A new national data privacy legislative framework proposed by Privacy For America, a lobbying coalition that counts the biggest names of both Silicon Valley and advertising companies among its ranks, reveals exactly which points the broader data collection industry is willing to concede on. The centerpiece of the group’s vision for data privacy protection in the United States is a model that mostly limits notices and opt-ins to certain protected groups and circumstances, instead relying on increased regulatory power to the FTC and state governments to protect individuals.
In addition to documenting the points that member companies such as Facebook and Google appear to feel are inevitable, the new privacy legislative framework also shows which practices the industry is hoping to keep in place and shield from tighter regulation.
Big data’s privacy legislative framework
America’s biggest data companies have heavily involved themselves in the national conversation about federal data privacy protections, even calling for regulation at times. This is not out of altruism or concern for the end user, however, so much as it is an attempt to establish an early outsized influence over the process and steer this seemingly inevitable federal law in a direction that is favorable to them.
This new data privacy legislative framework that Privacy For America has proposed has all of the hallmarks of that approach. It is centrally defined as being in opposition to the “notice and choice” model, the current general framework under which the end user is expected to be notified of how their data is being used and to tick a box indicating their consent.
While notice and choice has its issues, including confusing “legal-ese” end user agreements and lack of control over stored data after it has been given up, most privacy advocates would likely agree that the model is an important component of a data privacy protection strategy and needs to be strengthened and improved rather than disposed of. This proposal would replace notice and choice conventions with a set of “norms” governing data practices backed by a combination of federal and state enforcement.
The Privacy For America proposal focuses heavily on baked-in regulatory protections to prevent the use of data for the purposes of marginalization. For example, it calls for added prohibitions against the use of data for discriminatory evaluations (job applications and housing, for example) and for “selective pricing” based on stored demographic information. It also particularly focuses on the protection of “tweens” (age 12-16) who are heavy internet users but not always subject to parental oversight. The proposed privacy legislative framework also includes provisions for simplifying the language of privacy policies, and rights to greater control of stored data.
Some elements of the group’s privacy legislative framework are conspicuous by their absence, however. Most notably, data considered “non-sensitive” (which would include the web browsing data that is the bread-and-butter of the targeted advertising industry) would not be subject to opt-in requirements. Also, only the protected tween group would have clear access to a “right to be forgotten” eraser function allowing them to remove any information volunteered while they were a minor. For other groups, the proposal only provides the right to “request access to” or “request deletion of” data, the only concrete offering being a once-per-year report of the company’s data use similar to an annual free credit report.
The privacy legislative framework would also allow companies to collect “sensitive” information (financial, biometric, location and health information) on an opt-in basis, potentially circumventing existing state regulations on the collection and storage of these special data categories. It is also important to note that the proposal calls for the simplification of language of privacy policies, but not necessarily the actual opt-in or opt-out notification the end user would be clicking on to communicate their consent.
Other important points of note include:
Expanded FTC authority over non-profit organizations and common carriers
Unspecified “exceptions” to the prohibitions against the use of stored data for predictive purposes
The data protection regulation appears to limit enforcement to “civil penalties”
Reports addressing the effectiveness of the law would only be prepared and put before Congress once every five years
Pre-emption of all similar state legislation enacted after June 2018, and a requirement that states no longer attempt to draft their own data privacy protection laws
No mention in the proposal of how offline data gathering would be handled
An end run around state data privacy protection laws?
A cursory examination reveals that these proposed data privacy protection rules appear to be an attempt to head off stronger state laws and future federal bills at the pass, particularly the new California Consumer Privacy Act. The proposal’s prohibitions mostly address things that are already illegal or enforceable at either the state or federal level, while codifying existing “business as usual” web-based data collection practices. It does not go nearly as far as the European Union’s GDPR, which a member letter to Congress dismisses on the basis of “regulatory costs and uncertainty.”
The proposal goes before Congress as several competing data privacy protection bills are either being drafted or considered; these mostly contain stronger protections for consumers that would put more of a burden on data collectors, up to criminal penalties for CEOs in the case of at least one bill.
Provisions for vendor compromise
Interestingly, a small section of the industry’s online privacy protection act proactively addresses the issue of third-party data breaches and the need for improved vendor security.
The proposal would require any company that shares consumer data with vendors to develop a contract governing the data sharing terms and to conduct ongoing “due diligence” to ensure the data is being used appropriately and lawfully. This would require the originating company to play a greater role and take on greater obligations in policing the transfer, storage and use of customer data by vendors.
Summing it up
While the proposed privacy legislative framework contains useful terms, in some areas it is essentially an even weaker version of the more lax federal data security bills already being considered by Congress. While it may have some influence on the legislative process, as-is this framework seems unlikely to be adopted in a regulatory environment in which consumers are increasingly concerned about data privacy protection and how their personal information is being handled.