By Rebecca Rakoski, Esq.
Mon | Mar 8, 2021 | 11:37 AM PST

Rich and versatile consumer data is arguably the holy grail for cyber attackers and part of the main event when it comes to data breaches—from small companies that made up nearly 28% of all data breaches in 2020 to large organizations like the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Department of the Treasury. Additionally, corporate giants like Microsoft, Cisco, Intel, and Deloitte were all impacted by some measure in the SolarWinds attack.

Yet, in no small part, nearly every action taken by consumers in the marketplace requires them to input personal or semi-personal data about themselves. One thing is clear: the current state of domestic laws and regulations addressing consumer data protection will not solve this issue.

Now, I am sure that you are questioning an attorney not thinking laws are enough; I know I would probably be too. Fundamentally, the laws and regulations are one of the best, if not the best, methods to encourage organizations to address data privacy and cybersecurity. The threat of non-compliance enforcement looms heavy. But these laws must incorporate principles that respect ethical data collection practices to be truly effective.

Current questionable data practices

If COVID-19 has shown us anything, it is that businesses can adapt and thrive in nearly any environment. One of the ways these businesses have adapted is they have incorporated new technologies to maximize profits in the current landscape. For example, by taking patient data and using it for things like research and development, businesses, particularly those in healthcare, can utilize that data and maximize innovation. On the surface, this looks to be a noble cause, but is not likely what patients envision when they consent to giving their protected health information (PHI) to a healthcare provider. Notwithstanding, there are already laws like the Health Insurance Portability and Accountability Act (HIPAA) that protect against this type of data use—or so you would think.

Roughly 25 years have gone by since HIPAA was first passed. The goal, of course, was to provide individuals more control and transparency over their individual health records. Part of that control, however, meant that healthcare providers had an obligation to protect PHI after medical treatment. HIPAA did not allow free sharing of PHI but restricted sharing and viewing of PHI to those individuals on a "need to know" basis unless the patient consented to a particular use of the data.

So the idea that major hospital systems can pool together and sell access to patient data is a curious notion indeed. But a new entity (Truveta, Inc.) plans on doing that very thing. By essentially anonymizing the data, it would take that same data out of the purview of HIPAA. In fact, Truveta has stated outright that the data will not contain information which may identify individual patients. Putting my attorney hat back on, one assumes that means everything is alright and the case is closed. Well, we all know what happens when we use the word assume in any legal context.

A prime example of a new and questionable data collection practice is springing up from the area of COVID vaccinations. When the Trump Administration hurriedly entered into partnerships with retail pharmacies to distribute the long-awaited COVID vaccines, it was touted at the time as a significant achievement in getting more people across the country vaccinated. A practical decision at the time, for sure, but in order to schedule a shot, most of the pharmacies ask you to create an account. The account would include the rich and versatile consumer data mentioned earlier, like an individual's name, date of birth, phone number, address, gender, and email address. To be clear, this information does not include health information, but it most certainly constitutes personal data that the pharmacies can use in marketing campaign promotions or for any other purpose disclosed in the company's privacy policy. While admittedly some may say it is a small price to pay, why should American consumers be forced to turn over private information simply to receive a life-saving vaccine?

All told, it should not, and does not have to, be an either/or question. It is simply not too much to ask that, in implementing such a life-saving distribution, privacy rights be part of the discussion, so that the system is workable on its face without taking cybersecurity for granted or, more to the point, taking advantage of consumer insecurities on the back end.

What is the solution?

Looking to Europe, the General Data Protection Regulation (GDPR) goes much further in protecting personal data than any current, or even proposed, data privacy laws in the United States. Unlike domestic data privacy laws (HIPAA included), the GDPR requires organizations to use the most stringent privacy settings by default (Privacy by Default, Art. 25) and limits data usage to six lawful bases, including consent given, vital interest, and legal requirement (Art. 6). The GDPR would potentially prevent hospitals from taking data, even anonymized data, and using it for another purpose. Businesses are also not allowed to simply change a privacy policy or terms of service to allow themselves to use the data for whatever purposes they see fit. In sum, the GDPR infuses much-needed ethics into data collection and data use practices.

Even the new GDPR-like domestic laws do not accomplish that goal. For example, Virginia recently passed the Consumer Data Protection Act (CDPA, SB 1392). It applies to companies that process personal data of at least 100,000 consumers or derive 50% of gross revenue from the sale of personal data. The CDPA also exempts two large categories of personal data: healthcare data, and financial data used to determine an individual's creditworthiness. Unlike the GDPR, the CDPA and the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) have threshold requirements, i.e., they don't apply to all businesses, and they have carve-outs like the healthcare data exemption.

So while it seems on the surface that these laws have us moving in the right direction, they are still a far cry from the comprehensive data protection the GDPR affords to all data of all consumers. These laws are a good start, but make no mistake, there is still work to be done and lots of refinements ahead.

Let ethics be our guide

There is little doubt that technology is growing in leaps and bounds. We are constantly faced with ways technology is making our world better. Most of us, though, have at some point asked the eternal question: but at what cost? Misuse of data, or unintended use of data, should be the exception and not the rule. Too many instances have crept into the news where this has not been the case.

Practices where companies collect data for one purpose and use it for another should be addressed in every data privacy law, and those laws should apply to all data practices. A company should not financially benefit from a consumer's data without the consumer's knowledge, consent, and/or compensation. The continued free flow of consumer dollars in the marketplace demands that consumers feel confident in their transactions and are not left doubting whether they have been had in some way when it comes to their privacy and personal information. Laws like the GDPR empower consumers to have control over their data through the ethical principles of consent, transparency, and accountability. This empowerment ultimately keeps consumer transactions up and business profitability models moving in a positive direction.

The CCPA, CPRA, and CDPA are without reservation steps in the right direction, but they simply should go further. Unless and until domestic laws provide consumers real control over their data, the states are just substitutes for that accountability over data collection and use practices. For a nation that fiercely values its freedoms, it seems as if we sometimes prioritize convenience over privacy for the sake of expediency. The two do not have to be mutually exclusive, and both can coexist even in the face of what we deem desirable or prudent.

Empowering the consumer to feel confidence and ease in spending their hard-earned dollars and providing a secure practical framework for businesses to operate that does not take advantage of consumer privacy or trust is just good business. A classic win-win for everyone involved in the transaction, and one which moves closer to the real endgame for most businesses: repeat consumer spending.