Several big technology companies have a message for any U.S. lawmakers crafting new data privacy rules: Follow our advice.
Google, Apple, and the Internet Association, which lobbies on behalf of its members like Amazon, Facebook, Twitter, and Airbnb, all say they support federal laws aimed at protecting user privacy. What the companies differ on with many privacy advocates, however, are the details.
A number of tech companies are embracing federal legislation, to a point, because they would otherwise have to abide by a hodgepodge of state laws. They’re already preparing for California’s Consumer Privacy Act, the nation’s first state law for data privacy, which takes effect in 2020.
Policymakers are increasingly concerned about how companies collect, store, and use consumer data. And that has turned into a push for rules about how companies must protect consumer information and how they must be more transparent about how they use that data.
Last year, Senator Ron Wyden (D-Ore.) introduced a bill similar to the General Data Protection Regulation, a sweeping data privacy law that the European Union passed in 2016. More recently, Senator Marco Rubio (R-Fla.) proposed a bill that would task the Federal Trade Commission with creating and implementing data privacy standards.
Here’s what some tech companies and a key industry group want in any future privacy legislation:
In general, both parties agree on the following:
- Transparency: Consumers should have the ability to know how the data they provide is used, whether it’s shared with others, the categories of entities with whom it’s shared, and the purpose for which it is shared.
- Controls: Consumers should have control over how their data is collected, used and shared, except in cases where the information is necessary for the basic operation of the business or if doing so could lead to breaking a law.
- Access: Consumers should have reasonable access to the information they provide. They also should be able to correct and delete information, except in cases where companies have legitimate need or legal obligation to maintain it. Similarly, companies should make reasonable efforts to keep personal information accurate, complete, and up-to-date.
- Portability: Consumers should be able to get information they provided a company to then give it to another company that provides a similar service.
- Data security: Companies must implement precautions to protect consumer data and should notify consumers of security breaches.
- Accountability: The law should set baseline requirements for compliance and allow flexibility in how requirements are met. This also means not including any technology-specific mandates. Enforcement of the law and remedies for the failure of compliance should be proportional to the potential harms involved in the violation, Google says.
- Preempt state laws: The law should set a national standard that should preempt the patchwork of different data breach and privacy laws.
- Broad application: A data privacy law should impact all organizations that process personal information, not just technology companies.
- Global interoperability: Countries should adopt privacy regulations that avoid overlapping, inconsistent, or conflicting rules, Google says. Privacy regulation should support transferring data across borders and ensure that protections follow the data versus national boundaries.
The California CPA governs not just information that people share directly with companies, but also personal data held by commercial data-brokers. Just as Carpenter suggests that legal protections follow even shared personal data, the CPA imposes transparency and control requirements even on companies that have no direct relationship with consumers.
- Data minimization: Companies should be challenged to strip identifying information from consumer data or stop collecting it at all.
- Access and transparency: Apple agrees with Google and the Internet Association on making data accessible and giving consumers the ability to correct and delete it.
- A data-broker clearinghouse: Data brokers should be required to register with the FTC and allow consumers to track their data after it has been sold to third parties. Consumers should also be able to delete their data on demand.