At the start of 2020, many individual states were exploring laws to match the California Consumer Privacy Act of 2018. In response, businesses across the country advocated for a federal privacy bill to avoid the need to interpret and adhere to 50 different laws. However, in the wake of the unfolding pandemic, most proposed federal privacy bills have been shelved until 2021. States are also deferring their efforts as they respond to the current crisis.
This pause provides businesses with a golden opportunity to discuss and plan the best path forward. During this time, it may be possible for industry groups to develop consensus with Congress and other interested parties on the basic elements of a comprehensive privacy bill. Establishing these building blocks now will give us all a better chance of getting things right when the time comes to hammer out a national statute.
A successful federal privacy law must be clear and understandable to industry, consumers, and enforcement officials. It will define clearly what uses of consumer data are permitted, which are prohibited, and what protections must be implemented for special uses. Congress, officials from the FTC, State Attorneys General, trade organizations and companies in the data, tech, and advertising industries should debate the following topics over the course of the year:
Transparency
Transparent communication to the consumer about what is being done with their data must be a cornerstone of policy — especially with the widespread adoption of data-driven marketing techniques. Some may be surprised to find that transparency is not necessarily fundamental to a privacy law, having not been included in several early statutes. However, strong disclosure requirements enable the public to make informed choices about their use of services that provide a fair transaction between personal data and consumer benefit. For example, free content on the internet is rooted in the idea that publishers sell targeted ads to support their efforts, and the use of anonymized data increases the value of those ads — and the satisfaction of consumers because they are receiving relevant information.
Ignorance breeds fear and misunderstanding. If consumers do not understand what is happening with their data, they will continue to turn to legislatures for fixes that do not adequately address their concerns while being overly broad — leading to further confusion and expense for industry. However, if they understand generally what companies are doing with their data, they can make an informed choice about their need for privacy and consider whether they want to use a business’ services in exchange for certain information.
Notice
Notice is a company’s disclosure of its own privacy practices, which typically comes in the form of a public-facing privacy policy. There need to be clear standards on what constitutes notice to a consumer and whether it should be entirely contained in a privacy policy or may appear elsewhere, such as at physical store locations, on order forms, or upon first entering a webpage. Regardless of where the information lives, it is essential that the types of disclosures required be explicit in statutory law with industry-standard language.
Standardizing notice requirements will lead to fuller disclosure to consumers and reduce confusion for companies. It would also be useful to establish clear industry guidance on which technical or factual misstatements on privacy practices would trigger UDAAP (unfair, deceptive, or abusive acts or practices) violations, freeing businesses to implement policies without fear that an accidental misstep would be enforced as harshly as a blatant violation.
Choice Versus Control
Many overly broad laws begin with the assumption that consumers should be able to exercise complete control over their own data — an admirable starting point, perhaps, but an ideal that examples around the world have shown to be inoperable in practice. Giving consumers choice, but not absolute control, should be a fundamental goal of any new regulation. There are precedents for this approach. Existing laws, such as FCRA and HIPAA, permit consumers to exercise limited and necessary control over their own data, but their rights to modify data are limited because some industries require access to unmodified data for broader societal benefit.
It will be imperative to reach a consensus on whether consumers should be limited to exercising choice only during data collection, or if some choices may be exercised on an indefinite time frame. This clarification should carefully weigh the impact on the economy and efficient market operations. How and when consumers act to protect their data, whether by opting out, correcting, moving, or deleting their data, can only be determined after this consensus is reached.
Data Types and Fair Usage
Another foundational policy consideration is to regulate according to what data pertains to, as opposed to its source. HIPAA, for example, does not apply to medical information collected by health websites or doctors that do not take insurance. Congress should consider applying one standard to all “sensitive information”, such as data pertaining to children, medical information, and financial account information. This would dramatically ease compliance costs for regulated companies while improving consumer protection.
“Usage” is also too generic a term to capture all of the nuance related to different data sets. Use of data must be related to the type of data under review. This underlines the importance of clearly defining data types in terms of their sensitivity and applying common data sharing and transmission guidelines. Some data is sensitive, and use beyond certain limited avenues should be restricted completely. Other data uses are so objectionable that they should be prohibited, regardless of the underlying data type. Meanwhile, other uses fall in a middle area of less objectionable but potentially invasive and are probably best suited for opt-in from consumers before use. With a clear framework, consensus on fair uses for each type of data can be reached more easily.
Let’s Not Squander an Opportunity
Intelligent data regulation is not a simple problem. Meeting the legitimate needs of all stakeholders will require active participation from all sides. Unexpected delays at the federal and state level provide the opportunity for consumers, industry and regulators to openly converse and unite around a data management framework that benefits all.
Developing a broad and logical framework for data privacy and security will allow us to meet our needs today and accommodate new developments in technology and business practice, with specific guidelines for what constitutes unfair or deceptive uses. Achieving a fair and transparent policy framework will be the best way to ensure that consumers are protected, and that private industry has the freedom to innovate compliantly, maintaining America’s competitive edge in this sector.
As always, the Compliance team at Alliant is monitoring the situation, and shifting its outlook based on new laws and leading best practices. In these uncertain times, it is helpful to take a minute to evaluate your data practices, and to consult with a trusted partner that lives and breathes transparent and privacy-protective consumer data. If you would like to learn more, or have compliance questions, please contact us.