Incognito — August 2024: State and Federal Privacy Laws

Welcome to the August 2024 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month: 

• Privacy laws: State laws, and the American Privacy Rights Act (APRA)
• Recommended reads, including “Users’ X Posts Used to Train AI Model.”
• Q&A: Can people find my accounts if I use different usernames?

“The United States Moves Toward a Comprehensive Privacy Law (One More Time),” an international law firm wrote earlier this year. 

“(One More Time)” is the key phrase here. Since the Federal Trade Commission (FTC) called on Congress to enact a federal privacy law in 2000 (24 years ago!), various proposed U.S. national privacy standards have come and gone. None have made it into law.

The American Privacy Rights Act is the latest contender but it probably isn’t going to enter law any time soon—at least not this side of the November election.

States haven’t let this stop them. In 2024, state legislation looks like everyone’s best hope.

But although more than a dozen state legislatures have adopted privacy laws like the CCPA, they might not be as effective as promised at protecting America’s privacy. 

Where Are We On That Federal Data Privacy Bill Again?

On hold. 

A markup session (where proposed legislation is debated and potentially amended) of the American Privacy Rights Act (APRA) was scheduled for June 27th. Then, in a twist that will not surprise anyone following this space, it was…canceled at (literally) the last minute.

Prior to the proposed session, the APRA had already been weakened. Some provisions in the bill, such as protection against data discrimination and algorithmic bias, have even been deleted, rightly angering civil rights and privacy groups.

“The new draft strips out anti-discrimination protections, AI impact assessment requirements, and the ability to opt-out of AI decision-making for major economic opportunities like housing and credit,” said the Lawyers’ Committee for Civil Rights Under Law.

Republicans were starting to turn against the APRA, too. House Majority Leader Steve Scalise criticized the bill for granting consumers the right to sue companies for violations. Republican pushback may have been why the markup session was canceled. 

Whatever the reason, don’t hold your breath for a rerun—a markup session for APRA has yet to be rescheduled, and the bill may change further in the meantime. 

Conversation starter: The U.S. is the only one of the top 10 developed nations without a federal privacy law.

Surely State Laws Are Doing Enough?

As states zoom in on their citizens’ privacy worries that the federal government doesn’t seem in a rush to address, some interestingly specific privacy laws have started to appear. 

Illinois led the way in 2008 with biometric security legislation. Today, it’s Colorado’s turn. The state’s citizens will soon be covered by a specific state-level privacy regulation about artificial intelligence. The Colorado Artificial Intelligence Act, or the CAIA, (starting in 2026) protects consumers against algorithmic discrimination.

Colorado also became the first U.S. state to classify neural data as sensitive personal information this year. Plus, it recently released a state-approved privacy browser extension.

It’s not the only state tackling privacy. Last month alone, we saw the following privacy laws take effect:

• The Oregon Consumer Privacy Act. Includes the right to request a list of third parties receiving your data. The law also expands the definition of “sensitive personal information” to include national origin, transgender or non-binary status, and biometric data (meaning businesses must obtain opt-in consent to process this data).
• Texas Data Privacy and Security Act (TDPSA). Provides similar rights as other state laws, but has one major difference: the applicability criteria. Instead of the usual “how much annual revenue they [businesses] make, data they process or revenue they make from the sale of this data,” the law has a new set of guidelines. As a result, it might apply to more (or most) companies that do business in Texas. 
• The Florida Digital Bill of Rights. Again, this law grants similar rights as other state laws but has a limited scope because it only applies to the largest companies (i.e., that have at least one billion dollars in global gross revenue and meet one of the other three requirements). 

Other notable mentions include: The Minnesota Consumer Privacy Act, which provides unique rights like the right to question the result of a profiling decision, and the Maryland Online Privacy Act, which has been described as “one of the strongest data privacy laws in the nation.”

There are some really good privacy laws in the US; it’s just a pity they don’t apply to everyone. US privacy legislation is extremely fragmented, and lobbyists have taken note. 

