Privacy

Articles and publications written by the CCC about Privacy.

A Consumer-Focused National Data Privacy Framework

 April 7, 2025

Rep. Brett Guthrie (KY-02), Chairman

Rep. John Joyce, Vice Chairman

House Committee on Energy and Commerce

Rayburn House Office Building, 2125, 

Washington, DC 20515

Response to the Request for Information for a Data Privacy and Security Framework

The Consumer Choice Center is an independent, non-partisan consumer advocacy group championing the benefits of freedom of choice, innovation, and abundance in everyday life. We champion smart policies that are fit for growth, promote lifestyle choice, and defend technological innovation.

Herein, we will offer our comments on a future data privacy and security framework, albeit from a consumer-focused perspective.

The APRA

The previous attempt at comprehensive privacy legislation, the American Privacy Rights Act, was flawed for several reasons. 

While this privacy bill addressed important principles, such as requiring transparency of data collected, the ability for consumers to have portable access to their information, and mechanisms for punishing bad actors, it went too far in granting government agencies power over private contracts and business models while exempting any agency from those same privacy rules.

The particular provision creating a new private right of action, unheard of in any other global privacy bill, inevitably would have created a quagmire that would litter our justice system with bogus and outrageous claims, all the while empowering politically connected trial attorneys who stand the most to gain. This would only further increase the $500 billion “lawfare liability” tax on our economy. This ultimately would have degraded the quality and raised the prices of goods and services that consumers depend on and would do nothing to safeguard user privacy.

OUR RECOMMENDATIONS:

  • Champion Innovation
  • Defend Portability
  • Allow Interoperability
  • Embrace Technological Neutrality
  • Avoid patchwork legislation
  • Promote and allow strong encryption

WHAT TO AVOID

In California, the Consumer Privacy Act of 2018 requires that companies calculate the value of individual data, provide opt-outs, inform consumers if their data is being sold, allow consumers to request that data be deleted (right to be forgotten), and allow consumers access to the data collected by said firms in readable formats.

Vermont’s privacy law requires companies to inform consumers of data breaches directly, and also prohibits some forms of targeted advertising specifically when it comes to students.

Both of these laws contain elements of the EU’s GDPR, which has now been in effect for close to 9 years. As has been noted by several analysts, the enormous compliance costs and efforts have meant a significant reduction in both investment and market activity from small and medium-sized firms that relate to data. What’s more, European users have since been cut-off or blocked from using many services outside EU jurisdiction as firms are avoiding running afoul of the strict regulation. That has resulted in fewer products and services available to European citizens.

These previous attempts at privacy laws are flawed for the following reasons:

First, many parts of these laws stymie and prevent innovation. By making it more difficult and costly for firms to handle consumer data, companies are less incentivized to invest resources in innovative consumer services and offerings, resulting in less consumer choice and a higher barrier of entry for new competitors.

Second, at least in the cases of Vermont and California, these laws create a patchwork of regulation that makes compliance difficult or nearly impossible for firms operating in both the national and global marketplace, thereby driving up costs and depriving consumers of these firms’ services irrespective of which state they reside in. A national law or widely adopted (and ideally global) industry self-regulation, which protects consumer privacy and also champions innovation, would be preferred.

Third, calculating data value for each and every firm’s customer and detailing every aspect of how that data is used is nearly impossible, vastly increasing costs for services that will inevitably be passed on to consumers.

Fourth, these laws do not take into consideration existing business practices that already provide adequate consumer and data protection, and have thus been used as industry standards. They also thwart innovation practices such as targeted advertising, geo-targeting, and personalization, which consumers prefer.

Last, each of these privacy laws further emboldens litigiousness, sparking new lawsuits and trials that would serve to vastly increase the cost of normal consumer products and services.

CHAMPION INNOVATION

Considering that thousands of firms have both safeguarded and used consumer data responsibly, lawmakers should seek to create clear and uniform rules that respect current standards, allow innovation, and provide clarity to both firms and consumers. Privacy rules that place an undue burden on companies following the law, rather than target the most blatant examples of data breaches and impropriety, will end up raising the cost of doing business and thus raise prices for consumers.

