Where We Stand: Congress Should Pass a Strong Privacy Law, Now
Consumer Reports’ advocates outline a plan for how lawmakers could protect consumer privacy in the wake of the Facebook data leak
The revelation that Facebook shared vast quantities of its users’ personal data with Cambridge Analytica and other third parties has put the issue of consumer data privacy front and center in the national conversation.
One of the most prominent voices in that conversation has been Jessica Rich, former director of consumer protection at the Federal Trade Commission and now vice president of advocacy at Consumer Reports. While at the FTC, Rich oversaw an investigation of Facebook’s privacy practices that resulted in a consent order for the company—one that Facebook may have violated, according to the current regulators at the agency.
Rich and Justin Brookman, another FTC alum who is now the director of privacy and technology at Consumers Union, the advocacy division of Consumer Reports, have laid out a series of principles that we at CR hope can one day soon inform strong regulation to protect consumer data and privacy. (CR has also proposed benchmarks for consumer digital rights in our Digital Standard.)
The U.S. is one of the few advanced countries that doesn’t have a privacy law that gives people rights over their personal information. And now, even Silicon Valley CEOs like Apple’s Tim Cook and Facebook’s Mark Zuckerberg say they’re open to the idea of regulation.
So what would a privacy law do? The goal, Rich and Brookman say, is to put consumers back in charge of their personal information. The law would require:
Simple and easy-to-use consumer choices. Some data collection is necessary just for a product to work. But a lot of practices are extraneous to the core functionality of a product—for example, the sale of information to third-party data brokers, or all-encompassing surveillance of how consumers use a product in the name of “analytics” or “product improvement.” Consumers deserve easy, standardized tools that give them control over their information and allow them to stop companies from using their data for these extraneous purposes. Wherever possible, consumers should be able to make choices about multiple companies at once. For example, Consumers Union supports the notion of a robust Do Not Track option in browsers to enable consumers to limit online tracking as they navigate the web.
The collection and retention of only the data necessary—and the disposal of old data. Consumers shouldn’t bear the entire burden of protecting their privacy through settings and controls. Some practices should simply be out-of-bounds, because of the sensitivity of the data, or the potential for discrimination or abuse. What kind of information should be off-limits? One example might be details of a medical condition, revealed through a consumer’s web searches and online reading. Companies should also collect just as much data as they need to make their product or service work properly. For instance, a navigation app needs to know where you are, and where you want to go, but it probably doesn’t need access to your contacts. Next, companies should get rid of data they no longer need—today, many companies keep consumer information around indefinitely with the vague hope that they’ll be able to find new ways to exploit it later. But that poses a threat to consumers. Personal information left for years on corporate servers can be compromised in a data breach, put to unwelcome uses, included in a corporate sale, or accessed by others in litigation.
Strong data security practices. Companies that collect and maintain personal information should put in place basic protections to ensure that outside attackers cannot access it. Last year’s Equifax breach highlights the urgent need for these protections—in that case, sensitive data on nearly 150 million people was stolen by criminal hackers because the company failed to keep its software updated. And many Internet of Things devices are being designed without even the most rudimentary security protections. If companies collect our information, they should be required to protect it.
Ways for consumers to get easy access to their information. Consumers should be able to see what information companies maintain about them. Such access rights are a fundamental part of privacy laws in Europe and elsewhere. And in fact, overseas regulations have led to some companies making more information available to their American users as well. But those companies are the exception instead of the rule, and U.S. citizens shouldn’t have to rely on other countries to protect them. Additionally, services such as social networks should be required to make it easy for consumers to export their data, in case they want to switch services.
A strong enforcement cop to ensure accountability. Even a strong privacy law won’t help consumers unless it’s backed up by strong enforcement. For more than 20 years, the FTC has taken the lead on privacy and security issues, but it has limited authority and inadequate resources. Specifically, the agency lacks two key tools: the power to obtain civil penalties for wrongdoing and the power to enact regulations clarifying what companies can and can’t do with consumer data. Further, the FTC needs more staff on the consumer data beat, including technologists and computer scientists who can keep pace with Silicon Valley’s race to collect and monetize more consumer information.