Comments to the National Telecommunications and Information Administration (NTIA) on the intersection of privacy, equity and civil rights

March 6, 2023

National Telecommunications and Information Administration

1401 Constitution Ave NW,

Washington, DC 20230

Re: Privacy, Equity, and Civil Rights Request for Comment, NTIA-2023-0001

Submitted Electronically

The R Street Institute respectfully submits these comments in response to the National Telecommunications and Information Administration (NTIA) request for comments, published Jan. 20, 2023, addressing issues at the intersection of privacy, equity and civil rights.

At the R Street Institute (R Street), we believe examining and discussing the issues at the intersections of privacy, equity and civil rights is important in ensuring the protection of individual rights and liberties in an ever-evolving technological landscape. The NTIA’s previous listening sessions illuminated the complex problems facing marginalized or disadvantaged communities and helped inform and guide our comments. We believe a comprehensive federal data privacy and security law is essential for addressing these issues.

1. Context

In the midst of a digital revolution, technological innovation has thrived, resulting in significant growth of the data economy. However, unlike many other countries, the United States operates without a comprehensive federal privacy and security law to protect individuals from potentially harmful data collection practices.

The R Street Institute’s Cyber Team undertook a year-long study of the roadblocks to passing comprehensive federal data privacy and security legislation, which focused on preemption, the role of the Federal Trade Commission (FTC) and a private right of action. The goal was to identify a consensus way for federal legislation to address each barrier through engagement with over 120 stakeholders across the ideological spectrum, from consumer advocacy to industry groups.^[1] The nexus between data privacy and security is an ongoing focus area of the team, which was conveyed during recent testimony by R Street Policy Director for Cybersecurity and Emerging Threats Brandon Pugh in the House Energy and Commerce Committee’s Innovation, Data, and Commerce Subcommittee.^[2]

The 117th Congress made significant progress with the American Data Privacy and Protection Act (ADPPA), which was a viable solution to the unequal consumer protection and inconsistency for industry arising from the state patchwork of privacy laws. Ultimately, the ADPPA failed to cross the finish line, but there is optimism that the 118th Congress will continue the discussion on passing a comprehensive federal privacy and security law.

2. Legislators should approach the civil rights and equity implications of data collection and processing by making a national standard that harmonizes data privacy and security laws across the United States, providing companies with a clear and consistent framework for protecting personal data. This will reduce compliance barriers and allow companies – big and small – to understand their obligations under the law better.

Corresponding to Question 1, harmonizing data privacy laws with a comprehensive federal privacy and security law will make industry-wide compliance more obtainable, which will result in better outcomes for consumers. Currently, the patchwork of state privacy laws creates economic barriers for small- to medium-size businesses, which often lack the resources to stay current on the constantly evolving privacy laws. In a 2023 study, the average privacy spending of small businesses (50-249 employees) was estimated to be $2 million, making compliance difficult or possibly unobtainable for most. ^[3] Further, recent research on the industry’s privacy law compliance with the California Consumer Privacy Act (CCPA) and the CCPA as amended by the California Privacy Rights Act (CPRA) revealed that 92 percent of companies were not CCPA compliant.^[4] Creating a standard national privacy and security law would allow the industry to efficiently and effectively allocate its resources to work toward compliance. Increasing the number of businesses that are compliant with a comprehensive federal privacy law would help protect against potential harms that can arise from data practices as they relate to civil rights and equity. 

The ADPPA, while not perfect in every aspect, had provisions that aimed to reduce discriminatory privacy harms. The bill would have restricted most covered entities from using covered data in a way that would discriminate on the basis of race, color, religion, national origin, sex or disability, along with other relevant provisions.

3. Data security is an area that should be focused on with its intersection of privacy, equity, and civil rights.

Corresponding to Question 1a, data security has been insufficiently prioritized in privacy law. It is important to include data security in any discussion on data privacy impacts because they are interrelated—having one without the other is futile. Any regulation implemented without addressing data privacy and security causes more harm than good because it provides a false sense of accomplishment and security.

R Street’s Cybersecurity team has a deep focus on data security and data privacy. We argue that data security is critical to data privacy. Online personal information continues to expand, increasing by 150 percent from 2019 to 2021, while increasing security threats also loom.^[5]  There were a record number of data breaches in 2021—68 percent more than in 2020.^[6] We have highlighted the nexus between privacy and security and how security breaches can cause significant and long-lasting consequences, such as employment and housing opportunity denials, financial harm and discrimination. ^[7]

To add to this, marginalized communities’ data continues to be at risk from foreign threats, like China, who collect it for intelligence or competition purposes—leaving Americans with a vague understanding of where their data is and how protected it is against malicious actors.^[8] In a practical sense, fixing the problem means ingraining data security standards into data processes to ensure security by design. However, it is difficult to understand what data security standards entail and how they are or should be defined, including how they might need to vary by entity.