What You Can Do to Push for Data Privacy In Your Community

You’re not powerless. You can:

• Join advocacy groups. Joining or supporting organizations focused on digital rights and privacy can amplify individual voices. 
• Get in touch with local and state lawmakers. “Check with your local city council to see if they have a committee that is looking into data-privacy issues, or suggest that they form one. Ask for a citizen advocate to be part of that committee,” says analyst and senior media relations specialist at EFF Karen Gullo in a Wired article. 
• Elect privacy-friendly representatives. Vote for candidates who prioritize privacy issues and have a track record supporting strong privacy protections.
• Join/initiate class action lawsuits. This can set legal precedents and prompt legislative changes.
• Exert market pressure. By supporting businesses that prioritize privacy and boycotting those that don’t, consumers can create economic incentives for companies to advocate for stronger privacy laws.

We’d Love to Hear Your Privacy Stories, Advice and Requests

Do you have any privacy stories you’d like to share or ideas on what you’d like to see in Incognito going forward? 

Don’t keep them private!

We’d really love to hear from you this year. Drop me a line at laura.martisiute@joindeleteme.com.  

I’m also keen to hear any feedback you have about this newsletter.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

Google to Keep Cookies, After All

Google is backtracking on a plan to eliminate third-party cookies, which track users’ web activity. Instead, the tech giant wants to introduce “a new experience in Chrome that lets people make an informed choice that applies across their web browsing.” The move is believed to have come because the advertising industry isn’t ready for the change.

“Nearly All” AT&T Cell Customers’ Call Records Exposed 

AT&T said hackers stole the call and text records of “nearly all” AT&T cellular network customers and some non-customers. The data, saved on a third-party cloud platform, was accessed in April and contains the numbers contacted and the length of interactions between approximately May 1 and October 31, 2022, and from Jan 2, 2023. 

USPS Shared Customer Addresses with Tech Giants like Meta

The U.S. Postal Service was sharing its online Informed Delivery customers’ addresses with advertising and tech giants Meta, Snap, and LinkedIn through a tracking pixel, found TechCrunch. It is not clear how many customers were impacted. The USPS said it was “unaware” of the practice and has now stopped it. 

Users’ X Posts Used to Train AI Model

X discreetly changed its data settings to automatically opt users into the training of its new artificial intelligence (AI) model, Grok. Users can opt out by unchecking the relevant box in settings or making their accounts private, but this can only be done on a desktop. Data regulators have expressed concern over the default nature of the practice. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: Can people find my accounts if I use different usernames?

A: Yes, they can.

Even though they probably won’t be able to find your accounts by Googling your username, there are other methods they could use if they really wanted to find you, including (but not limited to): 

• Running any images you’ve uploaded through reverse image search to see where else they show up. 
• Searching for your email through HaveIBeenPwned. If possible, use a different email address/email alias for every online account and also opt out from HaveIBeenPwned).
• Cross-referencing phrasings, mannerisms, etc. (I’ve seen this happen on online forums like Reddit).

Q: Does the CCPA apply when traveling?

A: Yes, the State of California Department of Justice says the CCPA applies to persons who reside in California “even if the person is temporarily outside of the state.”

Q: Is deactivating an account the same as deleting? Some services only give this as an option. 

A: That’s a great question. Some services make it easy to deactivate an account but not delete it, which can be incredibly frustrating. 

Generally, deactivating is different from deleting in that it means other users won’t be able to find your account, but it still exists and can be reactivated if you change your mind. This is the case with Facebook, for example. 

Other services only give you the option of deactivating your account, but if you don’t log in for a specific number of days or months, they delete it. This is the case with X (Twitter). 

If you’re unsure, check the service’s terms of service or privacy policy. If that fails to give you a clear answer, contact customer support. 

By the way, we recently added new account deletion guides to our blog, so check those out if you’re culling your accounts and could use some help. 

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.