We all deserve control over our digital lives. That’s why we must rein in the data brokers. (Editor’s note: the new California Consumer Protection Act 2018 specifically targets those businesses who collect, sell and share personal data of California residents, just as GDPR does for EU data subjects.)
In 2019, it’s time to stand up for the right to privacy—yours, mine, all of ours. Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives. (Editor’s note: Yes it is inconvenient for businesses who set up operational systems with little or no regard for people’s rights around their personal data. These new laws require tracking and proving consents and permissions, therefore require businesses to re-think what they collect, how long they keep it and how they will secure that data. After all they must stop acting like they own it. The individual owns their own data. These businesses are mere custodians at the behest of each individual. Different context that requires different operational practices, policies and procedures.)
This problem is solvable—it isn’t too big, too challenging or too late. Innovation, breakthrough ideas and great features can go hand in hand with user privacy—and they must.
Realizing technology’s potential depends on it.
That’s why I and others are calling on the U.S. Congress to pass comprehensive federal privacy legislation—a landmark package of reforms that protect and empower the consumer. Last year, before a global body of privacy regulators, I laid out four principles that I believe should guide legislation:
First, the right to have personal data minimized. Companies should challenge themselves to strip identifying information from customer data or avoid collecting it in the first place. Second, the right to knowledge—to know what data is being collected and why. Third, the right to access. Companies should make it easy for you to access, correct and delete your personal data. And fourth, the right to data security, without which trust is impossible. (Editors note: there is a lot packed into this one paragraph. Granting individuals this simple package of rights changes everything about the way businesses have collected, managed, secured, shared and processed data. This is what many businesses are resisting, primarily due to the cost of re-thinking their current practices and making rapid changes.)
But laws alone aren’t enough to ensure that individuals can make use of their privacy rights. We also need to give people tools that they can use to take action. To that end, here’s an idea that could make a real difference.
One of the biggest challenges in protecting privacy is that many of the violations are invisible. For example, you might have bought a product from an online retailer—something most of us have done. But what the retailer doesn’t tell you is that it then turned around and sold or transferred information about your purchase to a “data broker”—a company that exists purely to collect your information, package it and sell it to yet another buyer.
The trail disappears before you even know there is a trail. Right now, all of these secondary markets for your information exist in a shadow economy that’s largely unchecked—out of sight of consumers, regulators and lawmakers.
Let’s be clear: you never signed up for that. We think every user should have the chance to say, “Wait a minute. That’s my information that you’re selling, and I didn’t consent.”
Meaningful, comprehensive federal privacy legislation should not only aim to put consumers in control of their data, it should also shine a light on actors trafficking in your data behind the scenes. Some state laws are looking to accomplish just that, but right now there is no federal standard protecting Americans from these practices. That’s why we believe the Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.
As this debate kicks off, there will be plenty of proposals and competing interests for policymakers to consider. We cannot lose sight of the most important constituency: individuals trying to win back their right to privacy. (Editor’s note: GDPR and the EU is managing this through the Data Protection Authorities (DPAs). For example the ICO have fined Aggregate IQ the maximum allowed under GDPR – $20 million euro or 4% of their global revenue – whichever is most – for their mis-use of personal data to manipulate the Brexit vote.)
Technology has the potential to keep changing the world for the better, but it will never achieve that potential without the full faith and confidence of the people who use it.