A look at the growing consensus on online privacy legislation: What’s missing?

Cindy Ponder-Budd

Six years seems like a century in tech policy. While there is now a growing consensus among the tech industry, regulatory advocates, and policymakers on the need for comprehensive privacy legislation, a blueprint proposed in President Barack Obama’s 2012 Consumer Privacy Bill of Rights proved unsuccessful. Had Congress taken up legislation in 2012, it may have forestalled the egregious regulations the EU and California adopted.

In any case, the principles agreed on today generally align with those proposed in 2012. They’re hardly controversial: individual control, transparency, security, accountability, and strengthened enforcement at the Federal Trade Commission (FTC). The 2012 proposal supported using multi-stakeholder processes to develop enforceable codes of conduct through Section 5 of the FTC Act and global interoperability. Importantly, the Obama administration was adamant about the need for preemption of state laws that would contradict the national standard. It expected states to participate in multi-stakeholder processes and believed that states proposing more stringent requirements would diminish incentives for firms to adopt the codes of conduct.

Moreover, the administration wanted Congress to codify forbearance from enforcement of state laws for companies already compliant with the FTC’s codes of conduct. Fortunately there is bipartisan agreement in Congress — Sens. Amy Klobuchar (D-MN) and John Kennedy’s (R-LA) bill — offering a win-win for both parties and a common set of rules for all consumers online. This blog briefly reviews the areas of policy agreement and unresolved issues.

A growing consensus on the principles of consumer online privacy

Reviewing the statements of principles from many in the industry (US Chamber of Commerce, Information Technology Industry Council, Verizon, and Spectrum, to name a few) shows common ground:

  • Transparency. Enterprises must provide clear, easy to understand information about their practices for the collection, use, and sharing of information. And they must be able to make available to the consumer, without undue cost or delay, the information the consumer provided to the enterprise and a description of the types of additional information the enterprise may have about the user.
  • Accountability. Companies must put in place reasonable security measures to protect consumers’ information and should notify consumers when breaches occur and threaten harm. Companies have also offered to establish rigorous governance procedures to ensure compliance with legal requirements.
  • Safe harbor. There is agreement that legislation should give firms that follow the law confidence that they are not in danger of arbitrary prosecution. Moreover, companies need to have the ability to experiment with and improve on data privacy systems without fear of punishment. Policymakers should also consider the role of incentives for design and experimentation with privacy-enhancing technologies, such as grants, awards, prizes, and competitions. Better privacy enhancing systems will drive competition and global preeminence.
  • Opt-in requirements for “sensitive” personal information. Categories of data such as health, financial, age (for children), and precise geolocation are deemed “sensitive personal information,” and many are already regulated under existing laws. Any online entity collecting this information would need to provide a clear opportunity for consumers to affirmatively opt in to the collection, use, and sharing of this information. (Note that while the Federal Communications Commission’s 2015 online privacy rules required internet service providers to get opt-ins for all information collected, even if it was not sensitive, no such obligation was required for search engines, social media, or other online entities. Congress wisely struck down these arbitrary and asymmetrical rules that confused consumers about which protections were offered for competing services.)
  • Consistency. Another consumer-centric principle is a common set of rules for all Americans for all online entities, enforced by the FTC with the support of state attorneys general under federal law.

Issues to be resolved

The FTC is best equipped to handle these new responsibilities because of its experienced staff, mature processes, and deep privacy and security expertise: There should be a glide path to integrate the duplicative consumer protection functions from other federal agencies into the FTC to maximize the value of federal dollars and enforcement effectiveness.

In the meantime, the FTC can learn from the current multi-stakeholder efforts to develop codes of conduct, such as the one on artificial intelligence and algorithms the Brookings Institution supports This represents another key opportunity for any potential federal policy to leapfrog ahead of the EU’s General Data Protection Regulation, which involves regulations so onerous that on strict reading they effectively nullify next generation information processing.

A proper national policy removes rent-seeking incentives for states and litigants. Sadly, many US states are under financial distress because of historically bad management, and America’s connected digital industries offer an untapped source of revenue even if they have not violated privacy rules. However lucrative it may be to sue these companies, the better option is for states to make their economic environments friendlier to enterprise and to earn revenue by taxing legitimate business activity. If we do nothing, California’s misguided rules will become the standard. Even worse, US policy could devolve into 50 sets of rules, frustrating the seamless, connected digital economy we enjoy today. We need good legislation to keep bad regulation away.


The View