(Ed. Note: The “Innovation Fact of the Week” appears as a regular feature in each edition of ITIF’s weekly email newsletter. Sign up today.)
U.S. privacy law is at a crossroads. Many consumers are confused and frustrated by how frequently organizations report massive data breaches or confess to misusing people’s sensitive information. This has created a groundswell of support for new laws to hold them accountable. But while there is now bipartisan agreement on the need for federal privacy legislation, there is no clear consensus on what it should look like.
The biggest risk is inaction. In the absence of federal legislation, states will continue responding to the public’s concerns. In March, Virginia became the second state, after California, to pass a sweeping consumer privacy law, and a number of other states, from Florida to Washington, are considering similar bills. Across the nation, many companies are watching with considerable trepidation, because they fear that a coming wave of state privacy laws will create a fragmented regulatory landscape, which will impose significant compliance costs and undermine their ability to responsibly use data to innovate and deliver value to consumers.
Rather than continue debating the same proposals of the past, Congress needs a new approach. Consumers clearly want stronger privacy laws, but imposing a European-style data protection law on American businesses during a global pandemic is going to slow economic recovery by saddling companies with unnecessary red tape while limiting beneficial uses of data. What the country needs instead is to compromise on new data privacy legislation that empowers consumers but also reduces regulatory burdens. It should simultaneously expand and simplify consumers’ data privacy rights, reduce compliance costs from existing state and federal regulations, and enable continued innovation throughout the data-driven economy.
To accomplish all of that, Congress will need to craft legislation that does four main things:
First, lawmakers should establish uniform privacy rules for the entire nation, preempting state and local privacy laws. Consumers should have the same protections regardless of where they live, and companies shouldn’t be faced with 50 different sets of laws and regulations. And then Congress should go further. The U.S. code is littered with privacy statutes—from major sections on health and financial data to narrow ones on video rental histories—and each one has its own set of rules to comply with. Congress should create a roadmap to repeal and replace all of them with a single, comprehensive data privacy law. Such a major overhaul may sound daunting, but the alternative—adding another layer to the pile—will only undermine the purpose of new legislation.
Second, this new comprehensive framework should not treat all data the same, but instead create rules that are tailored for different types of data and the contexts in which they are collected. To that end, federal privacy legislation should make a distinction between sensitive and non-sensitive personal data, because sensitive personal data—such as medical or location information—presents higher risk to people it is made public. Moreover, lawmakers should make a distinction between the relatively small group of organizations where consumers have a greater expectation of privacy—especially banks, schools, hospitals, and governments—and everyone else.
The idea is to create a sliding scale where the most sensitive personal data collected in the most sensitive contexts (e.g., a doctor’s office collecting a patient’s health data) is subject to the strictest rules and penalties to prevent misuse, and non-sensitive data collected in a non-sensitive context (e.g., a grocery store tracking what kind of cereal shoppers buy and a website tracking what users click) would be subject to the fewest requirements. The requirements for sensitive data collected in mundane contexts and non-sensitive data collected where consumers have a higher expectation of privacy would be somewhere in the middle. With a tiered set of rules like this, consumers could receive stronger privacy protections where it matters most, and businesses could avoid undue compliance burdens. Worthless privacy notices that simply end up in the trash would be a thing of the past.
The third key feature of comprehensive data privacy legislation should be to establish clear, yet differentiated, consumer rights. For example, consumers should have the right to know how organizations collect and use any of their personal data. And they should have a right to obtain a copy of any sensitive information, such as their financial records, and move it to a competing service. Further, Congress should set consent requirements for data collection, sharing, and use based on the same sliding scale as for the data-protection requirements. For example, banks should need to obtain permission from consumers before analyzing their sensitive financial transactions to predict their health care conditions, but florists should be able to send their loyal customers a coupon unless they opt out. These rules should apply to all organizations, regardless of size, industry, or location.
For this system to work, there will need to be robust enforcement. So, the fourth thing lawmakers will need to do is improve the Federal Trade Commission’s ability to do its job by giving it more resources and expanded authority to fine organizations that impose actual harms on individuals through data misuse. Organizations should only be subject to significant fines if they have caused actual economic harm. Congress should also give the FTC authority to conduct limited rulemakings for data privacy through its public processes for things like deciding the right way for companies to disclose their data handling practices, and act against violators. However, the legislation should be very specific in how the FTC can exercise its authority to ensure regulators stay within bounds. And to limit what would otherwise by a field day for the bar, Congress should limit private right of action.
When this privacy debate gets underway in earnest, there will be calls from one side to maximize consumer privacy no matter the cost (because they believe privacy is a fundamental right), and from the other side to minimize protections in order to avoid costs. But that is a false dichotomy stemming from a false premise. The real goal should not be to focus myopically on consumer privacy, but on the broader public good of consumer welfare. People don’t just want more privacy; they also want low prices and innovative new products and services in a thriving digital economy. They don’t have both in Europe. They could in America.