Privacy

We Need Sound Policy to Quell the Data Arms Race, Protect Users

By Susan Grant, CFA Director of Consumer Protection and Privacy

What do the Equifax breach, Cambridge Analytica’s use of Facebook users’ data for political campaign purposes and Grindr’s sharing of users’ HIV status have in common?

All three incidents illustrate why Americans need to have meaningful control of their personal information and why the companies that hold it should be strictly accountable for its use and security.

While it’s good that members of Congress are grilling Facebook CEO Mark Zuckerberg about the company’s privacy practices, they should also ask themselves: Why doesn’t the United States have a comprehensive data protection law, like most other advanced countries around the world?

Why don’t we have a federal agency that has the ability to set privacy and security rules of the road for retailers, manufacturers, data brokers, social media companies, search engines, internet service providers, app developers and other types of companies that are currently free to collect any personal information they desire?

Why aren’t there stiff fines and requirements for compensation when companies misuse or don’t adequately secure our data?

The failure of the United States to implement public policy based on widely accepted Fair Information Practice Principles (FIPPS) has led to a data arms race in the U.S. Those principles are:

  • limiting the personal information that’s collected and only collecting it fairly and lawfully;
  • specifying the purposes for collecting it and only collecting what’s needed for those purposes;
  • keeping the information accurate and allowing individuals to access it to ensure its accuracy;
  • only using the information for the stated purposes unless the individual consents to a new purpose;
  • deleting the information when it’s no longer needed for those purposes;
  • being transparent about what you’re doing;
  • keeping the information secure; and
  • being responsible for your actions.

More and more personal information is being vacuumed up and used to make judgements about people, sell them something or manipulate them in other ways, without regard to whether these practices are in line with our values and, in many cases, without the individuals’ knowledge or consent. This arms race will only escalate with the growing internet of things.

Some companies see legal constraints as an impediment to their competitive edge. That’s why the internet service providers (ISPs) opposed the Federal Communications Commission’s broadband privacy rules, which Congress voted to repeal last year, and why they’re fighting broadband privacy bills in the states so fiercely now.

We need clear rules about how ISPs, as well as other kinds of companies, treat our personal information. The rules will have to be tailored to fit the circumstances, but the FIPPS and the General Data Protection Regulation (GDPR) that takes effect in Europe next month provide good roadmaps for us to follow.

I believe that many businesses would be relieved if we had such rules, though they are reluctant to say so publicly, because the playing field would be more level. Just as with an arms race, no one wants to disarm unilaterally in the data arms race.

Furthermore, since companies based in the United States that also do business in Europe will have to follow the GDPR for their EU customers, it makes sense for them to treat their U.S. customers’ data the same way. Facebook has announced that it plans to do so.

Congress should empower the Federal Trade Commission to promulgate comprehensive rules for data protection and give it stronger enforcement tools. Congress should stay out of the way of the states as they rightfully seek to ensure that their residents’ privacy and security is well-protected.

This piece originally appeared in The Hill.