There should be recognition that consumers willingly give data to firms in order to receive a final service or goods that will be useful to them. As long as proper procedures are followed, and no data is leaked or changes hands without authorization, there should be no additional regulatory requirements that would serve to complicate a consumer’s voluntary relationship with a firm.

DEFEND PORTABILITY

Consumer-friendly data portability should be a reasonable standard applied to most firms that complete data transactions. Most of today’s firms allow personal data to be exported for review, but that data should also remain confidential and secure to avoid potential exploitation. If portability standards are kept too lax, this would be an invitation to hackers and pirates looking to profit from identity or intellectual property theft.

Given the fast pace at which this environment changes, industry standards might be a more agile way of enforcing portability as compared to regulation.

ALLOW INTEROPERABILITY

Where necessary, firms should be incentivized to maintain open data standards that can be used between platforms. However, considering the fast-moving nature of data structures and standards, lawmakers should avoid favoring a particular method of data collection or export, whether that be JSON, HTML, or otherwise.

Rather, a broad principle of “technological neutrality” would allow the best standards to naturally evolve rather than be arbitrarily determined by regulatory bodies. Enforcement of interoperability standards would therefore be agreed to by firms handling data, and not necessarily determined by law. Consumers should ultimately decide if they want a service or product that either allows interoperability or not. The wide acceptance of apps and standards such as Apple CarPlay shows that most companies favor such standards that allow consumers to benefit by “plugging in”.

EMBRACE TECHNOLOGICAL NEUTRALITY

Because standards and technologies change so quickly, lawmakers should avoid legislation that favors a particular method or technology in data privacy rules. Applying a uniform rule on the format or process of technology would serve to limit the amount of innovation and natural evolution that currently defines our existing tech sector. 

In all cases, legislation should embrace and encourage competition and consumer preference to determine the best technology. Technology changes too quickly and too much regulation might limit new technologies and standards from emerging as fast as they could within a more flexible framework.

AVOID PATCHWORK LEGISLATION

Due to the ever-growing consumer base across both state lines and international borders, state-by-state regulations that would impose different rules on different residents should be avoided. This patchwork of legislation would increase the cost of delivering services in an efficient manner, and would likely stunt the availability of various products or services to consumers in various jurisdictions. As such, a broad and agile uniform standard should be agreed to at the federal level, rather than individual states or municipalities.

PROTECT AND ALLOW STRONG ENCRYPTION

The use of encryption by both individuals and firms is essential to our digital rights online. Many legislative proposals since the 1990s have attempted to outlaw cryptographic methods of securing and encrypting data. Most of these proposals have been justified on national security and law enforcement grounds. That said, existing laws on judicial warrants and Fourth Amendment protections apply to firms, and there is no reason to believe that a ban on encryption would make this easier or more productive.

Lawmakers should recognize citizens’ rights to encrypt and protect information and should extend this to the proprietary encryption methods that firms and companies use that serve their customers. Protecting rights to encryption is a safe and effective method to ensure consumer and data privacy can be upheld, whether that be medical data, personally-identifiable information, or financial data.

CONCLUSION

As we have outlined, there are examples of existing laws on data and consumer privacy that go far beyond the scope of consumer protection. Often, these laws serve to thwart innovation and slow down the progress that firms and companies can deliver to their customers. 

What’s more, a regulatory approach that is far too restrictive or cumbersome will serve large incumbent players that can afford the additional costs while locking out start-ups and new competitors.

While we cheer the focus on a data and privacy framework that would benefit consumers, we hope these recommendations are taken into account.

Lee introduces the Saving Privacy Act for 119th Congress

Senator Mike Lee (R-UT) introduced the Saving Privacy Act, a bill to end government abuse of Americans’ financial information. For years, federal agencies have been overreaching in their surveillance, collecting vast amounts of personal financial data from law-abiding citizens without just cause. Senator Rick Scott (R-FL) is an original co-sponsor of the bill.

“The federal government has no business surveilling the financial activities of millions of innocent Americans,” said Senator Lee. “The current system erodes the privacy rights of citizens, while doing little to effectively catch true financial criminals. My Saving Privacy Act ensures that Americans’ personal information is protected and that government agencies operate within the bounds of the Constitution.”

