Skip to main content
Spring 2023

Nothing Is Private

Experts say it’s time to enact comprehensive consumer privacy legislation in the United States. By Sean Hargadon

Image: Illustrations by Deena So’Oteh

Identity theft can have devastating effects. In one recent example, a retired couple in the Chicago suburbs came within hours of losing their life savings to a sophisticated attack. 

The attackers worked for months to gain access to the couple’s retirement accounts. After obtaining one of the individuals’ Social Security numbers from a prior data breach, the attackers contacted the couple’s cellphone company, impersonated one of them, and then diverted text messages and calls to the attackers’ cellphone to intercept multi-factor authentication codes from the couple’s bank. 

With help from privacy professionals, the couple was able to recognize the cloning attack and immediately contacted the cellphone carrier and the banks. It was a Friday afternoon, and the attackers had placed an order to sweep the couple’s life savings into a separate account first thing on Monday morning. The couple was able to get the transfer order canceled, but they came within 72 hours of losing much of their retirement savings. 

Financial and identity theft is just one of the many dangers of personal information falling into the wrong hands. Location data from your cellphone, even when anonymized, can reveal personally identifiable information that could be used for surveillance, and scammers can piece together bits of information from social media accounts to do online phishing. 

Technology has made life undeniably more convenient. But how much has this convenience put our privacy and personal information in peril?  

“We’re all generating an exponential amount of data all the time,” says Caitlin Davitt Fennessy ’04, vice president and chief knowledge officer at the International Association of Privacy Professionals (IAPP). The abundance of personal information — and the ability to connect the dots between those bits of data — is cause for concern. 

“Anything that allows data to be collated and well organized turns a few incidental web searches here and a few purchases there into knowledge about your personal life that would otherwise be very difficult to obtain,” says professor Matthew Kugler, who teaches a popular course on privacy law at the Northwestern Pritzker School of Law. “If someone put your TikTok history next to your Amazon history next to your Google history, they might be able to learn a lot about you that you didn’t mean to tell them. 

“And if I give an app data to provide some basic service … and they sell it, that data could then be used for hundreds of purposes that I can’t even imagine. It is that vast, unknowable possibility that is particularly scary in the privacy space.” 

The protection of personal information is a growing concern among Americans. According to a 2019 Pew Research Center survey, 81% of respondents felt they had very little or no control over information about them collected by companies — and a similar percentage were very or somewhat concerned about how that information was used. Other surveys reveal that most U.S. consumers believe companies should take additional steps to protect their privacy. And, importantly, two-thirds of Americans want the government to do more. 

“Privacy underpins all that we do and experience in today’s increasingly digital world.” — Caitlin Fennessy

“Organizations and governments are working through how to manage the vast quantity of data that is out there,” Fennessy says. “How do you provide the space for organizations to use it in innovative ways while also preventing and avoiding harmful or surprising uses of data? And how do you erect those guardrails in ways that are manageable both for individuals and for companies?” 

Caitlin Fennessy

Fennessy, who lives in Concord, N.H., manages the IAPP’s content and knowledge products, which are shared with more than 75,000 privacy professionals around the world. 

Lara Leniton Liss ’99, global chief privacy officer at Walgreens Boots Alliance, manages the Walgreens team responsible for protecting the privacy of hundreds of millions of prescriptions per year as well as customer loyalty programs in the U.S. and the United Kingdom. 

Liss is also a member of the IAPP’s educational advisory board. The board helps develop programming for IAPP’s privacy conferences around the world, gathering speakers to educate privacy professionals on the latest threats to privacy, emerging privacy-enhancing technologies and new regulations that require companies to update their compliance frameworks. 

“Privacy underpins all that we do and experience in today’s increasingly digital world,” says Fennessy. “How our personal data is handled affects everything from the information we can access online to our personal health to the business model underpinning online services to how freely we express ourselves to the functioning of our democracies.” 

Fennessy and Liss are two of several Northwestern alumni working to protect your privacy. They agree that privacy is a serious matter and that comprehensive federal legislation is needed to set reasonable expectations for individual data protection rights and harmonize the growing patchwork of state rules that protect only a subset of the U.S. population. 

WHO’S RESPONSIBLE?

“If you wanted to protect your privacy completely, you would have to opt out of large parts of the modern information economy,” says Kugler. “To get rid of every data tracker, every last company trying to invade your privacy, would involve drastically changing your life.”  

Most privacy protection protocols rely on “notice and consent” policies, which require notification and approval for the organization to collect and utilize an individual’s personal data. 

