By: Sarah Johnson
This week we’ll take a closer look at some internet privacy legislation, primarily the American Data Dissemination (ADD) Act. It seems like each week there is a breaking news story about how some tech giant who plays an integral role in our everyday lives has done something with our data most of us are not comfortable with. Whether it is selling our data or using third party companies to deliver apps that invade privacy, it is clear there needs to be some minimum standards set when it comes to privacy, transparency, age and consent.
How Did We Get Here?
When we look at data privacy and the laws that govern it, there is not a single, comprehensive law that regulates the collection and use of personal data on a federal level. That means there are no clear protections and precautions that must be followed by companies to protect consumers enforceable by the US Federal Trade Commission (FTC) on a national level.
The 1974 Privacy Act established a “Code of Fair Information Practice” that governs the collection, maintenance, use and dissemination of personally identifiable information that is maintained in systems of records by federal agencies. Overall, it aims to:
- Restrict disclosure of personally identifiable records maintained by agencies
- Grant individuals increased rights of access to agency records
- Grant individuals the right to seek an amendment to agency records maintained on themselves if they can show the records are not accurate, relevant, timely or complete
- Establish a code of “fair information practices” which requires agencies to comply with statutory norms for collection, maintenance and dissemination of records
What is Happening when it Comes to Data Privacy?
The Privacy Act only applies to government agencies, not private companies. I’m sure I won’t be the first person to tell you this, but companies are collecting every bit of data about you that they can. Companies that collect data are called data brokers. Data brokers are entities that collect information about consumers, and then sell that data (or analytic scores or classifications made based on that data) to other data brokers, companies and/or individuals.
These companies collect everything from names, addresses, income, what websites you visit, where you are and where you’ve been, who you talk to, if you like dogs or cats and what funny viral videos you’ve been watching. Part of what makes this possible is the incredible rate of innovation when it comes to data storage and processing capacity. Here is an interesting article detailing why companies collect and store so much data on us.
Where is the Money?
The article states that Big Data and Data Mining are so important to how we collect, analyze and apply data that the industry is estimated at over $300 billion globally, employing more than 3 million people United States.
In 2014, the FTC published a report stating that “data brokers collect and store a vast amount of data on almost every U.S. household.” One of the nine data brokers the FTC examined in this report had a database with “information on 1.4 billion consumer transactions and over 700 billion aggregated data elements.” One of the largest brokers, Acxiom, reported over $800 million in revenue last year.
At the beginning of February, TechCrunch reported Facebook was breaking Apple’s policy requiring the Enterprise system only be used for distributing internal corporate apps to employees, not paid external testers. The report stated Facebook has been paying users (ages 13 to 35) up to $20 per month to sell their internet activity (privacy) by using the “Facebook Research” app on their phone. Here is an article explaining why this was so invasive.
Let’s Take a Quick Look at Europe’s GDPR
General Data Protection Regulation (GDPR) passed in 2016 and was implemented in May of last year. GDPR states it will, “will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond.” It will primarily do three things:
- Harmonize data privacy laws across Europe
- Protect and empower all EU citizens data privacy
- Reshape the way organizations across the region approach data privacy
Here is a great website explaining all of the regulations from GDPR ranging from penalties to consent to breach notifications to right to be forgotten. France fined Google 50 million euros ($56.8 million) and Facebook could face 1.6 billion in fines for violating GDPR. Technology companies are motivated to comply with these standards.
GDPR is very ambitious and the rollout has met with mixed success and unintended consequences. At the very least it has been instructional.
What is the American Data Dissemination Act?
S142 would require the FTC to submit detailed recommendations for privacy requirements that Congress would then take into consideration and impose on tech companies that handle massive amounts of our personal data (think Apple, Facebook, Google). This bill aims to do two things:
- Instruct the FTC to write recommendations for Congress detailing what privacy rules should look like for commercial services, based on the 1974 Privacy Act
- Require the FTC to find a way to exempt smaller companies from new rules
When speaking about the bill, Rubio said,
“It is crucial that we do not create a regulatory environment that entrenches big tech corporations. Congress must act, but it is even more important that Congress act responsibly to create a transparent, digital environment that maximizes consumer welfare over corporate welfare.”
Some people do not believe this is the best way to address this issue, mostly because of the difficulty in implementing rules. The FTC is tasked with writing the recommendations, but they do not have the agency to create regulations. Instead, they have to be created and passed by Congress. The FTC will have to enforce what they pass. The bill states if Congress fails to successfully pass a law within two years of the bill taking effect, the FTC has the power to write its own rules.
When looking at Rubio’s bill, Susan Grant, the director of consumer protection and privacy for Consumer Federation of America said,
“While I appreciate Senator Rubio’s interest in privacy protection, this bill fails to adequately address the modern ecosystem of data collection and use and would nullify stronger state laws. Furthermore, we need an independent data protection agency that can promulgate rules without having to submit them for Congressional approval.”