“Big government has no place in law-abiding Americans’ personal finances. It is a massive overreach of the government and a gross violation of their privacy,” said Senator Rick Scott. “That is why I am teaming up with Senator Lee so that we can protect Americans’ personal financials for good. Our Saving Privacy Act will allow federal agencies to go after criminals while also protecting innocent Americans’ data. This is commonsense legislation, and I am urging my colleagues to support its immediate passage.”

“For decades, outdated banking regulations have subjected citizens to excessive financial surveillance, compelling institutions to enforce intrusive measures that directly led to the debanking of innocent Americans spending their own money. The Saving Privacy Act offers comprehensive reforms, striking a balance that restores consumer rights, establishes sensible standards for innovators while curbing illicit activities, and reinvigorates the commitment to sound consumer financial privacy.” – Yaël Ossowski, Deputy Director at the Consumer Choice Center.

THE US CONGRESS STANDS UP FOR APPLE AND CONSUMER PRIVACY EVERYWHERE

MARCH 13, 2025 | Today a bipartisan group of US lawmakers signed onto a joint letter calling on the UK’s government to immediately bring transparency to their upcoming hearing for Apple on March 14th. The American technology company has found themselves in a standoff with the UK’s Home Office, which demanded backdoor access to encrypted Apple iCloud data under the Investigatory Powers Act. 

Stephen Kent of the Consumer Choice Center, an international consumer advocacy group based in Washington, D.C., London and Ottawa, reacted to the letter from Congress:

“British authorities are actively harming their own people’s privacy and data security by pursuing backdoor access to Apple’s consumer encryption. The United States correctly sees this as a domestic threat, because a backdoor in the UK means a backdoor for access to Apple users’ cloud data everywhere.”

The demand by US Senators Ron Wyden and Alex Padilla, as well as Congressmen Andy Biggs, Warren Davidson and Zoe Lofgren, is that the UK make their March 14th hearing public so that its proceedings can be analyzed by cybersecurity experts and the US Congress. 

“The US government has changed its tune in recent years on the issue of encryption. They went from being outright hostile to encryption like the kind Apple provides, over concerns about countering terrorism, to then realizing it was the only thing keeping consumers safe whatsoever from massive foreign hacks,” Kent continued. 

Mike Salem of the Consumer Choice Center’s UK office told media in February about the clash between British authorities and Apple, saying “This marks a very sad day for the basic principle of consumer privacy in the 21st century, depriving users of the tools that leave UK citizens exposed to governments, criminals and malicious hackers. The fact this has been done without debate, oversight or advance warning to UK Apple users is extremely concerning.”

The Consumer Choice Center applauds Republicans and Democrats of the US Congress, as well as the Trump Administration, in their vocal defense of consumer privacy in the case of Apple vs the UK’s Home Office. We hope the Investigatory Powers Tribunal yields to the request of the US Congress and makes their hearing public, before taking steps to walk back this disastrous attack on encryption which has left UK consumers without the protection of Apple’s Advanced Data Protection tool. 

###

FOR UK or US MEDIA QUERIES and INTERVIEWS PLEASE CONTACT:

Stephen Kent

Consumer Choice Center

stephen@consumerchoicecenter.org

The Consumer Choice Center is an independent, nonpartisan consumer advocacy group championing the benefits of freedom of choice, innovation, and abundance in everyday life for consumers in over 100 countries. We closely monitor regulatory trends in Washington, Brussels, Ottawa, Brasilia, London, and Geneva. Find out more at www.consumerchoicecenter.org.


Experts Slam Government After “Disastrous” Apple Encryption Move

Security and consumer rights experts have urged lawmakers to hold the UK government to account, after Apple removed end-to-end encryption (E2EE) in iCloud following data access demands from the Home Office.

Although the access request was made in secret under the controversial Investigatory Powers Act (IPA), also dubbed the ‘Snooper’s Charter’, it was widely reported as happening earlier this month.

However, as long argued by Apple and other tech companies, it’s impossible to create an E2EE “backdoor” for government and law enforcement without putting all customers at risk.

That’s why Apple has taken the decision to remove the opt-in Advanced Data Protection (ADP) feature for UK customers.

