Online Privacy
and how it affects us everyday
In the digital world of data, understanding what information about us exists online and what controls we have over it is key. Respect for privacy is a crucial component of a healthy internet ecosystem. Data can achieve amazing things, like making online content or personalized shopping recommendations more relevant to our needs and interests. For that reason, it’s important for users to feel that their data is respected and secure.
Harms-Based Approach to Privacy
Remedying specific harms, not outlawing tools.
Privacy regulation should maximize opportunities for innovation while minimizing specific harms from particular uses. In the United States, there are existing laws regarding use of particularly sensitive data such as financial and certain health information. By responding to how awful actors could specifically abuse our information, this approach helps prevent financial, health, and personal harm.
Policymakers should go after awful actors that are abusing data, not criminalize otherwise benign tools. Existing uses of our data improve our lives by fighting disease, improving traffic flow, and providing users with free and groundbreaking technology. While in the wrong hands data can harm, discriminate, and exploit, in the right hands these tools improve our lives. Enforcers can use existing tools to focus on the many concerning actions that are already illegal. That way, improved cybersecurity and consumer education around privacy choices and risks can ensure Americans feel safe online.
This application- and harm-based approach is why the United States has paved the way for the rest of the world, choosing to go after specific harms in specific industries rather than regulating privacy once across all industries. Based on the success of this approach, innovators have been able to engage in many beneficial uses of data, while regulation responds to those uses that are particularly problematic or significantly more likely to result in harm.
Data Portability
Taking your information from one company to another.
Many mainstream websites and digital services let us download our information. Some platforms even help users take that information to a competitor. A Microsoft Word document can be converted to a Google Doc, and a Google Doc can be converted back to Microsoft Word.
While data portability empowers users, too much interoperability might sometimes harm them.
Interoperability requires secure services to give third parties access to your data. Applied poorly, this could allow awful actors to get personal information about you without your consent or knowledge.
“Your information” is not always straightforward and can often overlap with how you interact with others online—like friends’ birthdays, tagged photos posted by others, and algorithmic inferences. To best help us protect ourselves online, policy needs to clarify both the obligations of the companies providing the data and the liability for data that a user has requested be sent to another company.
Child Privacy
Balancing parental choice and child safety online with the benefits of technology.
With regard to protecting our kids online, there’s one law to rule them all—the Children’s Online Privacy Protection Act, or COPPA, which applies to children under 13.
COPPA was designed to prevent awful actors from communicating with and grooming our children. The law recognizes the special sensitivity and consent issues associated with children who do not have the full understanding of how their data may be used.
While protecting children’s information is important and may be an appropriate role for regulation, COPPA also has tradeoffs. In some cases, COPPA has likely limited the offering of apps designed to help kids learn, get connected to support, or ask difficult questions to adults and their peers.
By making development for children fraught with financial and legal pitfalls, COPPA may discourage well-intentioned people from making child-appropriate content, or lead them to institute a higher age barrier rather than reach all those for whom the app would be beneficial.
Changes to COPPA should consider not only the need to protect children, but also the potential tradeoffs particularly for teenagers.
Breach Notification
Notifying you when bad actors may have attempted to steal user data.
Data breach notifications ensure we get timely updates on whether our personal information is being kept safe.
When a breach happens, businesses have only a handful of hours to identify how much data was taken, and who has been affected.
But each state has its own rules on what counts as a breach of our personal information and how quickly affected users need to be notified.
That inconsistency in rules across the country makes it hard for online services to abide by data breach rules so they can best protect users. We need a national standard to ensure all Americans enjoy the same levels of protections.
Self-Regulatory Solutions
Empowering businesses to police each other with the government’s help
Private businesses have been working with one another to hold themselves accountable under the watch of the US government.
Safe harbors and other self-regulatory programs are ways that companies can work together to self-regulate, protect their consumers, and adhere to predetermined codes of conduct. If a company fails to abide by the rules and hurts their users, that company is subject to government enforcement and disciplinary action by the Federal Trade Commission.
There are a variety of different self-regulatory solutions, including the Advertising Self-Regulatory Council, the Digital Advertising Association, and the Student Privacy Pledge.
Private Right of Action
Enabling individuals to bring legal action against someone else could limit beneficial innovation if evidence of harm is not required.
