All over the world, government officials are trying to figure out how to craft laws and regulations about privacy – especially for digital data and online activity. The European Union’s General Data Protection Regulation took effect in May 2018; about a month later, California’s new Consumer Privacy Act did too. Both impose stringent new legal requirements on organizations that collect and use personal data.
In the U.S., lawmakers and an increasing number of voters are starting to wonder if it’s time for a comprehensive U.S. privacy law. State legislatures are considering more than 90 privacy-related bills, and Congress has more than a dozen bills of its own. In April, the Federal Trade Commission is holding the latest in a six-month long series of privacy and security hearings.
Everyone agrees something needs to change: Consumers want better protection for their data, and businesses want clear national laws instead of 50 different state standards. Yet there is virtually no consensus about what a broad privacy law should entail.
Fortunately, almost 50 years of experience with laws adopted in other countries and various U.S. states, suggest three key elements that any comprehensive privacy law should include.
Change who’s responsible
Screenshot by The Conversation
For decades, U.S. laws have made people individually responsible for protecting their own privacy. Businesses can legally use personal data for almost anything, provided they at least tell consumers what they’re going to do, and give people a chance to object. That is why many websites and software packages have long, complicated privacy policies in incomprehensible legalese that customers are required to agree to before they can use the system. For instance, the current Apple privacy notice takes up about 74 iPhone screens.
Consent has never provided strong privacy protection, as privacy regulators around the world have acknowledged. People rarely read, much less understand, privacy notices. They definitely don’t keep track of everything they’ve allowed each company to do with their information, and take legal action to enforce any limits or punish any violations.
Advancing technologies have made the problem much worse, enabling nearly ubiquitous data collection. Cameras, phones, cars, refrigerators, smart TVs, networked thermostats and thousands of other internet-connected sensors record the steady trail of what has been called “data exhaust” that people generate as they live their lives.
It is absurd to expect people to be aware of, understand and make intelligent choices about how their data are used. And it is unconscionable to make those individuals responsible for the consequences of choices they didn’t know they made and couldn’t have understood if they’d tried.
Effective data protection laws should require anyone who uses personal data to bear both responsibility and liability for its misuse. The goal is simple: to ensure that companies and government agencies are accountable for how they collect, store, use and share information – just like equipment manufacturers are when they make an unsafe product. The threat of legal consequences helps executives and other leaders make sensible choices about how much data to collect, how long to keep it and how to protect it.