“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy,” Apple said in a statement.

Apple axes data protection tool after government security row

Apple has removed its advanced data protection (ADP) feature from the UK, following a dispute with the UK government over encryption and access to user data.

This comes after the Home Office requested access to encrypted iCloud data under the Investigatory Powers Act (IPA), a law that requires leading tech firms to provide information to law enforcement when required.

ADP, which ensures that only account holders can access their stored data using end-to-end encryption, will no longer be available to UK users, making them more vulnerable to cyber and malware attacks.

From Friday afternoon, those trying to activate the feature received an error notification, while existing users will have their access revoked.

The Government’s Spying Requests Force Apple to Phase Out Encryption for UK Users

As of 15:00, new Apple users in the UK can no longer enable Advanced Data Protection (ADP) of their data, an end-to-end encrypted backup. In response to the government’s requests to secure a backdoor to Apple’s encrypted ecosystem, the company has decided to abandon this feature, and will still only provide data to law enforcement if they have a warrant.

In a statement, Mike Salem, UK Country Associate for the Consumer Choice Center (CCC), reacted to the news:

“This unfortunate move is a direct result of the government’s own decision to force tech companies to hand over the keys to our data, giving them a blank cheque to access any of our information without proper due process.”

“Everyone in the UK should be extremely worried about what the government aims to access not just in the UK, but across the world. Over 40 public authorities, including police, intelligence agencies, HMRC, and even local councils can apply for such warrants with broad powers for communication and data surveillance, and with almost always guaranteed approval.”

DNI Director Gabbard Stands Up For Apple & Consumer Privacy 

FEB 27, 2025 | Tulsi Gabbard, now U.S. Director of National Intelligence, has confirmed that U.S. officials and DNI lawyers are now reviewing whether the United Kingdom breached a bilateral treaty known as the CLOUD Act. Under the agreement, the UK is prohibited from demanding access to the data of U.S. citizens or individuals within U.S. borders. 

Stephen Kent, Media Director for the Consumer Choice Center, an international consumer advocacy group based in Washington, D.C., reacted to news of Gabbard’s invoking the CLOUD Act:

“Gabbard is spot on in her defense of American consumers at home and abroad being threatened by the UK’s effort to break Apple’s encryption for users. The nature of consumer encryption tech is that if it’s broken anywhere, it’s broken everywhere. The UK is acting more like China and less like a democratic ally of the US.”

The UK’s Home Office demanded access to encrypted Apple iCloud data under the Investigatory Powers Act (IPA), which would create a “backdoor” for the UK to Apple’s encryption for all its consumers worldwide. As a result, Apple has opted to suspend its Advanced Data Protection encryption feature for UK users.

“This mode of thinking is why Europe was taken off guard last week by Vice President JD Vance’s speech at the Munich Security Conference. What Gabbard is pointing out in her defense of encryption is that an ally of the United States is trying to violate their citizens’ privacy in a way that compromises consumers in the United States,” Kent continued. 

“The FBI under former Director Christopher Wray used to advocate for the same ‘backdoor’ access to encryption, but they’ve since changed their tune about encryption because of the rising threat of foreign data hacks, which pose huge risks to American consumers and companies.”

Cybersecurity analysts have long warned that any backdoor created for a government could eventually be discovered and misused by cybercriminals and hostile foreign actors. The UK’s push to weaken encryption disregards these risks, potentially exposing sensitive data to hackers and bad actors worldwide.

Kent concluded, “There are few consumer privacy issues as important in the world today as maintaining the integrity of encryption technology and services. The Trump Administration should pull no punches in letting Keir Starmer’s government know that this kind of ‘big brother’ behavior won’t be tolerated and makes our people worse off.” 


The UK Government’s spying requests force Apple to phase out encryption for users

London, UK – As of this afternoon, new Apple users in the UK can no longer enable Advanced Data Protection (ADP) of their data, an end-to-end encrypted backup. In response to the government’s requests to secure a backdoor to Apple’s encrypted ecosystem, the company has decided to abandon this feature, and will still only provide data to law enforcement if they have a warrant.

In a statement, Mike Salem, UK Country Associate for the Consumer Choice Center (CCC), reacted to the news:

“This unfortunate move is a direct result of the government’s own decision to force tech companies to hand over the keys to our data, giving them a blank cheque to access any of our information without due process.”

“Everyone in the UK should be extremely worried about what the government aims to access not just in the UK, but across the world. Over 40 public authorities, including police, intelligence agencies, HMRC, and even local councils can apply for such warrants with broad powers for communication and data surveillance, and with guaranteed approval.”

“The UK government has set a precedent, and cast a new reputation that underscores the erosion of personal liberties and privacy in a digital age where these values are needed more than ever.”

“This marks a very sad day for the basic principle of consumer privacy in the 21st century, depriving users of the tools that leave UK citizens exposed to governments, criminals and malicious hackers. The fact this has been done without debate, oversight or advance warning to UK Apple users is extremely concerning.”

The CCC calls on the government to once again outline its reasons for the necessity and proportionality of such measures as soon as Monday in Parliament, and to urge parliamentarians in opposition to hold the government to account so that consumers can once again elect to encrypt and secure their data.


The Consumer Choice Center is a non-profit organisation dedicated to defending the rights of consumers around the world. Our mission is to promote freedom of choice, healthy competition and evidence-based policies that benefit consumers. We work to ensure that consumers have access to a variety of quality products and services and can make informed decisions about their lifestyle and consumption.

The UK Wants a Backdoor into EVERYONE’S Apple Cloud Data

Hide your group chat history. The UK has demanded Apple build a backdoor to its encryption services, giving the British police full key access to any Apple consumer’s content stored on the cloud.

And yes that means Apple users everywhere. Not just specific British users, but you, me, and every boomer with an iPhone. And if they comply with the British on this, Apple won’t even be permitted to warn consumers that the security of data doesn’t include security from the British government. 

Break Apple’s Encryption For All Its Users

The British government has served Apple with a Technical Capability Notice under the Investigatory Powers Act of 2016, also known as the Snoopers’ Charter—a fitting name, considering its intent. This law gives law enforcement the power to demand access to encrypted communications, overriding any security measures tech companies put in place.

But here’s the kicker: Apple wouldn’t even be allowed to warn its users that this is happening. We only know about this development because of leaks being reported by tech journalists at the Washington Post. This isn’t about targeting specific criminals with a warrant. The UK wants Apple to create a master key, a built-in vulnerability that would let the government unlock any iPhone’s cloud-stored content at will. And if Apple complies? The floodgates open.

Mike Salem of the Consumer Choice Center’s UK team put it well by saying,

“This is far beyond proportional as a response to national security threats, and sets an extremely dangerous precedent. Notices such as these will be served to other companies and other countries will want access to the same data the UK is trying to access. Crucially, it leaves all iCloud users in a vulnerable position, with information such as their personal details and photos exposed and un-encrypted, allowing criminals and foreign adversaries full access.”

Why Encryption Matters

Encryption is the bedrock of digital security.

At its most basic, it’s no different than when you’re in school and passing a note in class but every word is coded to mean something else so that the contents are a secret. See You After Class For Football Practice could be coded 10 thousand different ways and actually mean This Teacher Is Super Weird OMG Cringe. Like with ciphers or coded messages, letters are scrambled, but with digital encryption, the code – or key – for the note passed in class changes after every single use. In the real world, that is the foundation of encrypted chat like WhatsApp, Signal, or iMessage on an Apple device or even HTTPS on your browser.

Governments have long been frustrated by this. Former FBI Director Christopher Wray once argued before Congress that they should legislate a ban on commercial and personal encryption to help law enforcement catch criminals. He later reversed his position to encryption being the best consumer bulwark against Chinese hacks. The argument is always the same: they need access to encrypted devices to investigate crimes.

What the UK Is Demanding

Here’s the problem—weakening encryption for one case weakens it for everyone. If Apple builds a backdoor for the UK government, it’s only a matter of time before other governments demand the same access. And once an encryption backdoor exists, it’s a security risk that bad actors could exploit.

Rather than requesting access to specific user data through proper legal channels, the UK government is demanding a built-in backdoor that would allow authorities to unlock and access any Apple user’s stored data at will.

Apple has long resisted such demands, particularly when it comes to iPhone security. The company introduced Advanced Data Protection (ADP) in 2022, allowing users to fully encrypt their iCloud backups—meaning not even Apple could access them. It was a long-awaited move, especially after the FBI pressured Apple to delay rolling it out years earlier during Trump’s presidency.

Most iPhone and Mac users don’t enable ADP, but those who do gain significantly stronger protections against hacking, unauthorized surveillance, and data breaches. If Apple complies with the UK’s order, this level of security could be erased overnight.

What Happens Next?

Right now, Apple is legally forbidden from confirming whether it received the UK’s demand. However, leaks suggest Apple’s likely response will be to end encrypted storage in the UK entirely rather than compromise its security model. That decision would impact millions of UK users, but it’s entirely in the hands of secretive review boards that Apple will be appealing to behind closed doors.

The Bigger Picture

This fight is part of a larger trend—governments worldwide are pushing for more control over encrypted services, whether it’s cloud storage, messaging apps, or even VPNs that let users bypass restrictive online regulations.

But here’s the reality: Apple knows that consumers expect privacy, and it has shown a willingness to fight for encryption when it matters. That’s why it’s crucial to speak up, vote with your wallet, and protect your data.

✔ Enable Advanced Data Protection
✔ Update your passwords regularly
✔ Stay informed on digital privacy laws

Because once encryption is gone, it’s gone for good.

Oops, your data’s been exposed. What can you do?

This week, I received a letter from an employer of mine from when I was in high school, a local car wash.

It turns out there was a “data breach” that resulted in “unauthorized access” to my social security number.

Millions of Americans receive letters like this each year. Usually, the company will offer free access to a credit monitoring service, allowing individuals to see if any new credit cards, loans, or other activity has happened in their name.

What should be the individual remedy in this situation?

As a society, we haven’t yet standardized encryption of sensitive employee data, and it’s obviously a problem.

Employers are required to collect SS data to verify work status and to issue pay. But shouldn’t this be a one-time verification, and not stored on an insecure database forever?

Leaked SS numbers are some of the main avenues for identity theft. Should the company be liable? Or the state and federal laws that require storage of this data without safeguards? Added to that, should I be able to practice right of action and sue if I can prove I’ve been harmed?

If my SS number leaks onto the dark web, criminal actors buy in bulk and will attempt all kinds of fraud. What current penalties exist for these fraudsters? Is it enough? Is the Federal Trade Commission fulfilling its mandate here, or is it too concentrated on trying to break up tech companies?

A national privacy law could enforce tools we need to protect sensitive data like this. But previous attempts at a national privacy law haven’t meaningfully addressed this, and have focused more on deputizing lawyers and trying to outlaw targeted advertising than empowering consumers who’ve been harmed.

Ideally, we would have a law that would protect and standardize encryption while championing innovation and giving wronged consumers an avenue to be heard. But what else would be necessary?

The status quo of hacks, leaks, and data breaches happening without consequence is leading to hundreds of millions of people being harmed. Many existing rules enforced by states and the federal government require unnecessary collection of data that further puts us at risk.

Can we look to innovation to solve these issues? Zero-knowledge proofs, decentralized identity solutions, encryption, and more?

We’d love to see other ideas.

For now, we wrote up recommendations for data and consumer privacy at and we will expand this as we formulate more policy ideas. You can check them out here.

New Privacy Bill Aims to End Government’s Grip on Americans’ Financial Data

The Saving Privacy Act, aimed at curbing federal surveillance of Americans’ financial data, is gaining momentum. Backers argue the government has overreached, violating privacy rights without effectively targeting criminals. Provisions include repealing key financial reporting laws and strengthening Fourth Amendment protections. Supporters highlight the need to protect personal financial data while enabling authorities to pursue criminals within constitutional limits.

Saving Privacy Act Gains Support in Fight Against Financial Surveillance

The Saving Privacy Act has gained momentum with the backing of Senator Rick Scott (R-FL), who announced his support on Oct. 22 in Washington D.C. The bill, originally introduced by Senator Mike Lee (R-UT), aims to curb government overreach into Americans’ financial data, addressing what Scott called a “massive overreach” and a “gross violation” of privacy.

