Computers, Privacy & the Constitution

Evasive Maneuvers --- How Privacy Regulations Can Cover Government Actors in the Future

-- By MorganC - 05 Mar 2024

The Current Privacy Landscape

The California Consumer Privacy Act (CCPA) and other data privacy regulations across the nation were passed with a goal in mind: to protect consumers from the extensive sharing and selling of their data by companies profiting from that personal, and often private, information without consumer knowledge or consent [https://termly.io/resources/articles/ccpa/]. Similar legislation passed in the years following the CCPA in states like Virginia, Colorado, Utah, and Connecticut [https://perma.cc/G7WL-8ADZ]. While there are variances across the different consumer data regulations, a consistency across the board is that they are considered progressive steps forward, intended to allow transparency and provide protection for their consumers [https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us].

In the time since the CCPA (now the California Privacy Rights Act (CPRA)) was passed, businesses have worked to comply with the obligations imposed, and it seems that more and more legislation aiming to protect consumer data will emerge in the coming years [https://www.ncsl.org/research/telecommunications-and-information-technology/2022-consumer-privacy-legislation.aspx]. But the successful implementation of these state privacy regulations has enabled a far more dangerous and pervasive form of collection, sharing, and sale of consumer data. It was recently revealed that the United States government has been “buying up reams of consumer data — information scraped from cellphones, social media profiles, internet ad exchanges and other open sources — and deploying it for often-clandestine purposes like law enforcement and national security in the U.S. and abroad” [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742]. This is the digital footprint that any American citizen has: “[t]he places you go, the websites you visit, the opinions you post — all collected and legally sold to federal agencies.” Id.

How Government Evades Privacy Regulations

There is considerable danger and justified discomfort in the knowledge that the United States government is quietly purchasing and collecting consumer data from companies. This data can be, and is, “used for everything from rounding up undocumented immigrants or detecting border tunnels. We’ve also seen data used for man hunting or identifying specific people in the vicinity of crimes or known criminal activity” [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742]. See also [https://www.wsj.com/articles/federal-agencies-use-cellphone-location-data-for-immigration-enforcement-11581078600]. We risk turning into an even bigger surveillance state than we already are with the government purchasing consumer data, and many of those risks are even higher for minority populations [https://www.brookings.edu/articles/examining-the-intersection-of-data-privacy-and-civil-rights/]. While consumers may be protected from (some of) the predatory sharing and sale habits of for-profit businesses thanks to the existing privacy regulatory framework, the United States government has found a way to access this information while not being subject to the requirements of the data privacy regulations specifically designed to prevent such collection [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742]. This was likely accomplished through a few means.

One, the privacy regulations apply to companies that meet certain criteria, and the government and government contractors were probably conducting business with companies that fell outside of these criteria. See id. For example, the CPRA applies “to any for-profit organization, which may do business in the State of California,” (emphasis omitted) and “applies to businesses that:

[1] Have a gross annual revenue of over $25 million in the preceding calendar year, or
[2] Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or
[3] Derive 50% or more of their annual revenue from selling or sharing California residents' personal information[.]” [https://www.termsfeed.com/blog/cpra/]

To avoid the companies who would be subject to regulations like the CPRA, these government organizations and associates need only coordinate with the businesses just outside of these parameters. For instance, the government gleans consumer data from “tiny, obscure data brokers,” with “very little public-facing presence and almost no direct consumer relationship. Some of these companies focus on consumer data. Some focus on social data. Some focus on movement data” [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742].

The second way that the government was able to get around the privacy regulations is merely by taking advantage of the functionality of the “opt-out” mechanism. These regulations offer “opt-out” provisions that require businesses that qualify under the legislation to offer consumers the option to either opt out of the sharing of their data, or to be able to see to whom their data is sold [https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/]. In the European Union, the General Data Protection Regulation (GDPR) uses an “opt-in” format that requires consumers to intentionally choose to allow their data to be collected and shared by the pages that they visit [https://secureprivacy.ai/blog/difference-beween-opt-in-and-opt-out]. In the United States, it is the exact opposite. As a result of this, more data is collected because opting into data collection is the default option [https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/]. The companies that evade privacy regulations are able to exploit this default option and collect large swaths of consumer data, and profit off of selling it to third parties such as the government and government contractors.

Closing the Gap

For current and upcoming consumer data privacy regulations to improve upon their goal of protecting consumer data and increasing transparency about where consumer data is going, future amendments and regulations should adjust the criteria for qualification under the privacy regulations and should make efforts to move our nation to an opt-in system. On the former point, the current revenue requirement should be lowered to include more businesses than it does at present. Considering the government is currently buying data from “tiny” data brokers, a smaller revenue requirement could help to include some of these parties [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742]. Alternatively, the number of residents whose data is bought, received, or sold could be reduced for the same purpose. Including for-profit businesses that receive even 10,000 residents’ personal information, instead of the current 100,000, could help to reduce the degree to which the government is able to quietly access this information. Also, moving to an opt-in system would at the very least reduce the number of people whose consumer data and private information is caught up in the share and sale data market. The conscious choice to opt into data sharing would reduce the number of people who do it, and agency could be successfully returned to large swaths of consumers [https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/]. The government has been taking advantage of the data privacy regulatory framework as it is today, but there is still time to change it to avoid an even stronger surveillance state.

You need to get the next draft under 1,000 words. You don't need all the bot-like background information. Your idea is that state privacy regulation doesn't effectively prevent federal government acquisition of available consumer data. This idea is largely correct, but beyond reiteration of the danger to "privacy" from "surveillance," there's not much more for the reader to gain by close reading.

Let's try a draft that uses links rather than scattering URLs in the text, that provides higher-value references for the reader (to actual statutes, for example, rather than to "web content" about law), and that offers specific technical and social phenomena that the reader can learn about while also learning what, from your point of view, they mean. Perhaps we can gain insight into how a regulatory system comprehensive enough to effect the environmental harms you describe could work, and how the politics of enacting it might be arranged. Any one of those would probably be a route to significant improvement over the current draft.



r3 - 25 Apr 2024 - 18:43:25 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.