Allowing data access for a more convenient and efficient “user experience” creates risks to privacy and data security.
Social media, multiplayer and interactive games, augmented reality, and ever-expanding data storage capacities and data sharing capabilities are seen as accelerating threats to the right of privacy. Can we always rely on people and companies to respond ethically?
Take Pokemon Go for example. Niantic, the developer, allowed players to register for the game using their Gmail account, and Google offers “full account access” to the developer. Therefore, many Pokemon Go players unknowingly authorized Niantic to have full account access, even though to play the game that level of access was not necessary. Niantic only actually needed a user identity, an email address, and GPS location information for the game to function properly.
There is no evidence that Niantic actually used more access than was required. To the company’s credit, when the “full account access” discrepancy was discovered, the problem was addressed promptly. Both Google and Niantic appropriately limited access, and no action was required on the part of the consumer.
However, this no-harm, no-foul outcome was not the only possible result. The result could have been very different if a malware developer or hacker sought to exploit the mismatch between authority and need.
Today’s federal privacy laws provide specific protections for limited and specific categories of information, including medical information (the Health Insurance Portability and Accountability Act privacy rule); financial information (Financial Services Modernization Act and Fair Credit Reporting Act); educational information (Family Educational Rights and Privacy Act); and information gathered from children under 13 (Children’s Online Privacy Protection Act).
Even with those laws on the books, adults are giving companies access to their personal information by contract. Users often fail to read the terms of service or privacy statement/agreement when creating new accounts online or installing new programs or apps. This can result in permission being granted to use any information collected (other than medical or financial information) for any purpose.
Congress and state legislatures are considering legislation that will take steps to modernize our data privacy laws, so they reflect the current realities of our increasingly digital and interconnected world. This week both the House Energy and Commerce Committee and the Senate Commerce Committee will hold hearings on this issue and explore what would need to go into legislation to ensure consumer data privacy protection.
At the state level, at least two bills were introduced in the Arizona House to regulate use of personal information collected on websites, including video and audio data.
Last year, California enacted the Consumer Privacy Act (taking effect in 2020), giving consumers more control over the use and retention of personal information. This California law echoes concepts found in the General Data Protection Regulation adopted by the European Union (EU) in 2016. In response to concern about the permanence of information on the Internet, the EU recognized what is described as the right “to be forgotten” – embodied in the right to the erasure of data under EU law.
The law isn’t static. Like technology, the law changes and evolves to address social needs and norms. Changes in the law (and consumer protection technology) are inevitable to protect data privacy, an important issue impacting every technology user.
Even when data protection laws are enacted, compliance is not automatic. Consumers are well advised to exercise judgment to protect themselves.
Ray K. Harris is a director at Fennemore Craig, a Mountain West Law Firm, and practices commercial litigation, including patent, trade secret, trademark, trade dress, copyright, data protection, and privacy, and other intellectual property and technology matters. Scott L. Altes is a director at Fennemore Craig and chairs the firm’s health care litigation regulation and privacy and data security practice groups.