The senator from Florida described:

“Big government has no place in law-abiding Americans’ personal finances. It is a massive overreach of the government and a gross violation of their privacy.

“That is why I am teaming up with Senator Lee so that we can protect Americans’ personal financials for good. Our Saving Privacy Act will allow federal agencies to go after criminals while also protecting innocent Americans’ data. This is commonsense legislation, and I am urging my colleagues to support its immediate passage,” he explained.

Read the full text here

Data breach exposes pitfalls of customer identification regulations

One of the most consequential bank hacks of the last few years was just revealed to the public. In a post uploaded to its website two weeks ago, the Arkansas-based Evolve Bank and Trust informed its customers that a “cybersecurity incident” involving Russian ransomware group LockBit resulted in the theft of an unspecified amount of customer information.

The hacker group, which has been the target of an international law enforcement operation for years, had originally claimed the hack was of the Federal Reserve, raising some eyebrows on Wall Street.

Instead, as the group’s dark net website reveals, the stolen cache of records allegedly relates to Evolve Bank and Trust customers and those at partner FinTech companies, reportedly including names of customers, Social Security numbers, dates of birth, and scans of driver’s licenses and IDs.

While we do not know the full extent of the hack and the leaks, the bank’s unique position as a bridge between traditional finance and startup FinTech firms and neo-banks points to a much more dire situation than many would like to admit.

Many key financial services firms, including big names like Wise, Mercury, Stripe, Affirm, and many more, have already communicated to their customers that some of their data may have been included in the hack. I have personally received some of these emails from other accounts.

This relates to the looming bankruptcy of related banking provider Synapse, which acted as a middleman between FinTech firms and traditional banks like Evolve. Sens. Sherrod Brown (D-Ohio), Ron Wyden (D-Ore.), Tammy Baldwin (D-Wis.), and John Fetterman (D-Penn.) sent a letter on July 1 to the company demanding it make its customers whole. Evolve Bank, a major partner of Synapse, was also addressed in the letter. The alleged hack will now only escalate the situation.

Two factors make this alleged Evolve hack so devastating.

First, the scale and scope of the companies involved. The list of FinTech partners using Evolve’s banking license to issue financial accounts includes some of the largest institutions in the country, serving hundreds of millions of Americans. We will only know the true number of people affected once companies disclose whose data was compromised.

Second, federal laws required each company to collect significant personal and private data from its clients to provide to Evolve. Whether under the Bank Secrecy Act, the PATRIOT Act, the FDIC Customer Identification Program, Dodd-Frank Act, or the newly passed Corporate Transparency Act, the federal government mandates that customers hand over vast amounts of information and data that banks and financial institutions must retain to track down crime.

To comply with the myriad Know Your Customer and anti-money-laundering laws the government has imposed on financial institutions, each of these companies must collect and store the names, addresses, Social Security numbers, and ID scans of their customers to report to the Treasury Department. A nefarious Russian hacking group may now possess this information.

The scale of potential identity theft will only grow once criminals match this information with recent online breaches.

Some users have already reported phishing scams made possible by information from the hack, and yet more information may soon become available.

FinTech Substack writer Jason Mikula is one of the only journalists to cover this breach from the start. Evolve Bank sent him a cease-and-desist letter last week and threatened legal action if he reveals any information from the hacks.

Beyond the worries about a broader industry collapse surrounding FinTech, this episode should serve as a cautionary tale for those who push excessive Know Your Customer and anti-money-laundering laws for services that consumers use every day.

As I’ve previously reported on Return, one pending bill in the U.S. Senate would like to crack down even more on Bitcoin and cryptocurrency exchanges, requiring yet more personal data and even limiting the amount customers can withdraw without being labeled “suspicious.”

While attempts at a national privacy law are commendable, Congress and the Federal Trade Commission have focused too much on specific business models of various online companies rather than on creating legally enforceable penalties for hacks that endanger our private information and put us at risk of identity theft.

Instead of introducing more restrictions or requirements for companies to collect information to combat crime, we should ask whether the existing laws are putting us in greater danger. Common-sense rules that promote encryption, penalize bad actors, and minimize data collection would go a long way in protecting consumers from future harm.

Originally published here
