Following a string of data breaches that touched tens of millions of consumers, and revelations of user data exploitation by popular social media platforms, there’s a broad national consensus: It’s time for internet users to have guarantees about privacy and data protection. Legislation is long overdue.
Some states, such as California, have already taken action. One year ago, California passed a sweeping privacy protections law. Other states have expressed an intention to do so, and Congress is expected to consider legislation. What’s the best way forward?
Congress must take its responsibility to protect user privacy and data seriously. At a minimum, any new federal law should provide internet users with the knowledge of which personal information is collected by the websites they visit and how that information is used. They should have a meaningful opportunity to opt out of these collection and use practices.
Congress should also ensure that any user’s sensitive personal identification information — such as a driver’s license, credit card number or Social Security number — can be collected and retained only with that user’s consent. Reasonable rights to access and correct user-provided information should also be afforded.
But it’s important to realize that web services are offered on a national basis and many would be disrupted by a multiplicity of diverse and contradictory state privacy requirements. The compliance costs could be enormous, particularly for small and startup businesses. There may be situations where it’s literally impossible to comply with the conflicting requirements of different states’ laws.
Not only would compliance with various state requirements be exceedingly difficult, consumers would be constantly unsure about which state’s privacy requirements apply. Consider the mobile service provider whose customer lives in one state, travels to another state and accesses an e-commerce site headquartered in a third state. The service provider is headquartered in a fourth state and uses a server data center in a fifth state.
Whose law applies — the state of residence of the customer or internet edge provider? The state of location of the customer or that of the service provider? Or the state where a server sends and receives customer messages?
To avoid this obvious confusion, it’s far better for Congress to adopt one strong, clear national privacy standard that would be applicable across the entire internet ecosystem, from the service provider to content-providing companies. In order to prevent disruption and consumer confusion in the application of an internet privacy law, Congress should pass its own privacy standard that preempts the states from their own regulation.
Such action would certainly not be new. Congress routinely preempts states in instances where a single uniform national standard is called for.
For example, in the Energy Policy and Conservation Act, Congress preempted state (and local) action on the energy efficiency of appliances where a national standard is in place. In the Toxic Substances Control Act, Congress preempted state action in favor of national regulation of chemicals covered by Environmental Protection Agency rules. Congress has also been quite clear that action by the Food and Drug Administration preempts conflicting state standards in the area of approval of new pharmaceuticals and medical devices.
Appliances, chemicals, prescription drugs, medical devices — all of these are goods of major importance to the national economy. So too is e-commerce involving the sale of both physical and digital goods. Federal preemption was right in the areas referenced above and, to avoid harming the internet economy and preventing consumer misunderstanding, is also right for data privacy standards.
It would be a critical mistake for Congress to enact a data privacy law that only provides a base from which the states can add additional requirements. Through the resulting disruption and chaos, harm would come to the internet economy while doing little if anything to advance real privacy for internet users.
A single, strong national data privacy standard would provide clear rules for companies to follow while fostering consumer understanding of the privacy assurances that have been extended to them.
Fortunately, the need for data privacy protection enjoys rare, widespread bipartisan support. It’s now Congress’ turn to act.
Originally published at San Francisco Chronicle