A Privacy Law That Actually Protects Americans

The looming implementation of California’s privacy law has thrust the debate over how to protect Americans’ personal information further into the national conversation. As the debate is playing out, we are seeing many ways to approach this question, and we applaud anyone who comes to the table to help devise stronger data privacy and security rules for all of us. But if the nearly constant drumbeat of news articles about privacy violations shows anything, it’s that we can’t simply tinker around the edges of the current dynamic in which consumers are too often left trying to decipher whether a company is using their data reasonably, securely, and in line with what they expect – or harnessing it for improper and harmful practices.

Privacy for America, the coalition I advise of trade groups and companies encompassing a broad cross-section of the U.S. economy, believes that it is time for a fundamentally different approach to change this untenable situation. The internet of today needs a legislative framework that doesn’t put the onus on consumers to become privacy lawyers before they can feel safe online, but instead establishes clear and enforceable rules that outlaw harmful data practices.

What does this new paradigm look like? For starters, it’s comprehensive and would apply consistently nationwide. We believe that consumers – no matter where they live in the United States – deserve broad-based privacy regulations that provide them with stronger protections than an amalgamation of state and sector-specific laws. While we believe California’s privacy law marks a significant development in the privacy debate, the reality is that it leaves Americans in the other 49 states largely unprotected – and continues to follow the old model that asks consumers to decipher and police how their data is used.

This new framework should also make plain what data practices are illegal. Companies shouldn’t be able to use someone’s personal information, unless specifically permitted by federal or state law, to decide whether to grant them a job, credit, insurance, or health care.

They shouldn’t be able to use data about a person’s race, color or religion in setting prices for products or services. They shouldn’t be allowed to share a consumer’s personal information with third parties unless they ensure — through enforceable, contractual means — that the other party will use the data lawfully. And companies that do engage in illegal practices must be subject to strict enforcement and penalties.

The law should also recognize that certain types of data deserve extra protections. Particularly sensitive personal information – like medical, financial and biometric data – shouldn’t be used or collected without someone’s explicit permission.

Writing these clear protections into law lets consumers know that uses of data that may harm them are fully against the law – not subject to wiggle room or dependent on an interpretation of a company’s privacy policy.

Some have tried to raise concerns over the idea of the government setting standards about proper and improper uses of data. Limiting government intervention into a nascent internet made sense for many years. Now, this is a mature ecosystem and regulation is appropriate and simply a natural extension of how policymakers have chosen to protect consumers in other contexts. We don’t, for example, simply make information about food safety available to citizens and then leave it to them to decide whether to buy a tainted cut of beef. We require specific levels of hygiene so consumers can trust it is safe – and when it’s not, serious action is taken to protect the public.

In the same sense, these protections need to be effective – which means the Federal Trade Commission must be given increased resources and enforcement authority. In particular, the agency needs three things: a new bureau specifically tasked with protecting consumers’ data; new rulemaking authority that allows the agency to remain flexible in identifying and prohibiting inappropriate data practices; and a new, stronger ability to levy penalties against privacy and data security violations. Taken together, these changes would be a signal to consumers that there’s a real cop on the beat—and a warning to would-be bad actors that their transgressions will no longer go unnoticed or unpunished.

Lawmakers have been working doggedly for months toward a bill that incorporates these types of changes, and the reality is that it’s not an easy lift. Progress toward a strong, national privacy law is going to come slowly – but it is critical that policymakers continue the charge. Both consumers and businesses will thank them.

We know privacy reforms will address only part of the complex feelings Americans have about digital life. But championing this new approach to protecting consumers online would be a major shift toward a world where Americans can benefit from the internet – and all the promise it represents for their lives – while, finally, being protected from the harmful data practices they’ve rightly come to fear.

Stu Ingis is an adviser to Privacy for America and partner at Venable LLP, where he co-chairs the eCommerce, Privacy and Cybersecurity Group.

Morning Consult