Meta, the parent company of Facebook and Instagram, is facing scrutiny in Europe over its data use practices. Although the US currently has no singular federal law that encompasses data privacy, the EU ruling has American companies wondering if similar laws will become commonplace in the US.
By examining current state laws, we can determine what eventual federal laws may look like. While it’s likely that the country will see more comprehensive data privacy laws, businesses can choose to leverage that possibility to their advantage by proactively offering consumer data protection, thus upholding their corporate social responsibilities while establishing their brands as trustworthy.
In April 2021, a dataset containing the personal information of 533 million Facebook users (phone numbers, locations, and birthdates) was published online; it had been scraped from the platform in 2019. In November 2022, the Irish Data Protection Commission (DPC) fined Meta 265m euros, about 276m dollars, over the breach.
Because Facebook and Instagram have their European headquarters in Ireland, the DPC takes the lead on making sure they comply with EU law, and in January 2023, the DPC fined Meta again. This time, the fine reached 390m euros – over 430m dollars.
The DPC's January fine rests on the EU's General Data Protection Regulation (GDPR), a data privacy law that went into effect in May 2018. The DPC found that the way Meta obtained users' permission to use their data for targeted advertising on Facebook and Instagram was unlawful under the GDPR.
When the GDPR took effect, Meta updated the terms of service for Facebook and Instagram so that personalized advertising became part of the contract, and users who declined the updated terms could no longer use the platforms. According to the DPC, this amounted to forcing users to consent to their data being used for targeted ads, which is not valid consent under the GDPR. Meta responded that personalized advertising is a core part of the service it agrees to provide, so processing the data is necessary to perform that contract and no ultimatum was imposed on users.
The DPC ruled that Meta has three months to change how they obtain and use data for targeted ads; however, Meta intends to appeal the decision. Additionally, according to the Irish Times, Meta set aside 2bn euros or 2.176bn dollars to cover EU fines. The appeal, coupled with allocated money specifically for data privacy fines, suggests Meta doesn’t intend to change their practices any time soon.
This decision has American companies wondering about the future of data privacy laws and how potential regulations will impact their business models.
Currently, in the US, there is no all-encompassing federal law comparable to the EU's GDPR. Instead, a mix of sector-specific federal regulations and state privacy laws governs the collection and use of consumer data. Looking at three states that have enacted comprehensive privacy laws, we can infer how an eventual federal law might affect businesses nationwide.
The California Consumer Privacy Act of 2018 (CCPA)
Gives consumers the rights to:
California Privacy Rights Act (CPRA)
An amendment to the CCPA adds the rights for consumers to:
In California, businesses subject to the CCPA and CPRA must give consumers notices that explain their privacy practices and must respond to requests to exercise these rights within set deadlines: opt-out requests must be honored within 15 business days, and requests to know or delete personal information must be answered within 45 days.
Virginia Consumer Data Protection Act (VCDPA)
Gives consumers the rights to:
The VCDPA only affects businesses that
The VCDPA also requires companies to conduct data protection assessments for personal data used in targeted advertising or sales, and businesses have 45 days to respond to consumer requests.
Colorado Privacy Act (CPA)
Gives consumers the rights to:
The CPA only affects businesses that
The CPA will go into effect on July 1, 2023, and businesses will have 45 days to respond to consumer requests.
At the federal level, a similar law would give consumers more control over how their data is collected and used. Businesses would be required to tell customers what personal data they hold about them and to let them opt out of its sale or sharing.
However, these state laws also suggest that a federal regulation would follow the same model: rights are exercised on request rather than applied by default, and businesses would have a fixed window in which to respond to each request.
In 2017, ProPublica found that Facebook advertisers could exclude users from advertisements based on race. They were able to buy rental housing ads on the platform and request the advertisements “not be shown to certain categories of users, such as African Americans, mothers of high school kids, people interested in wheelchair ramps, Jews, expats from Argentina, and Spanish speakers” – groups protected under the federal Fair Housing Act.
This example illustrates discriminatory practices resulting from data mining and targeted advertisements. Although there is no all-encompassing federal mandate for data privacy, organizations should consider their corporate social responsibility (a form of self-regulation that aims to support ethically oriented practices) to maintain ethical practices when capitalizing on users’ data.
Thorin Klosowski, the editor of privacy and security topics at Wirecutter, outlines four basic protections that data privacy laws should encompass: data collection and sharing rights, opt-in consent, data minimization, and nondiscrimination and no data-use discrimination. While data privacy laws may inspire fear in companies that rely on collecting personal information, organizations can use these four areas as a framework for operating more ethically, thus establishing themselves as a trustworthy brand.
Organizations can foster greater transparency and trust that they’re appropriately handling sensitive information by allowing consumers to request to see their collected personal data and ask that it not be sold to third parties.
In 2021, Apple received positive press for its App Tracking Transparency policy, which requires developers to obtain opt-in consent before tracking users with Apple's ID for Advertisers (IDFA). Explicitly giving users the choice to consent to tracking can build confidence that an organization has its users' interests in mind.
Data minimization means collecting only the information needed to provide a service and nothing beyond it, so a company never exceeds the bounds of user trust by hoarding excess data. It also shrinks the amount of personal information that can be exposed in a breach. Companies that practice data minimization can position themselves as dependable and honest.
Companies that clearly state they will not discriminate against individuals who exercise their privacy rights, for example by degrading service or charging more, can establish their brand as principled and ethical. Additionally, they can prevent advertisers on their platforms from targeting or excluding people based on protected characteristics.
Rather than fear future laws, organizations can treat the likelihood of more state and federal data privacy protections as an opportunity to position their brands as ethical, satisfying their corporate social responsibility and appealing to consumers concerned about the use of their personal information.
Data privacy rights are becoming an increasingly crucial issue for businesses and consumers, and the DPC's ruling against Meta highlights this problem. While organizations may fear how their business models will change with more comprehensive laws, they can leverage data privacy to their advantage by maintaining ethical practices when capitalizing on users' data.
Consumers are more likely to trust a business that is transparent about how it collects and uses personal information. Companies that adopt the principles of data collection and sharing rights, opt-in consent, data minimization, and nondiscrimination and no data-use discrimination can establish themselves as trustworthy brands while giving customers greater control over their private information. By following these guidelines, companies can make use of users' data without compromising consumer trust.