Americans feel that their data isn’t theirs anymore.
In an age marred by stunning social media scandals, massive data breaches and exploitative data marketing, more and more Americans believe that they are losing control over their personal data. In a recent Pew study, over 80 percent of Americans say they have very little or no control over their personal information, while 70 percent say they feel their data is less secure today than it was five years ago. And only 4 to 6 percent say they understand very well what all their data is even being used for.
Alarmed by this growing sense of data disempowerment, Americans overwhelmingly support Congress taking direct action to ensure that the data rights of all Americans are clearly defined and properly defended. According to a Morning Consult poll, fully 79 percent of registered voters say that data privacy regulation must be a top priority for Congress in 2020.
In short, Americans want their data back – and it can’t wait until everything “goes back to normal.”
Fortunately for the millions of Americans eager to regain control over their data rights, congressional lawmakers are already well underway crafting new data privacy laws to meet our urgent, national need for greater data security, transparency and regulatory oversight – and I urge them to continue this fight as the disrupted environment only leads to more ways to exploit consumer data.
Democratic Sen. Maria Cantwell and Republican Sen. Roger Wicker have both sponsored bills that propose sweeping data privacy regulations, while the House Energy and Commerce Committee has advanced its own bipartisan draft of data privacy legislation.
But with so many of our fundamental data protections hanging in the balance, it’s important that Congress gets this right. So, what exactly is at stake for U.S. data subjects in Congress’ fight for new data rights protections?
In my judgment, the draft legislation speaks meaningfully to five of our fundamental data rights: the right to transparency, the right to meaningful consent, the right to data deletion, the right to data portability and the right to private action. Let me explain what these rights are, how they all hang together and why they matter.
At a time when more data is being collected from U.S. consumers than ever before, Americans have a right to know who is collecting their data, where their data is going and what their data is being used for. We call this a right to transparency.
Transparency means quite simply that governments and companies provide clear and easy-to-access information about the data collection and data use practices that they employ.
Protections for the right to transparency and for the right to meaningful consent always go hand-in-hand. Americans need transparency in order to know what a company will do with their data before they consent to share their data. Together, these protections ensure that consumers are empowered to make free, informed and genuinely voluntary choices about how their data is shared, collected and used.
But this consumer empowerment isn’t complete without protections for the right to data deletion and the right to data portability. Put simply, the right to data deletion is the consumer’s right to request that any entity currently accessing his or her personal data delete that data. The right to data portability means the consumer’s right to see any personal data that an entity is presently using and request to transfer that data to a different entity at will.
In our current data ecosystem, too much of our data is collected by third parties without our knowledge and control. Often, we grant data access to a known entity, such as a smartphone app developer, but that entity then trades our data to unknown third parties, depriving ordinary consumers of any real control over where their data goes and where their data stays.
While there are some thorny practical and legislative issues here pertaining to how these rights might be fully implemented against downstream and often invisible third-party data brokers, one thing is clear: Without protections for the rights to data deletion and data portability, Americans lack fundamental controls over their own personal information.
Finally, Americans can’t have complete control over their data without protection for the private right to action. The private right to action means that every American citizen will have the power to hold companies directly accountable for their data collection practices. This right ensures that every data abuse is actionable at any time, regardless of the ability or willingness of state actors to prosecute data abusers.
Through federal protections for these five data rights, Americans will finally be able to regain control over their personal information and establish their data autonomy.
In evaluating Congress’ recent draft legislation, however, we must also pay attention to how federal protections will interact with state laws. In my view, it’s crucially important that the federal government avoid preempting data protections already in place at the state level.
While we need clear national policy to protect all Americans, some states, like California, are already doing more to protect data rights. I believe that these state and local protections should be kept in place wherever they surpass or extend federal protections.
In our increasingly complicated and sprawling data economy, the state and federal governments must protect Americans’ data rights, or no one will. Right now, it looks like the American people only stand to gain from Congress’ work to give back to consumers their control over their data.
Thomas F. Kelly, a Silicon Valley serial entrepreneur and an expert in cybersecurity, is president and CEO of ID Experts, a Portland, Ore.-based provider of data breach and identity protection services, including the MyIDCare suite of services.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.