![\"\"](\"http:\/\/sites.law.duq.edu\/juris\/wp-content\/uploads\/2021\/03\/Pagana-Privacy.jpg\")
<\/p>\n<\/p>\n
Photo provided courtesy by Unsplash.com.
\nBy Daniel Pagana, Staff Writer<\/p>\n
Many industries are subject to privacy laws.\u00a0 Often times, privacy law violations indicate potential criminal conduct because of the nature of certain sensitive information.\u00a0 For example, sensitive data held by the banking industry is subject to the Right to Financial Privacy Act, which \u201cprotects the confidentiality of personal financial records.\u201d[1]<\/sup><\/a>\u00a0 The Act is viewed as congressional backlash to the Supreme Court decision in United States v. Miller<\/u>. \u00a0In that case, the Court held that individuals have no reasonable privacy expectations in banking records after voluntarily turning such sensitive information over to third parties such as financial institutions.[2]<\/sup><\/a>\u00a0 The Court has also weighed in, regarding sensitive information handled by other heavily regulated industries such as health care. In a string of decisions, the Supreme Court has protected individual privacy relating to contraceptives and abortion. In other instances, the Court has limited privacy interests in health related information like the use of controlled substances[3]<\/sup><\/a>\u00a0 And of course, Congress has regulated privacy for nearly all involved in healthcare through The Health Insurance Portability and Accountability Act or (\u201cHIPPA\u201d).[4]<\/sup><\/a>\u00a0 Healthcare and banking are two of the largest industries in the US, contributing trillions of dollars to the economy, so it is unsurprising to most that they are also two of the most regulated in terms of privacy.[5]<\/sup><\/a><\/p>\n Privacy in the technology sector, specifically regarding data controlled by big tech, is the new heated debate in partisan politics,[6]<\/sup><\/a>\u00a0 It is also the area that has changed substantially over the past 20 years.[7]<\/sup><\/a>\u00a0 For example Google\u2019s privacy policy used to be only a paragraph long. That same policy is currently over 4,000 words long.[8]<\/sup><\/a>\u00a0 This is due to a change in how the company employs user data.\u00a0 Early on, the company considered use of such data only in the aggregate, but now google uses a much more sophisticated method of isolating user data.[9]<\/sup><\/a>\u00a0 Through a combination of gps data, user searches\u2014even data specific to a particular users\u2019 device\u2014google has become much better at selling its users to advertisers.[10]<\/sup><\/a><\/p>\n The debate in Congress on how to regulate tech giants is currently at a standstill, with no real comprehensive legislation materializing.[11]<\/sup><\/a> While Congress has been flat footed on the issue, the courts have been active in regulating data privacy.\u00a0 The courts dismissed alleged wiretap act claims against Google for storing and listening to user audio data.[12]<\/sup><\/a> The courts have also decided that money gained by a company that shares user data is not the same as the plaintiff losing money. [13]<\/sup><\/a>These decisions are important but not comprehensive, both decisions rely on law that does not directly apply to user data.<\/p>\n Many of these cases are being brought under the California Unfair Competition Law (\u201cUCL\u201d).[14]<\/sup><\/a>\u00a0 The UCL has been cited by plaintiffs broadly because the law \u201cprohibits business practices that are unlawful, unfair, or fraudulent.\u201d[15]<\/sup><\/a>\u00a0 However, lawsuits seeking protection from alleged data privacy violations under UCL have had little success since the law requires plaintiffs to allege money or property damages to have standing.[16]<\/sup><\/a>\u00a0 Plaintiffs thus far have not been able to convince the courts that user data constitutes either money or property.