In general, most Americans have integrated the use of the internet, smartphones, and apps to their lifestyles. The submission of private information comes as part of this integration.
Though it is common practice for companies to collect data, some critical questions are being asked: How much data is too much? Is all the data being provided necessary for companies to operate? Is this data being used for dastardly reasons other than what we’re signing up for? Is sensitive personal information being sold to advertisers?
“Is it really reasonable to turn over all my financial data and all my location data just to use [the flashlight] app? I would say no,” said Neema Singh Guliani, of the American Civil Liberties Union, during this month’s hearing held by the Senate Committee on Commerce, Science & Transportation.
Lawmakers have heard these cries and are responding with the proposed legislation. California set a precedent for consumer data protection with the passage of the Consumer Privacy Act (CCPA), which will take hold in January 2020, according to The Hill.
Though the law is imperfect and in need of tweaking, it gives internet users more control over their data and requires companies to be more transparent with their intentions.
“California has taken the first real steps in the nation to protect people’s privacy,” reads a statement by California Attorney General Xavier Becerra.
In the wake of the CCPA, different federal data protection bills are in the works. Chief among them is the Privacy Bill of Rights Act, which was introduced by Sen. Edward Markey (D-Massachusetts) last month.
Markey was moved to draft such a bill in response to the plethora of companies accused of sharing customers’ data without consent, and breaches that compromised the data of millions. The bill would enact policy for businesses online and offline to follow, among others.
“[The bill] bans the use of individuals’ personal information for harmful, discriminatory purposes, such as housing and employment advertisements targeted based on demographics like race and gender,” reads the bill.
Furthermore, the bill would:
-
Require companies to protect and secure the personal information that they hold
-
Establish a centralized Federal Trade Commission (FTC) website that tells consumers about their privacy rights and requires companies to use easy-to-read short-form notices provided directly to consumers
-
Ensure companies collect only the information they need from consumers in order to provide the requested services
-
Enables state attorneys general to protect the interest of their residents and bring action against companies that violate the privacy rights of individuals. Individuals will also have a private right of action which will enable them to bring lawsuits against violators
“America’s laws have failed to keep pace with the unprecedented use of consumers’ data and the consistent cadence of breaches and privacy invasions that plague our economy and society,” Markey said on his website. “I have long advocated for privacy protections that include the principles of knowledge, notice and the right to say ‘no’ to companies that want our information.”
However, as mentioned before, Markey’s bill is not the only one in play, and shares vital elements with others. Recently, Sen. Catherine Cortez Masto (D-Nevada) introduced legislation requiring non-HIPAA companies to allow patients to opt into or out of data collection.
Also, Sen. Marco Rubio (R-Florida) proposed a similar bill that would override state law.
The number of bills currently in the works is an issue in itself, but, the preemption aspect of Rubio’s proposal is an example of one of the fears expressed by privacy advocates.
Following California’s example, consumer privacy bills have been introduced in 31 states and federal legislatures, according to legal intelligence resource JD Supra. Examples include Illinois’ Biometric Privacy Act and Vermont’s Data Broker Act. The concern is a “watered down” federal policy will render potential local laws obsolete and debilitate protection of consumers.
“The last thing we want to do is weaken the ability of [state governments] to have a seat at the table to enforce and create new laws,” Guliani said.
Another issue privacy advocates want to address is the “notice and consent” paradigm companies use to collect data.
The notice is a presentation of the terms to which users are agreeing. Much of the time, due to lengthy, hard-to-understand notices, users will blindly agree to terms they would/should think twice about.
The Washington Post recently published a report about a period/pregnancy tracking app that shares data with users’ employers, unbeknownst to most. Apps like that (i.e., fitness trackers, productivity monitors) cannot function without users’ sensitive personal data.
Currently, there is nothing in place to bar companies from sharing or selling that data to employers, advertisers, or insurance companies. Advocates want companies to be transparent about what they are doing with the data, but obtaining consent is not enough.
As it stands, users are left with two options: give the data or don’t use the service. One solution could be to limit what companies use data for, which Markey has included in his bill.
“A federal privacy bill must build on the notice and consent framework by explicitly prohibiting certain types of data use,” Markey said.
Though it appears consumer data protection is on the table, for now, the task is far from finished. For one, members of Congress should come together and agree on one substantial bill that would best suit Americans.
Once that is decided, the federal bill — as well as most of the ones introduced on the state level — has to pass through the necessary channels to become a law. For now, users should thoroughly read all notices to the best of their ability and proceed with caution.
Business owners should not fret but should try to do better by their customers.