What Other Bills Attempt to Address This?
In 2018, Democrats proposed the Data Care Act, which failed. This act would have required companies who collect data (social media, general technology, doctors, banks, lawyers) to protect the information. It also required prompt response when informing users when there is a breach in their system and sensitive data could be compromised. Finally, it would have required companies to “not use individual identifying data in ways that harm users”, whether that refers to the company that collected the data or a third-party company who bought it or had data shared with them.
At the end of last year, Senator Richard Blumenthal and Senator Jerry Moran said they were working on a bipartisan bill which would mandate the protection of consumer data and could be drafted early this year.
Last year, California passed the California Consumer Privacy Act (AB 375). This act gives residents new rights when it comes to their data. The bill defined “personal information” as information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household. This definition also includes personal identifiers, geolocation, biometric data, internet browsing history, psychometric data and inferences a company might make about the consumer. Their residents now have the rights to:
- Request a business that collects a personal information disclose what categories and specific pieces of personal information the business has collected
- Request a business delete any personal information about the consumer
- Direct a business not to sell the personal information – referred to as the right to opt out
- Bring a private right of action against a company if there is an unauthorized breach of non-redacted or non-encrypted personal information
This bill is set to go into effect in 2020.
Should the Public (Companies) or the Government Deal with this?
Everyone from private citizens to CEOs want this issue to be addressed. Apple CEO Tim Cook wrote an op-ed calling on Congress to pass comprehensive federal privacy legislation. Along with better management of data (ethically and protection wise), Cook also wants companies to strip identifying information from customer data or avoid collecting it in the first place. He wants customers to have transparency with what companies are doing and give them the ability to easily access/delete data companies have collected. Part of this would be registering companies who collect, package and sell data with the FTC.
I listened to an incredibly interesting podcast from Reply All about the massive amounts of robocalls we’ve been experiencing lately (I know you’ve been annoyed by them too!). They investigate why it seems like we are getting more calls than ever right now, and they found it is because we are (imagine that). They reported on a massive thirty party market out that is buying our data directly from the companies gathering it (in this case, the telephone companies saving our location data). Cook also addressed this issue stating, “Right now, all of these secondary markets for your information exist in a shadow economy that’s largely unchecked.”
Many people believe legislation like the ADD Act could be a way to undermine more stringent legislation passed on the state level (like the California Consumer Privacy Act) and other legislation that has to do with the internet (think state net neutrality laws).
The Information Technology and Innovation Foundation (ITIF), proposed “A Grand Bargain on Data Privacy for America” in hopes of implementing a single standard for internet rules, to simplify compliance for companies. The plan argues that any new federal data privacy bill should preempt state laws (think of California’s bill again) and that sector-specific laws should be repealed entirely. “Sector-specific” federal bills are bills like the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA). Having to confirm that you are 13 or older on most web platforms can be attributed to the multiple times Google and Facebook have been sued for violating COPPA. ITIF also wants to expand the FTC’s authority to fine companies that violate the data privacy law.
After this “deal” came out, Senator Blumenthal commented on the proposal saying, “Big tech cannot be trusted to write its own rules– a reality this proposal only underscores. I look forward to rolling out bipartisan privacy legislation that does in fact ‘maximize consumer privacy,’ and puts consumers first.” For more on this, read the full report from The Verge here.
Proponents of the bargain say that if we continue with the “patchwork” we are currently doing to protect consumer privacy, we will stifle innovation and increase service prices for consumers. Consumers will have to start paying for “free” services because companies will no longer make the revenue they once could selling data and they will have to change their business activities (which costs money) to comply with new regulations.
We also recently wrote about a similar idea, the Privacy and Digital Rights for All Framework and the possibility of a dedicated federal Data Protection Agency. So there are lots of ideas for how we might proceed.
Conclusion
This is a huge can of worms! I started off a writing a Closer Look about, and ended up with a 2,000 word research project. I cannot even imagine trying to tackle this on a federal level. But one thing is clear to everyone: something needs to be done, and it ought to have been done a long time ago. This is one of the scariest unchecked parts of our society in my opinion because we as consumers simply do not know what is out there relating to our lives and privacy. I imagine it will be hard to appease everyone because there will undoubtedly be concessions on all sides. Things like the “grand bargain” effectively make business models like Facebook’s the status quo for how companies should operate on a national basis. All you need to do is read the news to know this is not working out well for us and is certainly not the model that will protect us in the future.
We should all become at least a little familiar with these issues and support organizations and legislators who seem to be headed in the right direction. You can help by letting your legislators know you’d like to see them work on legislation moving us towards better data protection, and share the ideas that sound best to you.
Cover Photo by Markus Spiske on Unsplash
About BillTrack50 – BillTrack50 offers free tools for citizens to easily research legislators and bills across all 50 states and Congress. BillTrack50 also offers professional tools to help organizations with ongoing legislative and regulatory tracking, as well as easy ways to share information both internally and with the public.