While the European Union and the state of California have been devising comprehensive privacy protection systems within their regulatory borders, the United States government has chosen not to regulate, or to regulate only a limited number of data controllers (e.g., the FCC’s short-lived regulations governing privacy practices of internet service providers). It is time for Congress to create a unified privacy law that applies to all players equally.
We use the internet so seamlessly that it is easy to forget that the accumulation of data from our choices and habits is essentially a business model. This data can be used to predict trends and assist consumers or it can be hacked by those who use it to prey on internet users. The recent spate of data breaches is a sign and a symptom of the need to protect the privacy and trust of individual users, which must be equally balanced by the need to allow innovation and creativity in the internet ecosystem.
At the end of September, Facebook experienced another data breach impacting 50 million Facebook users. This was in the same week that the Senate Committee on Commerce, Science, and Transportation convened a hearing titled “Examining Safeguards for Consumer Data Privacy.” The Committee, chaired by Senator John Thune, focused on the methodologies used by both network operators and companies including Google, Amazon, and Apple. Each testified on what they currently do to protect consumers’ data in a world where that data has been treated as a commodity rather than the sensitive personal data of individual users.
All of the companies testified that the time has come for Congress to act. But beyond this level of basic agreement, it is important to get the framework right. This means avoiding being underinclusive (essentially giving some companies a free pass on data privacy) and being overinclusive (which would harm innovation online and prevent consumers from getting some information or benefits they want). This hearing merely highlights the need for Congress to take action.
The differences in how consumers access and use the internet do not change the fact that regardless of the platform, consumers expect that their data will not be exposed for unintended uses. As Senator Thune put it, “Consumers deserve clear answers and standards on data privacy protection.”
We have passed the time when one can seriously argue that an edge provider is somehow special and deserves different rules than other companies. The reality is that edge providers are most likely to use data as their ultimate product, resulting in harm when this information is either misused, mishandled or, as we have seen in the news, stolen.
“Special,” in this context, would result in confusion among consumers, patchwork rules, and ultimately harm to individual privacy. The goal has to be rules that balance the need to protect consumers and the need to innovate and invest in the internet ecosystem.
Senator Thune promised more hearings with privacy activists and leaders from Europe. As of now, Americans are caught between new digital privacy laws in the European Union and California. These laws have taken different but expansive (in California’s case, extremely expansive) approaches to privacy protection.
These approaches are not the way forward. Both privacy regimes entail huge administrative burdens, and California’s has provisions that would harm innovation. State-by-state regulation will lead to misunderstanding, inability to enforce the provisions effectively, and lots of lengthy, expensive litigation. Litigation—costly, innovation-sapping, and time-consuming—is not the way to resolve these issues.
Instead, Congress can do something simpler, which is to set up one standard for consumer privacy that applies to all companies no matter where they are in the internet ecosystem and no matter how consumers access the internet. In other words, “keep it simple, Senators.”
A national consumer data privacy law for the U.S. should stick to a basic principle: one standard for everyone, so that consumers have one set of expectations concerning how their data and privacy are treated when they are online, whether it’s for e-commerce, social media, simple browsing, or anything else that consumers do online. Of course, certain types of online interactions (notably, with physicians and other healthcare providers) are subject to heightened privacy rules and other rules. I’m far less worried about protecting privacy in the patient/doctor relationship—something doctors have been doing for centuries—than about those who hold large amounts of consumer data and virtually no restrictions on how that data can be used.
The simple truth is that Internet Service Providers (ISPs) have far less visibility into what consumers do online than the large social media and search companies. Simply typing “https” rather than “http” or going to a secure site reduces the data your ISP can see. Ultimately, the ISP model is based on service, not on the data that is accumulated. So, as the debate moves forward, the focus should be on bright line rules applicable to every internet company that promote transparency to consumers, protect sensitive data, and encourage innovation.
According to Senator Thune, “The question is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take.” That’s absolutely true—and the best way is to have a single standard that applies to everyone. The challenge is to advance consumer privacy without harming innovation. There’s still time to act; California’s law does not come into full effect until 2020. Rhetoric is long; time is short … keep it simple. Take a page from Nike: Just Do It.
Download the article: INSIGHT: The Internet is Waiting for Congress to Take Action on Privacy
Originally published at Bloomberg BNA