<\/p>\n The European Union has passed a comprehensive data privacy program under the General Data Protection Regulation (\u201cGDPR\u201d).\u00a0 GDPR is a \u201cregulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.\u201d[17]<\/sup><\/a>\u00a0The GDPR has provided a regulatory framework that big tech companies have been forced to acknowledge.[18]<\/sup><\/a>\u00a0 In Facebook, Inc. Sec. Litig.<\/u>, executives claimed that Facebook was almost compliant with the data privacy restrictions that the GDPR was ready to enforce.[19]<\/sup><\/a>\u00a0 Facebooks made a number of claims most notably that they do not sell data to third parties and that the user owns what they post to Facebook and control how it is being shared.[20]<\/sup><\/a> In contrast, at the time of the GDRP rollout in the EU, Facebook was engaged in the Cambridge Analytica scandal in the US which was a blatant example of Facebook selling user data to third parties.[21]<\/sup><\/a><\/p>\n Comprehensive legislation in the US has yet to come, but there have been efforts by states like California to get a data privacy bill done.\u00a0 The California Consumer Privacy Act (\u201cCCPA\u201d) is such a bill, and is modeled after the GDPR.[22]<\/sup><\/a> The CCPA requires that businesses disclose to Californians how their data is to be used.[23]<\/sup><\/a>\u00a0 It allows Californians to request that collected data be deleted and even \u201cgrants consumers the right to control selling their information to third parties via a \u2018Do Not Sell My Personal Information\u2019 link in their privacy policies.\u201d[24]<\/sup><\/a> The legislation does have its short comings. Most notably, the CCPA has been criticized as being far too broad.[25]<\/sup><\/a> It will be interesting to see how much of this legislation will be used by Congress, other states, or simply thrown out by the courts.<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n [1]<\/a>https:\/\/epic.org\/privacy\/rfpa\/#:~:text=The%20Right%20to%20Financial%20Privacy%20Act%20of%201978%20protects%20the,ruling%20in%20United%20States%20v.&text=%C2%A7%203401%2D342.-,United%20States%20v.,425%20U.S.%20435%20(1976).<\/p>\n [2]<\/a> United States v. Miller<\/u>, 425 U.S. 435, 96 S. Ct. 1619 (1976)<\/p>\n [3]<\/a> Whalen v. Roe<\/u>, 429 U.S. 589, 97 S. Ct. 869 (1977)<\/p>\n [4]<\/a> https:\/\/www.hhs.gov\/hipaa\/for-individuals\/guidance-materials-for-consumers\/index.html<\/p>\n [5]<\/a> https:\/\/www.statista.com\/statistics\/247991\/value-added-to-the-us-gdp-by-industry\/<\/p>\n [6]<\/a> https:\/\/www.csoonline.com\/article\/3429608\/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html<\/p>\n [7]<\/a> https:\/\/www.nytimes.com\/interactive\/2019\/07\/10\/opinion\/google-privacy-policy.html?mtrref=www.google.com&gwh=CC342D0A46F2C37D3BBFC548A2746984&gwt=regi&assetType=REGIWALL<\/p>\n [8]<\/a> Id<\/em>.<\/p>\n [9]<\/a> Id<\/em>.<\/p>\n [10]<\/a> Id<\/em>.<\/p>\n [11]<\/a> Id<\/em>.<\/p>\n [12]<\/a> In re Google Assistant Privacy Litig.<\/u>, 457 F. Supp. 3d 797 (N.D. Cal. 2020)<\/p>\n [13]<\/a> In re Facebook, Inc.<\/u>, 402 F. Supp. 3d 767 (N.D. Cal. 2019)<\/p>\n [14]<\/a> https:\/\/www.csoonline.com\/article\/3429608\/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html<\/p>\n [15]<\/a> In re Facebook, Inc.<\/u>, 402 F. Supp. 3d 767 (N.D. Cal. 2019)<\/p>\n [16]<\/a> Id<\/em>.<\/p>\n [17]<\/a> https:\/\/www.csoonline.com\/article\/3202771\/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html<\/p>\n [18]<\/a> In re Facebook, Inc. Sec. Litig.<\/u>, 405 F. Supp. 3d 809 (N.D. Cal. 2019)<\/p>\n [19]<\/a> Id<\/em>.<\/p>\n [20]<\/a> Id<\/em>.<\/p>\n [21]<\/a> https:\/\/www.nytimes.com\/2018\/04\/04\/us\/politics\/cambridge-analytica-scandal-fallout.html<\/p>\n [22]<\/a> https:\/\/www.csoonline.com\/article\/3429608\/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html<\/p>\n<\/h3>\n