Stitching Together the Legislative Patchwork
We are all familiar with the critique of state privacy legislation: that the states are creating a patchwork of incompatible laws that impose burdens and costs on business. California in particular has been criticized for enacting a large number of privacy laws -- more than 40 since 1999 -- some of which effectively set a national standard even though they do not preempt other state or federal laws. In fact, the privacy quilt in the United States is even bigger and more complex. It encompasses a number of federal sectoral laws as well as the numerous laws and regulations of other countries.

Seeing the Pattern

It sounds like a motley fabric indeed. There is, however, a pattern underlying the apparently random assemblage of laws. Just as a quilt is made up of patches of different fabrics arranged according to a pattern and sewn together to keep out the cold, so the patchwork of privacy laws is based on an underlying pattern designed to protect our personal information. That pattern is, of course, the principles of fair information practice, which represent an international consensus on general guidelines for managing personal information. These principles, first formulated in 1973 by the U.S. Department of Health, Education, and Welfare, form the basis of information privacy laws enacted over the past three decades.

Like the major federal privacy laws, California's laws are aligned with these principles. The law on notification of security breach and the law allowing individuals to "freeze" their credit histories are both responses to concerns about the harm that results from failures to comply with the principle of security safeguards. Even the controversial financial information privacy law, SB 1, may be understood as a reinforcement of the principles of transparency and use limitation. SB 1 requires a more effective, more transparent notice of a financial institution's privacy practices than the Gramm-Leach-Bliley Act (GLBA) does. And it gives individuals more control over the secondary uses of their personal information, following the principle of use limitation, than the federal law provides.

Harmonization: Bringing Out the Pattern

The multiplicity of laws does pose challenges to those who must comply with them. International relations and commerce depend on respect for national laws and, increasingly, on harmonizing these laws. Harmonization means returning to the underlying principles of fair information practices -- applying the pattern, not the patches.

Some very recent California laws reflect this trend toward harmonization. The information security law (AB 1950 of 2004) promotes uniformity by applying the basic security principles contained in GLBA and HIPAA to sectors other than financial services and healthcare. The California Online Privacy Protection Act (AB 68 of 2003) extends a privacy notice requirement that is explicit in several federal sectoral laws and implicit in Federal Trade Commission rulings to all commercial Web sites that collect personal information on California residents.

The harmonizing movement is also being carried out in the development of industry guidelines and best-practice recommendations. As part of its mandate, the California Office of Privacy Protection facilitates the development of fair information practices by recommending privacy policies and practices, aided by representatives of many business and consumer organizations. We believe that organizations that take the high road -- following best practices based on fair information practices principles -- find it easier to comply with legislation emerging from the states, federal government, and other countries.

For more on the California Office of Privacy Protection's recommendations, visit www.privacy.ca.gov/recommendations.htm.

Joanne McNabb is chief of the California Office of Privacy Protection.
© 1997 - 2009 TRUSTe. All Rights Reserved.