With Europe passing the General Data Protection Regulation (GDPR) — a significant piece of data protection legislation with global implications — and now California implementing a new privacy law, coupled with several high-profile incidents involving companies exposing consumer data, there is a growing push for federal data privacy legislation in the United States.
What Is Data Privacy?
Data privacy laws define who is legally authorized to collect, store, and use one’s personal information. These laws are intended to protect individuals from three types of injuries that can result from the violation of their privacy. First, harm to one’s autonomy can result when information a consumer considers sensitive and would prefer to keep private becomes public through involuntary means. Second, discrimination occurs when personal information is used to unfairly deny a person access to something, such as housing, credit, or employment. Finally, economic harm occurs when a consumer suffers a financial loss because of the misuse of his or her personal information, as happens in cases of identity theft or fraud.
The Digital Economy Runs on Data
Creating stronger privacy laws is simple. But creating stronger privacy laws that do not undermine the digital economy is much harder.
One reason it is difficult is that a significant share of U.S. tech companies — both big and small — have business models that use personal data. Contrary to what is often claimed, most companies do not actually sell personal data. Instead, they sell advertisers access to users without revealing their personal information. For example, Facebook sells advertisers access to users’ newsfeeds. Advertisers pay to reach an audience, such as middle-age women in Nevada who like dogs and running. In most cases, advertisers do not know who has seen their ads, only that their ads have been placed in front of a specific group of people.
Consumers get many benefits from this arrangement. Most importantly, these online ads subsidize the costs of most of the free and low-cost online services most consumers enjoy, such as email, news, social networks, games, music, and video. And consumers see relevant ads that they are more likely to be interested in.
The U.S. Approach to Data Privacy in the Private Sector
The United States does not have a single federal data privacy law for the private sector. Instead, the United States has multiple privacy laws and regulators. Some laws create privacy rules for a specific sector, like health care or financial services, whereas others focus on providing specific safeguards, such as protecting children’s privacy.
The Federal Trade Commission (FTC) is the primary regulator for consumer privacy. It has authority to take action against companies who engage in “unfair or deceptive practices.” When companies do not keep their promises to protect consumer data, the FTC can pursue enforcement actions against them.
Many stakeholders want to update federal data privacy laws to give consumers new rights and to address problems with the new laws in the EU and California. There are five important policy goals that Congress should consider.
First, Congress should improve transparency. Unfortunately, privacy policies are written for lawyers — not consumers — because doing otherwise often exposes companies to penalties for non-compliance. Federal privacy rules should require clearer privacy notices.
Second, Congress should address concrete privacy harms, rather than hypothetical ones. Recent government surveys show U.S. consumers are primarily concerned about identity theft and credit card fraud — issues that are only tangentially related to the ongoing debates about the private sector’s collection and use of consumer data for online advertising. Any federal privacy law should put more weight on addressing consumers’ concerns, such as by phasing out the use of Social Security numbers and replacing them with a secure alternative.
Third, Congress should improve enforcement. While the FTC has shown leadership on data protection, bringing over 500 cases since 1998, it needs more resources. In 2015, the FTC had only 57 full-time staff working on these issues. Moreover, the FTC needs more authority to penalize actions that harm consumers to deter bad actors.
Fourth, Congress should consider the impact on innovation. If badly designed, as both the GDPR and California’s law are, certain provisions in privacy laws can actually reduce the supply of innovative technologies and services. For example, requiring companies to minimize the data they collect and only collect it for predefined purposes can severely restrict them from discovering innovative secondary uses of data. And high compliance costs coupled with lower ad revenue can undermine the business model for free online services.
Finally, Congress should preempt states from passing their own conflicting data privacy laws. Consumers should have the same protections regardless of which state they live in, and companies should not be faced with 50 different state laws.
Alan McQuinn is Senior Policy Analyst at the Information Technology and Innovation Foundation.