After being prodded by its own watchdog, Congress is finally getting serious about privacy. Committees in both the House and Senate held privacy hearings at the end of February, after being spurred on by a Jan. 15, 2019, Government Accountability Office report that called on Congress to clearly determine which federal agencies should be responsible for consumer privacy.
GAO found that while the Federal Trade Commission has the lead in overseeing internet privacy, the agency has not issued regulations for internet privacy other than financial privacy and the privacy of children. The GAO recommended that Congress determine which agency or agencies would be responsible for oversight of internet privacy, who would have the authority to write regulations and enforce civil penalties, as well as balance the consumers’ need for internet privacy and private industry’s ability to innovate and provide services.
As Congress moves through the process of enacting updated consumer data privacy laws, members must agree to a clear and concise national policy that will provide consistency and certainty for both businesses and consumers.
Any legislation passed by Congress should require businesses to provide consumers with easy-to-understand privacy choices based on the sensitivity of their personal data and how it will be used or disclosed, consistent with the FTC’s privacy enforcement guidance, and an opt-out choice to use their non-sensitive customer information for personalized third-party marketing. Businesses should be able to continue to rely on implied consent to use customer information for activities such as service fulfillment and support, fraud prevention, market research, product development, network management and security, compliance with the law, and first-party marketing.
Consumers should be provided with clear, comprehensible, accurate, and continuously available privacy notices by businesses collecting, using, or sharing consumer data that describe in detail the information being collected, how that information will be used, and whether the information will be sold or shared with third parties. Should customer information be sold or shared with a third party, customers must be notified about the types of third parties to whom their information has been given and for what purpose.
Different types of data require separate methods and standards of protection. For example, sensitive health care data and financial data require a higher level of security than a social media account or a computer’s IP address. Therefore, policies must be consistent with the type of data being collected and how it is to be used. There should also be reasonable limits on the amount of personal data that organizations will collect, use, and disclose, consistent with the context in which that data is provided. Every effort should be made to de-identify and delete data as promptly as possible when it is no longer necessary.
Consumers should expect that the personal data they share with other entities is maintained in a secure environment. Information technology systems are under constant attack; breaches have and will continue to occur. In the event of a data breach in which there is a reasonable likelihood of misuse and consumer harm, consumers should expect timely notification of the event, and an offer by the entity breached as to the remedies available to make the consumer as whole as possible, including credit protection services, fraud alerts, and credit monitoring through credit reporting agencies.
With the GAO report followed closely by the hearings in the House and Senate, privacy appears to be on the front burner in Washington. Congress must take the enactment of a federal consumer data privacy protection seriously and formulate an agreement on how to best meet both the needs of consumers and those of industries seeking to improve services to their customers. This must be done in a manner that avoids burdensome regulations or government interference in the incredible progress that continues to be made in providing the best and latest technology across the internet ecosystem.
Deborah Collier is the director of tech policy for Citizens Against Government Waste.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.