Candidates want data privacy rules, except for their own campaigns
In this divisive election season, there’s one thing we can all agree on: We HATE robocalls. Lately, my home has been targeted with an onslaught of fundraising robocalls from presidential candidates, including the incumbent, sometimes up to several times a day. We all deserve the right not only to request that any organization stop robocalling our home or texting our mobile, but also to ask for the deletion of the personal information that led to their unwanted calls in the first place.
In addition to the mild nuisance of robocalls and spam, constituents also face the more serious specter of data breaches. Even if we assume good intentions on the part of campaigns to reach and educate voters, the fact remains that these organizations are optimized for speed, not caution. One can easily imagine dangerous collections of personal information ending up in the wrong hands as the result of fast-and-loose handling by relatively untrained and short-sighted campaign staff. A constituent who wishes to minimize his or her risk by requesting data deletion should have that right.
As a California resident and the head of an online privacy company, I considered the possibility that the new California Consumer Privacy Act (CCPA) might save me. The CCPA, which took effect on Jan. 1, 2020, gives Californians the right to request that a business provide all the personal information that it is storing about them and to request its deletion.
I wondered whether this law applied in letter — or at least in spirit — to political campaigns such as the ones that have been targeting me. A couple weeks before the Democratic field narrowed on Super Tuesday, as an experiment, I looked up the privacy policies of all the major Democratic presidential campaigns at the time, as well as President Donald Trump’s campaign. Privacy policies for Joe Biden, Pete Buttigieg and President Trump appeared to address Californians’ privacy rights with a dedicated section indicating an email address for requesting details on how their information is shared with third parties, or in Trump’s case, for exercising third party disclosure choices. The Bernie Sanders campaign stated that the CCPA doesn’t apply to their campaign, as it is a non-profit organization and not defined as a “business” under the CCPA, but they would nevertheless make efforts to respect my privacy upon request. The other remaining candidates at the time remained silent about the CCPA in their privacy policies — Elizabeth Warren, Tom Steyer, Amy Klobuchar and Mike Bloomberg.
As we all know, policies are one thing, actions are another. I followed the instructions in the privacy policies to make a polite CCPA request to each campaign at their designated email addresses asking what personal information they were storing about me.
Not one of the presidential campaigns fulfilled my request — including those that said they’d respect such requests.
The Sanders campaign’s interpretation is technically accurate, if not fundamentally sound. Presidential campaigns are non-profit organizations under Section 527 of the Internal Revenue Code, which means they are not “businesses” as defined in the CCPA and not obligated to respect my request. I evidently do not have the right to know what each campaign knows about me and request deletion.
To their credit, I received timely and technically accurate rejections from the legal counsel for Mike Bloomberg and a campaign staffer for Elizabeth Warren. They might not have agreed much on the debate stage, but their positions on this matter were fairly consistent. Prior to dropping out of the race, the email address referenced in Sen. Amy Klobuchar’s policy bounced, and all other campaigns failed to reply at all.
No candidate wants to be running the only privacy-conscious campaign while others are raising more funds or enlisting more supporters by throwing privacy to the wind. In politics, as in business and Big Tech, personal information is more valuable than oil.
At the same time, consumer data privacy is a massively popular cause, uniting people on all parts of the political spectrum. As rarely as this occurs in America these days, Congress and the Trump White House have fundamentally agreed that a new federal law to protect consumer data privacy ought to be passed (although they’ve been gummed up on the details).
The major candidates, all the way from Sanders on the left to Trump on the right, have stated their strong support for consumer data privacy in one form or another. Some, like Sen. Warren, have made a sport of attacking Big Tech for its mishandling of our personal information. And Mayor Pete, who suspended his campaign immediately after South Carolina, had gone even further, telling Kara Swisher that he supports a Right to be Forgotten for Americans — a noble sentiment, even if it’s not entirely clear that he knew the full meaning and implications of such a policy.
To be clear, campaign speech rightfully is protected by the First Amendment. Reasonable minds could disagree on the question of whether privacy laws should apply to campaigns, as they might have the effect of deepening the echo chambers in which many of us live these days, hearing only voices that reinforce our pre-existing beliefs.
It’s mainly the hypocrisy that bothers me. Politicians’ words about privacy say one thing, but their actions tell another story.
As part of a wide set of needed reforms, we should consider the role that personal data plays in modern political campaigns. People should have the same rights to privacy from political campaigns as they now demand from Big Tech companies. Candidates need to stop giving lip service to the protection of our personal information, while their own campaigns continue to lay waste to our privacy on a daily basis.
Rich Matta is chief executive officer of ReputationDefender, a global firm in the field of digital privacy and online reputation management and an advocate of right to be forgotten legislation in America.