How an “Opt-In” Privacy Regime Would Undermine the Internet Ecosystem

Daniel Castro May 26, 2017

Rep. Marsha Blackburn (R-TN), chairman of the House Communications and Technology Subcommittee, recently introduced legislation that would require all online businesses to follow a uniform framework for asking users to share their sensitive data. The bill, dubbed the BROWSER Act (for: Balancing the Rights of Web Surfers Equally and Responsibly), is a misguided proposal that would change how the government regulates online data, thereby increasing costs for companies, limiting their capacity to innovate, and reducing functionality for consumers—all without increasing privacy for users.

Currently, the lion’s share of businesses operate under a notice-and-choice regime, whereby consumers can review a company’s privacy policy, and then decide whether to use its services. For example, if users read a privacy notice provided by an online service and decide that it does not meet their preferences, they can choose to use a different service. The current privacy regime, therefore, is effectively an “opt-out” system—consumers can decide not to use a service if they do not like its data-handling practices or otherwise do not find the value it provides to be worth the tradeoff. Moreover, many of the most popular websites and Internet service providers allow the minority of users with strong privacy preferences to opt out of data collection and sharing.

The BROWSER Act would put an end to this approach by establishing affirmative consent (“opt in”) requirements for the collection and use of certain data, such as location and web browsing histories. In addition, the bill would restrict companies from conditioning access to their services on whether users choose to share their data. If adopted, these policies would be a disaster for Internet users and companies.

First, obtaining consent is expensive. Forcing companies to obtain affirmative consent to collect and use certain user data would raise their costs and leave them with a few bad options to adapt. They would have to charge consumers more, either by eliminating free services, raising prices on paid ones, or both. Another option, for ad-supported services, would be to increase the quantity and decrease the quality of ads they show users—in other words, present less relevant ads along with more spam and pop-ups. A third likely result is that web companies would be forced to cut costs by lowering the quality of their services. Finally, many companies that rely on data subject to affirmative consent might have to eliminate services altogether, ultimately reducing the diversity of the web and hindering its ability to support new data-driven services and platforms.

Second, requiring companies to obtain affirmative consent would make digital services less user-friendly without increasing privacy. Users who have strong privacy preferences already have the option not to use services if they disagree with a company’s data-collection and use practices, and they often can manage privacy settings for particular sites. This bill would have no actual impact on these users. For the rest—individuals who routinely make trade-offs by exchanging private data for something of value—requiring affirmative consent is a hindrance, as they would be required to spend time granting consent for services they overwhelmingly want to use.

Third, the bill requires providers to allow users to remove their data whenever they wish. This requirement would interfere with companies’ ability to compile and analyze data, which they usually do in ways that boost the quality of services. It would also restrict the ability of businesses to create any service that requires data to be permanent, such as security logs or audit records of online ads. For example, Ethereum—a digital currency business—allows users to store data on its blockchain, a shared public ledger. The BROWSER Act would prevent Ethereum from using this technology, because data in the blockchain cannot be changed or deleted. The bill also would increase costs, as companies, including small Internet companies, would have to hire staff to handle data-removal requests.

Finally, the bill prohibits service providers from refusing to provide service as a “direct or indirect consequence of the refusal of a user to waive any such privacy rights.” While this language is somewhat ambiguous, it would likely prevent companies from requiring consumers to share certain information as a condition of using online services. This would create a free-rider problem for the many sites that depend on revenue from targeted online advertising, because users could refuse to provide the data needed for these ads while still getting access to a site’s content and services. This would be like Congress passing a law prohibiting restaurants from refusing service to customers who choose not to pay. Most customers would realize they would not have to pay, and few restaurants would stay in business.

Congress should reject this legislation, or any similar proposal that attempts to impose opt-in requirements on the digital economy. The only redeeming feature of the BROWSER Act is its pre-emption of state Internet privacy rules—because the only thing worse than a bad law is a patchwork of them. But there is no justification for deviating from the current, successful model of FTC oversight, in which companies are held legally accountable for adhering to their stated privacy policies. Instead of ratcheting up privacy rules, a better approach would be for Congress to clarify uniform FTC oversight over the entire Internet ecosystem, including Internet service providers. Such legislation could help businesses by reducing conflicting and duplicative requirements while providing users with simple and convenient privacy notices.