How should the US legislate data privacy?

woman working in an office sitting at her desk typing

In recent months, new privacy rules have gone into effect in the European Union and have been adopted by state of California. Is it time for U.S. privacy legislation at the federal level? On July 26, the Center for Technology Innovation hosted a panel of experts from think tanks, industry, and trade groups to consider this question. CTI Fellow Nicol Turner-Lee moderated a discussion that featured Nuala O’Connor of the Center for Democracy and Technology, Karen Zacharia of Verizon, and Melika Carroll of the Internet Association. The panel covered what they would want to see in federal privacy legislation, why not all data should be treated the same, privacy enforcement mechanisms, and cultural differences in attitudes toward privacy.

All could agree that federal privacy legislation was necessary because consumers should have a baseline level of trust that their data is being used properly. A national approach would apply the same rule to all players, avoiding a patchwork of state laws with different requirements. A patchwork approach would not cover the full breadth of data privacy concerns, given that the internet does not stop at state borders. Legislation should also include some built-in flexibility to adapt to rapidly changing technology. It should build protections around the data that is most important to consumers, since data security is a necessary precursor to privacy. The panelists expressed optimism that educating lawmakers on these issues would lay the groundwork for legislation in the near future.

Preventing misuse of data will depend on robust enforcement of privacy laws. The Cambridge Analytica scandal earlier this year highlighted the need for better privacy enforcement. With laws like GDPR, the EU favors an ex-ante approach to privacy enforcement, while the U.S. takes an ex-post approach. The U.S. Federal Trade Commission can impose fines on companies that use customer data in a way inconsistent with their privacy notices, but the agency has no rulemaking authority. The notice-and-consent regime developed in the 1990s falls short in a world with increasing opportunities for data collection. More ex-ante enforcement in the U.S. could set more stable expectations for consumers and the industry.

The discussion outlined different types of data and their various uses. Personal information can have innocuous uses, such as a retailer asking for a person’s address to ship a package, but one can imagine more harmful cases. Algorithms can aggregate seemingly trivial information to make inferences about a person that can lead to consequential decisions. Each of these cases creates a grey area regarding acceptable use that complicates privacy regulation. One suggested solution to level the playing field between consumers and companies is giving users data portability, allowing them to easily transfer their information between competing services depending on privacy preferences.

While privacy issues are often discussed in the context of technology, the issue cuts across other sectors like health care and law enforcement. Sector-specific regulations treat data differently, and it can be difficult for consumers to understand this decentralized approach. The common thread is the fact that a human generates each data point. A growing recognition that holding data on another person comes with stewardship responsibilities may soon lead to comprehensive U.S. privacy legislation.

Alexander Jin contributed to this blog post.