Silicon Valley tech companies have been fighting against regulations for years, but they are coming, and companies are learning to accept them. Even Facebook CEO Mark Zuckerberg acknowledges that regulations are necessary. In a March Washington Post editorial, Zuckerberg advocated “a more active role for governments and regulators,” in such areas as “harmful content, election integrity, privacy and data portability.”
Zuckerberg may be getting his wish – at least when it comes to privacy. Silicon Valley Congresswomen Anna Eshoo and Zoe Lofgren have introduced HR 4987, the Online Privacy Act. This is far from the first Congressional privacy bill, but it’s noteworthy that it’s coming from two members of Congress whose constituencies include thousands of tech workers, along with a fair number of very wealthy entrepreneurs, CEOs and investors who benefit from tech’s use of data to monetize their ventures.
The bill creates a new federal agency to enforce users’ privacy rights and ensure companies follow the law, according to a summary provided by its two sponsors. It would also give users the right to “access, correct, delete, and transfer data about them; request a human review of impactful automated decisions; require opt-in consent for using data for machine learning/A.I. algorithms; be informed if a covered entity has collected your information; and choose for how long their data can be kept.”
Companies would be required to articulate the need for and minimize the user data they collect, minimize employee and contractor access to user data and not disclose or sell personal information without explicit consent. They would also be required to “employ reasonable cybersecurity policy to protect user data.”
The bill also criminalizes “doxing,” which is posting private, personally identifiable information about individuals without their consent.
It also contains protections for journalists “to use or disclose personal information for investigative journalism no differently than they do today,” as long as there are safeguards for non-journalistic purposes.
In a press release about their new legislation, Eshoo and Lofgren included quotes from experts and advocacy groups. I don’t often pay attention to these types of quotes, but I was impressed that they got an endorsement from The Electronic Privacy Information Center, which is one of the toughest privacy advocacy groups in the country. EPIC’s policy director, Caitriona Fitzgerald, said that the group “carefully reviewed the privacy bills pending in Congress, and we have now rated the Online Privacy Act #1.” She said that it “sets out strong rights for Internet users, promotes innovation, and establishes a data protection agency.”
Eshoo and Lofgren’s bill would be federal law, similar in some ways to Europe’s General Data Protection Regulation (GDPR) that gives European citizens strong privacy protections and rights, regardless of where the company is based. There is also a new data protection law in California that goes into effect January 2020.
Just as the GDPR is designed to protect Europeans, the California law only protects California, but because both laws apply to companies regardless of where they are located, these laws have an impact on the entire industry. But laws that protect Californians and Europeans don’t negate the need for a U.S. national law.
The California law applies to any for-profit entity that does business in California, regardless of where the business is located, if it collects, sells or buys personal information of more than 50,000 California consumers, households or devices. It requires businesses to disclose the categories and specific pieces of personal information collected and to delete information about consumers if so requested. It also gives consumers the right to opt out of the sale of their information to any third parties and requires affirmative consent (opt-in) for teens between 13 and 16 and parental opt-in for children under 13.
But the proposed federal law, in addition to protecting consumers in all parts of the country, goes even further, especially because of the establishment of an enforcement bureau which would have, among other things, the authority to issue regulations and issue fines for violations.
The new bill also has some additional protections, including giving consumers the right to determine how long a business can keep their data: only as long as needed, a certain period of time or forever. It also requires companies to ask your permission each time they want to sell your data. Companies could no longer scan your email or personal documents to target advertising to you. And, sorry lawyers, privacy policies would have to be written in clear and “understandable” language.
I suspect that the establishment of a new federal enforcement agency will be the most controversial part of this bill, given the president’s commitment to reduce regulations and government oversight throughout the federal government. Yet, there are good reasons for the new agency, which would be staffed by experts who spend their entire working day (and probably some nights) dealing with data.
Our personal data is incredibly valuable not only to us but to anyone who can mine it, parse it and combine it with other data to extract enormous profits. It’s what fuels Google, Facebook and countless data brokers who have made a business of taking, buying and selling information about each and every one of us. The internet didn’t create the exploitation of personal data, but it’s made it a lot easier to obtain. Just about everything we do on the web and on our mobile devices leaves bread crumbs which are often collected, compiled and packaged for someone’s profit.
What’s worse is that we have no idea what is being collected. When you install an app on your phone or a program on your PC, you have no way to know what it’s doing behind the scenes. It’s like giving a service worker a key to your house. Sure, you know what service they’re providing, but unless you have a surveillance system installed, do you know what they’re doing with that key while you’re not looking?
I’m not arguing against the collection of data. While it is a fuel for profit, that profit is also the incentive for companies to bring us apps and services that we need or want. I would hate to go back to a world without Google and other search engines. As both a consumer and a journalist, I derive enormous value from having the world’s information at my fingertips. Many of the free apps on my phone provide me essential services which I would hate to do without. Of course, the industry could create a different business model and charge for the use of these apps and services, but I wonder how many people would be willing to pay for search, navigation and all the other services they derive from advertiser-supported commercial services.
But just because we have to put up with data collection and advertising as the cost of “free” services, doesn’t mean we shouldn’t have control of our information, the right to delete it and the right to know why and how it is being collected.
Silicon Valley has long been a cradle of innovation and it’s nice to see two Silicon Valley lawmakers introduce an innovative bill that could benefit Americans regardless of where they live.
Disclosure: Larry Magid is CEO of ConnectSafely.org, a nonprofit internet safety organization that receives financial support from both Google and Facebook.