Matthew Kugler. Credit: Randy Belice © 2016, Northwestern University

“How many years would it take you to read all of the privacy notices that you receive in your day-to-day life?” asks Liss, who lives in the Chicago area and is also an MBA student at the Kellogg School of Management. “Research that came out a decade ago showed that it would take the average person roughly a month each year to read all the privacy notices they were receiving at that time. That’s simply not practical. Given advances in technology in the last decade [and the growing number of] internet-connected devices in our homes and workplaces, the number of privacy policies the average person encounters in a year has increased as well.” 

She says the government “has a role to play in establishing clear baseline protections for everyone and providing standards that are easily actionable for consumers.” 

New statewide data privacy regulations in California, Colorado, Connecticut, Utah and Virginia — with more likely on the way in the next legislative cycle — are moving away from notice and consent toward an individual rights model, which provides a legal framework that all companies must follow to safeguard all personal data. The European Union’s General Data Protection Regulation (GDPR), which went into effect in 2018, is one such example; it requires organizations to have processes in place for the handling and storage of such data. Brazil, China, India and several other countries have recently proposed or enacted data privacy laws as well. (The ever-changing regulatory and legal landscape has increased the size of the privacy workforce. See “Consider a Career in Privacy,” below.) 

The new U.S. state laws focus, in part, on data lifecycle management. “You have to understand the inventory of data and the flow of data in order to be able to comply with state laws that are giving individuals the right to ask, ‘Where is my data? Who has my data? Please delete my data or correct my data,’” says Sheila Phillips Hawes ’76, ’79 JD, vice president, associate general counsel and chief privacy officer at AmerisourceBergen Corp. Hawes, who lives in Philadelphia, oversees global compliance with international privacy laws for the 42,000-employee pharmaceutical distributor, which operates in more than 60 countries. 

“If you wanted to protect your privacy completely, you would have to opt out of large parts of the modern information economy.” — Matthew Kugler

Some federal legislation already protects personal information in the U.S. The Health Insurance Portability and Accountability Act (HIPAA), for example, provides a national standard to protect patients’ personal health information, and the Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. But the nation lacks a comprehensive federal privacy law. 

“We have a fragmented, industry-by-industry, state-by-state system,” says Mitchell Granberg ’90, chief privacy officer at Optum, an information- and technology-enabled health services business. Granberg, who lives in Minneapolis, oversees Optum’s privacy program and is responsible for developing policies, ensuring members’ and patients’ privacy rights, and handling privacy issues.  

“I don’t think anyone is happy with the piecemeal approach,” says Kugler. “Privacy advocates, concerned that people in some states have more privacy rights than others, would like everyone to have a greater level of privacy. Those seeking to comply with the law — companies and law firms — are concerned about the complexity of these different state law regimes. 

“Having said that, the reason we have these different state regimes is because of the difficulty of passing a federal law. … Fundamentally, there is a split on what kind of rights should be granted and on how easy it should be for people to sue to enforce those rights, because companies are terrified of privacy laws that have a strong enforcement mechanism. And if you have a privacy law giving people a lot of rights, it will be easy for companies to make mistakes.” 

Lara Liss

U.S. companies that operate across international borders are building compliance programs in response to foreign data protection laws such as GDPR, Fennessy says. “And a lot of those programs are quite strong, but that doesn’t necessarily provide rights to millions of Americans who are asking, ‘Where are my protections in this space?’ But as more and more states pass laws, it becomes harder to take a holistic approach. … It feels, frankly, shocking that we don’t have a national privacy law yet.” 

In 2022 the U.S. House of Representatives considered the American Data Privacy Protection Act (ADPPA), which aimed to provide consumers with foundational data privacy rights. While ADPPA stalled in the House in fall 2022, “we actually saw the most significant coalition of interests come together to support passage of a national privacy law that we’ve seen in two decades,” says Fennessy. 

That coalition includes privacy advocates, academics and some of the largest companies in the world who view comprehensive federal privacy law — and a single national standard for how consumer data is treated in the U.S. — as an important development for the global economy. In 2018, for example, Business Roundtable, an association of chief executive officers of the United States’ leading companies, issued its proposed framework for federal privacy legislation.  

Liss partners with Walgreens’ government relations team to meet with federal and state regulators and legislators to advocate for consumer privacy laws. “Over the past three years, we have met with congressional staffers to talk through proposed comprehensive federal consumer privacy legislation and how it will benefit the American public and business community,” Liss says. “I am hopeful that within the next three to five years we will see comprehensive federal privacy legislation in the U.S.” 

 

Sean Hargadon is editor in chief of Northwestern Magazine. 

Share this Northwestern story with your friends via...

Reader Responses

  • Not enough on preventative functions. Too much verbiage on problems.

    Jack Erickson '72, Naples Fla., via Northwestern Magazine

Submit a Response