Congress Has a Thing or Two to Learn From These State Privacy Laws
When Congress feels the need to compromise Americans’ privacy in the name of security—as in the case of the Patriot Act in 2001 or the Cybersecurity Information Sharing Act last month—it moves remarkably fast. When it comes to protecting Americans’ privacy from the inexorable advancement of data collection and law enforcement technologies, on the other hand, it seems to act with no such urgency.
Now a collection of state legislators are tired of waiting. Last Wednesday, 16 states’ lawmakers, with the advice and coordination of the American Civil Liberties Union, introduced bills designed to shore up Americans’ privacy on a long list of issues that federal lawmakers have either ignored or allowed to become paralyzed in Congress’s endless gridlock. That collective legislative push, which the ACLU is calling Take CTRL, addresses everything from student and employee privacy to new police surveillance techniques.
The bills, together, would cover more than a 100 million Americans, by the count of the ACLU’s advocacy and policy counsel Chad Marlow. But he also hopes they might spur—or shame—Congress into action at the federal level. “What we were hearing more and more from people is that their privacy is being violated and taken for granted, and the federal government isn’t doing anything about it,” says Marlow. “The impact of these bills [on their own] would be dramatic. But if the states’ acting finally lights a fire under Congress and gets them to move, that would also be extraordinarily valuable.”
On practically every issue they cover, the new state bills would represent new measures limiting the collection, sharing or storage of data types that Congress has yet to address. In some cases, they also highlight how certain states, namely California, are already ahead of the feds on protecting Americans’ personal data. Here are the central ways the 16 states are trying to advance those new privacy protections:
In 2010, a school in the Philadelphia suburbs made national headlines for using a school-issued laptop’s webcam to spy on Blake Robbins, a student, in his home. The school went so far as to try to discipline Robbins for unexplained “inappropriate behavior” it caught via that snooping. Robbins’ family sued and eventually received a $610,000 settlement.
A bill in Minnesota and the District of Columbia would extend the lesson of that ruling to all sorts of data collection, preventing schools from gathering information like web browsing histories or emails sent from school-issued loaner devices. Another bill in Minnesota, Alabama and Nebraska would limit how all data that a school collects about a student can be stored or shared. This kind of information is myriad. For instance, schools collect data points ranging from how many gold stars or demerits a student receives to whether they required special counseling or free lunches. Under the proposed law, none of that could be handed over to a third party without the student’s or parent’s consent.
Since around the beginning of the decade, job applicants have been alarmed to find that some potential employers demand that they share access to their private social media accounts—whether by giving up a password or simply accepting a Facebook friend request. Dozens of states have already considered and in some cases passed legislation to protect job applicants and employees from that kind of intrusive demand. Bills introduced this week in Alaska, Hawaii, Michigan, Missouri, Minnesota, Nebraska, North Carolina, and West Virginia would add those states to the list. Most of those bills, and another in Washington, DC, apply the same protection to students whose teachers demand access to their social media secrets, too.
The surveillance gadgets known as cell-site simulators or “stingrays” have a controversial reputation: The law enforcement devices, which impersonate a cell tower to intercept phone communications, also slurp up the data of any unwitting bystander near the target, and have been used to track suspects’ calls and location in many investigations without a warrant. California has already passed a law that would require cops to get a warrant for any stingray use, and the Department of Justice also announced last year that it won’t let federal agencies use the devices without a warrant. Now Illinois and Michigan have both introduced their own state-level bills that would restrict stingrays, requiring a warrant for their use, demanding that all data not related to the target be deleted the same day it’s collected, and prohibiting the devices from being used to install spying software on the target device. A third bill in Nebraska goes further: It would outlaw the use of stingrays altogether.
Police have argued that automatic license plate reader cameras merely collect public information: the digits on a license plate and the car’s location. But with enough cameras installed in enough locations, the systems make it possible to track the car-based movements of entire populations of people in detail. Wednesday’s new bills include legislation in Nebraska and Michigan that would limit the use of the readers, the latest of dozens of states that have introduced laws to either restrict how the cameras are used or put a time limit on how long the data from them can be stored. (New Hampshire has banned the technology outright.) “When you create a record of where every person is driving, that can include an AA meeting, a church, a synagogue, or a mosque. When you know where someone drives, you know a lot about them,” says the ACLU’s Marlow. “You can’t collect data on everyone just because anyone could be a criminal.”
The Electronic Communications Privacy Act is overdue for an overhaul. The 30-year-old law was created to extend protections against unconstitutional wiretaps to digital communications. But ECPA’s still stuck in the ’80s, long before lawmakers imagined today’s cloud-based services full of personal data. Under the law, for instance, any email stored in a third party server—think Gmail or Hotmail—for more than 180 days is considered “abandoned” and subject to collection by law enforcement without a warrant. Last year, California passed its own update to ECPA, requiring that law enforcement get a warrant before it seeks any digital communications or location data from a third-party service. Congress is considering ECPA reform, too, with a pair of bills introduced last year—the second year in a row that the bills have been introduced without reaching a vote. Now Minnesota, New Mexico, New York, Virginia, Massachusetts, New Hampshire, and North Carolina are all proposing their own variations on an ECPA reform bill to protect stored data. If Congress doesn’t fix ECPA, these states may do it themselves. “These are big states. If they move along with California, you’d have significant portions of the country covered by high standards for law enforcement access,” says Chris Calabrese, a policy analyst at the Center for Democracy and Technology. “That begins to change the discussion.”