All over the world, government officials are trying to figure out how to craft laws and regulations about privacy – especially for digital data and online activity. The European Union’s General Data Protection Regulation took effect in May 2018, prompting not shortage of companies – fashion and luxury brands included – to address how they collect, store and remove data. About a month later, California’s Consumer Privacy Act came into fruition. Both impose stringent new legal requirements on organizations that collect and use personal data.
In the U.S., lawmakers and an increasing number of voters are starting to wonder if it is time for a comprehensive U.S. privacy law. State legislatures are considering more than 90 privacy-related bills, and Congress has more than a dozen bills of its own. In April, the Federal Trade Commission (“FTC”) held the latest in a six-month long series of privacy and security hearings, which asked, among other things, “What are the actual and potential benefits for consumers and to competition of information collection, sharing, aggregation, and use? To what extent do consumers today, or are consumers likely to, realize these benefits?”
The general consensus is something needs to change: Consumers want better protection for their data, and businesses want clear national laws instead of 50 different state standards. Yet there is virtually no consensus about what a broad privacy law should entail. Fortunately, almost 50 years of experience with laws adopted in other countries and various U.S. states, suggest three key elements that any comprehensive privacy law should include.
Change who is responsible
For decades, U.S. laws have made people individually responsible for protecting their own privacy. Businesses can legally use personal data for almost anything, provided they at least tell consumers what they’re going to do, and give people a chance to object. That is why many websites and software packages have long, complicated privacy policies in incomprehensible legalese that customers are required to agree to before they can use the system or website.
Consent has never provided strong privacy protection, as privacy regulators around the world have acknowledged. People rarely read, much less understand, privacy notices. They definitely do not keep track of everything they have allowed each company to do with their information in exchange for the right to use a social media app or a brand’s e-commerce site. And they rarely – if ever – take legal action to enforce any limits or punish any violations.
Advancing technologies have made the problem much worse, enabling nearly ubiquitous data collection. Cameras, phones, cars, refrigerators, smart TVs, networked thermostats, and thousands of other internet-connected sensors record the steady trail of what has been called “data exhaust” that people generate as they live their lives. Websites track exactly what you have browsed and what you have – or have not – purchased.
At the same time, “Retailers also use wifi and Bluetooth sensors to track your mobile device (and, therefore, whoever is in possession of it: you) without you ever having signed in or asking for your permission to do so,” per Vox. Called passive tracking, the practice uses you (or maybe better yet, your phone) to get “aggregate data, like which areas of the store are more popular than others, the busiest times of day in a location, or even how many people pass by the store without stepping inside.” (Vox says that some retailers, such as Nordstrom, have stopped passive tracking after public outcry when the practice came to light).
It is absurd to expect people to be aware of, understand and make intelligent choices about how their data are used. And it is unconscionable to make those individuals responsible for the consequences of choices they did not know they made and could not have understood if they had tried.
Effective data protection laws should require anyone who uses personal data to bear both responsibility and liability for its misuse. The goal is simple: to ensure that companies and government agencies are accountable for how they collect, store, use and share information – just like equipment manufacturers are when they make an unsafe product. The threat of legal consequences helps executives and other leaders make sensible choices about how much data to collect, how long to keep it and how to protect it.
The law should also stop focusing so much on data collection. Sure, there are some types of collection that should be regulated or banned. Yet, there is almost always a legitimate reason to collect data. Moreover, an increasing volume of data is inferred or calculated – like credit scores and machine-learning algorithms’ decisions on who should get a loan or be granted bail after being arrested.
The real focus for data protection should be on how data is used and shared. Some uses might be permitted, some might be prohibited. Then people could focus more attention on the hard areas in between.
For example, using data to prevent fraud or conduct research might be freely allowed, and someone claiming to have been harmed would have to meet a high legal bar to prevail. On the other end, using data to harass, annoy or stalk someone might be considered harmful by definition – and all a court would need to find out is who did it. The clearer things are at the extremes, where making judgments is comparatively easy, the more people can focus on the middle ground – where lawmakers, regulators and judges solve problems every day in other areas.
Personal data has real value, on which much of the U.S. economy has been built, not to mention companies’ and entrepreneurs’ fortunes. The data will only get more valuable the more of it exists and the more it is stored and analyzed over time. It is important not to overregulate, but that shouldn’t prevent policymakers from addressing uses of data that are widely accepted as inappropriate or even dangerous.
Create strong enforcement
Many privacy violations already break existing laws. But there is not enough time or energy to catch everyone. In the U.S., the primary federal privacy regulator is the FTC, which has only 40 employees working on privacy protection, and as Commissioner Rebecca Kelly Slaughter stated in an FTC consumer privacy hearing in April, “There are large categories of personal data that are not covered by our rules, what we share on social media, and what we share with many retailers, including our largest online retailers.” European countries have more than 10 times as many workers (and far more stringent regulations) to cover a similar population.
If the FTC had more people, and more authority, it could do more than just bring actions when big companies break promises in headline-grabbing ways. This is especially important in areas where consent is appropriate and does play a role – like if a social media platform or smartphone app asks to access your contacts, but then sends them all a spam text.
The goal is not just catching people and companies who violate others’ privacy and misuse their data. The point is to make clear what the public and policymakers agree on: Personal data has real value, and privacy is important, today perhaps more than ever.
Fred H. Cate is a Distinguished Professor and C. Ben Dutton Professor of Law at Indiana University. (Edits/additions courtesy of TFL)