For several years now, it’s been widely known how Google and Facebook abuse the privacy of users. Apple Inc. always insisted it was different. A recent ad proclaimed “What happens on your iPhone stays on your iPhone” and CEO Tim Cook once boasted in a talk “We’re not Google.”
It turns out that may not be true. Twice during the last week of May, 2019, Apple got bruised for doing about the same thing as its Silicon Valley neighbors: Secretly selling user data to third parties without the knowledge or specific consent of its customers.
Ironically, the two items hit the headlines during the same week as the European Union’s General Data Privacy Regulations (GDPR) marked its first anniversary.
Two Bites of Apple
First, a class action lawsuit was filed in San Francisco by three iTunes buyers on behalf of all such customers, claiming damages resulting from Apple selling very detailed information about their listening, buying and lifestyle habits to third parties including full names and home addresses. The plaintiffs allege that this was done solely to enhance Apple’s revenue and profits, and without their permission.
Then, a few days later, The Washington Post’s technology reporter revealed his iPhone sent 5,400 data trackers out in a single week to marketing companies, research firms and other personal data collectors with information about his phone number, email, exact location, and a digital fingerprint of the phone. When one company received a way to identify his phone, it sent back a list of other trackers to pair up with. The reporter notes that there is a way to turn off the function but it’s not disclosed to iPhone buyers and is difficult to locate on the device.
Apple’s legal and PR predicament highlights two key points: Any highly-regarded company can take it on the chin when what it says publicly is contradicted by evidence that it has been acting just the opposite. And, it is one more convincing piece of evidence that Congress needs to enact a GDPR-type law for the U.S.
Patchwork Quilt Being Stitched
There is no question that concerns about privacy are mounting. California’s new privacy law comes into effect on January 1, 2020, and has received a lot of attention because of its likely impact on businesses across the country. But 14 other states plus New York City and the District of Columbia have, or are considering, their own legislation.
What’s emerging is a patchwork quilt of laws with varying requirements and penalties that are likely to place an onerous burden on any business that is larger than a corner hardware store.
In February, 2019, the non-partisan Government Accountability Office sent a report to Congress saying the country needs a national privacy law. In part, this is because privacy is becoming a major issue for all citizens and in part because businesses will have real problems trying to comply with requirements that vary from state to state.
The Interstate Commerce Clause of the Constitution gives Congress the authority to enact such legislation.
As privacy and data security attorneys, we are already receiving calls from nervous clients about what they’ll need to do to meet the California standards. Many are expressing concern about how they might be in compliance with the rules in one state yet be in violation of a contradictory rule in another.
There are two practical things businesses can do.
One is to write to their Representative and Senators explaining the problems a lack of a national law will create for them. The other is to ensure that their own privacy policies are transparent and easily accessible to customers including an “opt-out” opportunity to keep their information private.
If you have any questions about how to structure your company’s privacy policy or the impact the California law may have on your business, feel free to call us.