Since the days of Justice Brandeis, individual control of one’s personal information has been the basis for privacy law in the United States. Unfortunately, our current laws are failing to meaningfully protect consumers. The online surveillance economy feeds on our data. With headlines about massive data breaches and unauthorized access to consumer data now commonplace, it’s clear to consumers that participation in the internet economy often comes at the expense of their privacy. Privacy violations take many forms, many of which go beyond the traditional legally cognizable harms of financial or physical harm. The unauthorized or unlawful collection, retention, use, and exchange of personal data can lead to unfair discrimination, lost opportunity, reputational harm, and market manipulation.
The U.S. must pass a strong and comprehensive federal privacy bill to put consumers back in control of their personal data. Europe has already taken action through its General Data Protection Regulation (GDPR), which took effect in May 2018. California has taken the lead on the state level by passing the California Consumer Privacy Act (CCPA). Despite these efforts, the federal government has yet to pass comprehensive legislation of its own. U.S. consumers deserve and demand better.
What PK Is Doing
Public Knowledge is advocating for comprehensive federal privacy legislation that includes:
- No Federal Preemption: A federal law should be a floor, not a ceiling, for privacy regulation. States should be empowered to pass stronger privacy laws as long as they do not conflict with the federal law.
- Meaningful Notice and Choice: Notice of a data collection should be meaningful and effective, given in a clear and understandable manner, and not buried in the fine print of a lengthy terms of service agreement. Consumers must be able to control this data by giving meaningful consent to a personal data collection.
- Data Minimization: A data minimization requirement — the idea that data collectors should only be able to use as much data as required to accomplish a given task — can help prevent harms that arise from misuse of data.
- No Sensitive/Non-Sensitive Distinction: Some policymakers believe that higher protections are only needed for one’s “sensitive” information, such as social security and bank account numbers. However, non-sensitive information can be accumulated to reveal sensitive information and thus must be protected as well. Moreover, people disagree on what they view as personally sensitive information, making the distinction arbitrary.
- Meaningful Redress: Consumers must be provided with meaningful redress when their privacy is violated. This can be accomplished in part by ending forced arbitration during privacy disputes and allowing consumers to seek liquidated damages for privacy harms that are difficult to quantify.
Here are the PK experts on this issue: