry, its findings and criticisms of the current U.S. framework may have an impact on the broad range of privacy debates currently underway. For instance, the report could be used to provide support for two pieces of online privacy legislation that now have bipartisan support in Congress: reforming laws affecting government access to electronic communications and expanding the protections for children's online privacy.

The House and Senate are considering companion bills that would reform the Electronic Communications Privacy Act (ECPA), which was enacted in 1986 to protect electronic communications. ECPA was written in an era where people downloaded electronic information onto their computers via screeching modems and the messages would typically be deleted from the remote servers. So it made sense to allow law enforcement to obtain stored communications without first obtaining a probable-cause warrant if the communications were over 180 days old. Those communications could reasonably be thought of as abandoned property. But in today’s world of cloud-based e-mail, the 180-day provision does not make sense. Year-old e-mails may be just as sensitive as the e-mails that just arrived in our inboxes, and we have little reason to delete them given the affordability of storage.

The companion ECPA reform bills, the Email Privacy Act (HR 1852) and the ECPA Amendments Act (S 607), would generally require law enforcement to obtain probable-cause warrants prior to obtaining any electronic communications, regardless of their age. These bills have strong support. The House bill has over 150 cosponsors, and the Senate Judiciary Committee has favorably reported the bill by voice vote. Over 100 companies, civil libertarians and former law enforcement officials also are pushing for swift passage. On Friday, December 12, a petition calling on the White House to support ECPA reform passed the threshold of 100,000 signatures, thereby requiring an official response. However, support is not unanimous. At the Senate Judiciary Committee markup, some senators raised concerns that the bill does not provide a carve-out for certain enforcement agencies, such as the Securities and Exchange Commission. Even if an agreement is reached on that issue, ECPA reform must still be reviewed by the House Judiciary Committee, get floor time in the Senate and House, and not get bogged down by controversial amendments.

Congressional lawmakers are also pushing for enhancements to the Children's Online Privacy Protection Act (COPPA). Sen. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) recently reintroduced the Do Not Track Kids Act (S 1700 and HR 3481). This legislation includes a number of new online privacy protections for children. Website operators would be required, whenever technologically feasible, to provide an “eraser button” that would allow users to delete publicly available information relating to children under 15. Online advertisers would have to obtain consent from teens aged 13 to 15 in order to collect their personal information or send them behaviorally targeted advertising. And the bill would authorize the FTC to promulgate regulations regarding the collection of geolocation information from children under 15.

The House bill has 10 cosponsors, mostly Democrats, while the Senate bill has two cosponsors, Sens. Mark Kirk (R-IL) and Richard Blumenthal (D-CT). While the addition of Sen. Kirk is a notable change this Congress, neither the House nor the Senate version of the legislation appears to be gaining much momentum as of yet.

Federal lawmakers have also already introduced bills designed to limit the extent of government surveillance and to provide greater transparency regarding the collection of information, with ongoing focus on these issues expected for months to come.

Given the general difficulty of enacting new legislation on any issue, it may be some time before we see any new privacy legislation passed into law. But the GAO report likely will fuel the efforts of privacy advocates and could intensify public calls for reform. With additional, and presumably similar, reports on the data broker industry soon to come from the FTC and Sen. Rockefeller himself, lawmakers may find themselves under new pressure to address concerns about consumer privacy issues. Additional revelations about government surveillance or the public disclosure of a significant and impactful breach might provide just enough pressure to prompt Congress to prioritize privacy next year.

The Hogan Lovells Privacy Team

Hogan Lovells and its team of 60-plus lawyers from the Privacy and Information Management Group are proud to be contributors to the International Association of Privacy Professionals’ Tracker Blog. The Privacy Team includes the likes of Harriet Pearson, Daniel Solove, Marcy Wilder and Christopher Wolf.