All over the world, government officials are trying to figure out how to craft laws and regulations about privacy – especially for digital data and online activity. The European Union’s General Data Protection Regulation took effect in May 2018; about a month later, California’s new Consumer Privacy Act did, too. Both impose stringent new legal requirements on organizations that collect and use personal data.
In the U.S., lawmakers and an increasing number of voters are starting to wonder if it is time for a comprehensive U.S. privacy law. State legislatures are considering more than 90 privacy-related bills, and Congress has more than a dozen bills of its own. Meanwhile, in April 2019, the Federal Trade Commission held the latest in a six-month long series of privacy and security hearings.
Everyone agrees something needs to change: Consumers want better protection for their data, and businesses want clear national laws instead of 50 different state standards. Yet there is virtually no consensus about what a broad privacy law should entail. Fortunately, almost 50 years of experience with laws adopted in other countries and various U.S. states, suggest three key elements that any comprehensive privacy law should include.
Change who’s responsible
For decades, U.S. laws have made people individually responsible for protecting their own privacy. Businesses can legally use personal data for almost anything, provided they at least tell consumers what they’re going to do, and give people a chance to object. That is why many websites and software packages have long, complicated privacy policies in incomprehensible legalese that customers are required to agree to before they can use the system. For instance, the current Apple privacy notice takes up about 74 iPhone screens.
Consent has never provided strong privacy protection, as privacy regulators around the world have acknowledged. People rarely read, much less understand, privacy notices. They definitely don’t keep track of everything they’ve allowed each company to do with their information, and take legal action to enforce any limits or punish any violations.
Advancing technologies have made the problem much worse, enabling nearly ubiquitous data collection. Cameras, phones, cars, refrigerators, smart TVs, networked thermostats and thousands of other internet-connected sensors record the steady trail of what has been called “data exhaust” that people generate as they live their lives.
It is absurd to expect people to be aware of, understand and make intelligent choices about how their data are used. And it is unconscionable to make those individuals responsible for the consequences of choices they did not know they made and couldn’t have understood if they had tried.
Effective data protection laws should require anyone who uses personal data to bear both responsibility and liability for its misuse. The goal is simple: to ensure that companies and government agencies are accountable for how they collect, store, use and share information – just like equipment manufacturers are when they make an unsafe product. The threat of legal consequences helps executives and other leaders make sensible choices about how much data to collect, how long to keep it and how to protect it.
The law should also stop focusing so much on data collection. Sure, there are some types of collection that should be regulated or banned – like putting hidden cameras in bathrooms or changing rooms, or collecting data after specifically promising not to.
Yet there is almost always a legitimate reason to collect data. Moreover, an increasing volume of data is inferred or calculated – like credit scores and machine-learning algorithms’ decisions on who should get a loan or be granted bail after being arrested.
The real focus for data protection should be on how data is used and shared. Some uses might be permitted, some might be prohibited. Then people could focus more attention on the hard areas in between.
For example, using data to prevent fraud or conduct research might be freely allowed, and someone claiming to have been harmed would have to meet a high legal bar to prevail. On the other end, using data to harass, annoy or stalk someone might be considered harmful by definition – and all a court would need to find out is who did it. The clearer things are at the extremes, where making judgments is comparatively easy, the more people can focus on the middle ground – where lawmakers, regulators and judges solve problems every day in other areas.
Personal data has real value, on which much of the U.S. economy has been built, not to mention companies’ and entrepreneurs’ fortunes. The data will only get more valuable the more of it exists and the more it’s stored and analyzed over time. It’s important not to overregulate, but that should not prevent policymakers from addressing uses of data that are widely accepted as inappropriate or even dangerous.
Create strong enforcement
Many privacy violations already break existing laws. But there isn’t enough time or energy to catch everyone. In the U.S., the primary federal privacy regulator is the Federal Trade Commission, which has only 40 employees working on privacy protection. European countries have more than 10 times as many workers to cover a similar population.
If the FTC had more people, and more authority, it could do more than just bring actions when big companies break promises in headline-grabbing ways. This is especially important in areas where consent is appropriate and does play a role – like if a social media platform or smartphone app asks to access your contacts, but then sends them all a spam text.
The goal is not just catching people and companies who violate others’ privacy and misuse their data. The point is to make clear what the public and policymakers agree on: Personal data has real value, and privacy is important, today perhaps more than ever.
Fred H. Cate is a Distinguished Professor and C. Ben Dutton Professor of Law at Indiana University.