4. Privacy and Security literacy

R Street believes data privacy and security literacy are imperative to an expanding digital society. Americans’ awareness of data privacy and security is a glaring need. Corresponding to Question 5, regulators, organizations, businesses and educators should consider data privacy and security literacy as a priority that can influence individuals’ success in protecting their personal information and assets. Research shows that 85 percent of Americans go online every day, with 31 percent of them reporting to be on “constantly” and 48 percent of them reporting to be on “several times a day.”^[9] Yet only 24 percent of Americans have heard about or are familiar with the CCPA.^[10] When regulations are not well understood, their effectiveness wanes.^[11]

If individuals are made aware of the importance of data privacy and security to their well-being and understand how their data can contribute to employment loss, housing discrimination and other risks, they may be more vigilant and better equipped to protect their personal data.^[12]

5. Conclusion

We support efforts to increase data privacy and security as it relates to the intersections of privacy, equity and civil rights. We are happy to be a resource on specific issues that arise, especially regarding data privacy and security.

Respectfully submitted,

The R Street Cybersecurity Team

POC: Steven Ward, Fellow

Cybersecurity and Emerging Threats

R Street Institute

[email protected]

R Street Institute

1212 New York Ave. NW Suite 900 Washington, D.C. 20005

^[1]Tatyana Bolton et al., “The Path to Reaching Consensus for Federal Data Security and Privacy Legislation,” R Street Institute and Harvard Belfer Center for Science and International Affairs, May 26, 2022. https://www.rstreet.org/2022/05/26/the-path-to-reaching-consensus-for-federal-data-security-and-privacy-legislation.

^[2] Brandon Pugh and Steven Ward, “House Subcommittee on Innovation, Data, and Commerce Hearing Overview Featuring R Street’s Brandon,” R Street Institute, Feb. 6, 2023. https://www.rstreet.org/commentary/house-subcommittee-on-innovation-data-and-commerce-hearing-overview-featuring-r-streets-brandon-pugh.

^[3] “Privacy’s Growing Importance and Impact,” Cisco 2023 Consumer Privacy Survey, 2023. https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-privacy-benchmark-study-2023.pdf.

^[4] “CCPA & GDPR Research Report Q3 2022,” CYTRIO, 2022. https://cytrio.com/ccpa-research-report-q3-2022.

^[5] “DeleteMe 2021 PII Marketplace Report,” DeleteMe, last accessed Feb. 25, 2022, p. 3. https://joindeleteme.com/wp-content/uploads/2022/01/2021-DeleteMe-PII-Marketplace-Report.pdf.

^[6] Aaron Drapkin, “Data Breaches That Have Happened in 2022 and 2023 So Far,” Tech.co, Feb. 17, 2023. https://tech.co/news/data-breaches-2022-so-far.

^[7] Steven Ward, “Data Privacy and Security Lessons from the Latest Law Enforcement Data Exposure,” R Street Institute, Jan. 26, 2023. https://www.rstreet.org/commentary/data-privacy-and-security-lessons-from-the-latest-law-enforcement-data-exposure; Steven Ward, “FTC takes a swing at protecting consumer health data,” R Street Institute, Feb. 14, 2023. https://www.rstreet.org/commentary/ftc-takes-a-swing-at-protecting-consumer-health-data.

^[8] Brandon J. Pugh, “Lessons for America from China’s Massive Data Breach,” RealClearPolicy, July 19, 2022. https://www.realclearpolicy.com/articles/2022/07/19/lessons_for_america_from_chinas_massive_data_breach_843154.html.

^[9] Andrew Perrin and Sara Atske, “About three-in-ten U.S. adults say they are ‘almost constantly’ online,” Pew Research Center, March 26, 2021. https://www.pewresearch.org/fact-tank/2021/03/26/about-three-in-ten-u-s-adults-say-they-are-almost-constantly-online.

^[10] Daniel Barber, “DataGrail’s 2020 Consumer Privacy Expectations Report,” Datagrail, Jan. 28, 2020. https://www.datagrail.io/blog/privacy-trends/data-privacy-day-survey.

^[11] Natasha Singer and Jason Karaian, “Americans Flunked This Test on Online Privacy,” The New York Times, Feb. 7, 2023. https://www.nytimes.com/2023/02/07/technology/online-privacy-tracking-report.html.

^[12] Tim De Chant, “Catholic priest quits after ‘anonymized’ data revealed alleged use of Grindr,” Ars Technica, July 21, 2021. https://arstechnica.com/tech-policy/2021/07/catholic-priest-quits-after-anonymized-data-revealed-alleged-use-of-grindr; Linda Morris and Olga Akselrod, “Holding Facebook Accountable for Digital Redlining.” ACLU, Jan. 27, 2022. https://www.aclu.org/news/privacy-technology/holding-facebook-accountable-for-digital-redlining.