Privacy is on a winning streak and that is good for every single internet and smartphone user, or in today’s connected world, almost everyone. With the passage of the California Consumer Privacy Act, our most populous state has taken bold action to protect the privacy rights of its residents, and now it’s time for Congress to act so all Americans enjoy these same rights.
The California bill, which follows on the heels of Europe’s General Data Protection Regulation, gives Californians more control over their personal data and places controls on how companies can use it. It’s far from perfect and the process to passage was messy, but it’s real progress. The bill takes a significant step toward bringing greater balance to the power dynamic between individuals and the companies that control our digital world.
What the bill gets right is that it gives consumers the ability to request deletion of their data, and enables them to say no to having their data sold to third parties. It also requires companies to share far more information about the data they collect and who they share it with, and it has strong enforcement mechanisms, including the ability to fine companies that fail to effectively secure sensitive data. It falls short on the right of individuals to take action against companies that misuse their data, has a mish-mash of definitional issues that could lead to uneven application, and doesn’t cover businesses with fewer than 50,000 customers.
These shortcomings can be addressed through comprehensive federal privacy legislation and now there is real momentum behind it. Spurred by the action in Europe and the broad outcry against Cambridge Analytica’s manipulative misuse of Facebook user data, the White House is convening discussions around privacy and there are numerous bills percolating in Congress. These efforts need to go beyond notice and access rights. They must codify Americans’ expectations of privacy and give users real agency in their data transactions.
Individual agency is the ability of each and every American to move about freely in life, and to use digital technologies and services, without the fear of ubiquitous surveillance. Being connected in all aspects of our daily lives cannot mean that private and government actors have access to all of the information about our movements, feelings, and relationships. The Supreme Court’s recent decision in Carpenter affirmed that we can have a reasonable expectation of privacy in sensitive information about our lives—like our locations—even if that data is transmitted to a third party. These expectations of privacy should extend to private companies. For example, just because a company has access to our location data doesn’t mean they should be allowed to use it in unexpected and harmful ways, as was the case when Strava used users’ location to create heat maps that revealed the location of military bases. Location privacy with respect to private companies should be codified in federal law.
Finally, federal legislation must go beyond basic transparency requirements of what data is collected and how it is used. It should enforce transparency beyond dense, unreadable privacy policies and ensure that the design of technologies and platforms allows users to understand, in real time and in context, where their data is going and the benefits and risks of disclosing it.
The internet and internet-enabled data collection are woven into the fabric of our daily lives, and that is not changing. Now is the time for Congress to act, and California’s ongoing leadership on human-centric policies governing tech and internet policy might just be the catalyst we need.