There is a fundamental difference between “private right of action” and “private right of action with statutory damages.”
The purpose of our civil law system is to make people whole, not to profit off of someone’s mistakes. Statutory damages would dictate that even if the party at fault wanted to cover all of your damages, it could be made to pay even more simply because a bureaucrat wants it to.
Usually when a law is passed with statutory damages alongside a private right of action, predatory attorneys come out seeking to turn victims who suffered little or no harm into a huge attorney pay-day. This results in a series of “gotcha” cases, can financially collapse small startups, and chills innovation simply because monetary damages are not injunctive relief.
Current State of Privacy
State Laws
39 states have passed student privacy laws that do many things from restricting tech companies’ use of student data to giving students control over their data and knowledge of how it is being used. Many states model their student privacy laws after California’s Student Online Personal Information Protection Act (SOPIPA), which prohibits tech companies from knowingly engaging in targeted advertising to students, profiling K-12 students, and selling or disclosing a student’s covered information.
Three states, Illinois, Texas, and Washington, have passed laws that regulate the collection, use, and disclosure of biometric information, governing how companies use our retina scans, fingerprints, voiceprints, and facial photos.
All 50 states have data breach notification laws, but each state has different rules on what counts as a breach of our personal information and how quickly affected users need to be notified.
Virginia, Colorado, Nevada, and California have passed significant consumer data privacy regulation. Many other states have considered broad data privacy regulation and risk the creation of a patchwork of laws that would create confusion for consumers and disruption for innovators.
Federal Legislation
Under our current harm-based approach to privacy, the United States does not have any omnibus federal laws regarding privacy. Instead, it tackles issues regarding privacy piece by piece.
Our federal laws on private actors and privacy vary in scope, protecting a variety of user health information, children’s privacy, financial information, and electronic communication.
While the harm-based approach to privacy is the most effective, recent actions at the state level to create state-specific omnibus privacy laws have produced a mismatched patchwork of state privacy regulation, and there is a real need for a federal standard for privacy.
American companies are being forced to comply with European standards in part due to the absence of an American alternative. Similarly, Americans in states without laws could find themselves subject to the onerous restrictions imposed by other states, or consumers in regulated states could lose out on technology available nationwide.
Only with a federal law can the US ensure Americans, American businesses, and American entrepreneurs remain safe online while also eliminating the growing costs of compliance state-based regulation causes.
The Facts
Why does this matter for us?
Bad regulation in this area makes the internet cumbersome for users and businesses. It could prevent the next great technological application and could lead to confusion for consumers.
Businesses big and small, online and offline, have to identify and comply with over one hundred different privacy laws that are constantly changing, monthly and annually. To comply, businesses have to move money away from hiring staff, innovating, and lowering prices, and toward funding attorneys instead. Presuming all use of data is harmful, or that privacy is always the priority, can have real consequences for free speech and for the extremely helpful uses of data, like identifying individuals impacted by disasters. If businesses could rely on a single set of rules and regulations, legal costs would go down, barriers to entry would decline, and innovation could become supercharged. At the same time, Americans could more easily know their privacy rules without worrying that crossing state borders could drastically affect their personal information online, or that privacy in neighboring states is greater or lower than their own. All will be on equal footing.
What American privacy legislation needs
It is urgent that Congress enact a National Standard on federal privacy laws and data breach laws. Federal Privacy Law needs to ensure that it:
Sets a National Standard. Creating a national standard reduces the complexity and compliance costs of protecting Americans’ privacy online.
Focuses on the risks and harms related to data rather than the size of the company doing the collection. Regardless of the collector’s size or tax status, we need to ensure Americans’ privacy is protected whoever is doing the collecting.
Empowers enforcement only by the government. Because their financial compensation is not dictated by the number of cases or a percentage of fees, government agencies have the express goal of doing what is best for the people they serve and ensuring that actions are brought on the merits of the suit.
Creates self-regulatory regimes to encourage best practices. By following the self-regulatory model set out in the Children’s Online Privacy Protection Act, the United States can avoid the enforcement problems that arise when limited resources lead to lax or no enforcement and therefore ineffective privacy protections.
Conditions penalties on the actual harm incurred. Because civil law can ensure that the system isn’t abused to favor competitors or serve as an artificial revenue source, focusing on the actual harm incurred rather than statutory damages will keep the system fair.