In the constant David-and-Goliath struggle between digital privacy advocates and corporate privacy invaders, the question of how to legally protect Americans with a comprehensive, federal data privacy law provides conflicting answers. Advocates want protections, which Big Tech interprets as restrictions.
As of today, there is no one digital privacy law to rule them all. A few state laws protect consumer privacy here in the US, but no overarching national legislation comparable to the European Union's General Data Protection Regulation (GDPR) has yet arrived.
US-based corporations must comply with GDPR when they offer goods or services to, or monitor the behavior of, people in the EU, but that protection covers only their European customers, and many have found convenient workarounds. Who will protect the American user? Smaller tech? Privacy-forward tech? What about we-don't-have-a-lobbying-war-chest tech? How do they feel about a federal privacy law?
For months, Malwarebytes Labs has reported on data privacy laws in the United States and abroad. But the question of federal legislation that applies to the entire country has gone unanswered, as multiple Senate proposals have yet to move forward.
Further, despite Big Tech's recently-avowed commitment to regulation, those same companies are reportedly funding efforts to dismantle newly-enacted stateside data privacy protections.
But earlier this year, a group of tech companies took the opposite stance: they wanted to strengthen one of those same state privacy protections. This tech group included some of the most recognizable company names in user privacy: DuckDuckGo, Ghostery, ProtonMail, Lavabit, Brave, Vivaldi, Purism, and Disconnect.
We asked those companies to broaden their sights beyond state legislation. What did they want, if anything, from a federal data privacy law for the United States?
For many of these privacy-forward companies, a federal data privacy law would be far from restrictive. Instead, it is considered necessary.
Todd Weaver is the founder and chief executive of Purism. He supports a federal data privacy law, so long as it isn't stripped of meaningful user protections and doesn't create barriers to success for startups and mid-sized companies. Federal legislation could be, Weaver said, the one way to finally defend the public from an ongoing digital privacy crisis.
"We're talking about the exploitation of people in the digital world, and this is a giant problem," Weaver said. He continued:
> "The problem can be boiled down to things that nobody should ever know. Those are where people are, what people do, and who talks to whom."
In the US, those pieces of information are far from protected, though. Where we are, what we do, and who we talk to fuels a massive corporate surveillance machine driven by social media behemoths, aggressive online tracking, and unseen data brokers, all motivated by continuously-climbing advertising revenue. No current law forbids much of this.
So how do we fix it? Here are a few ideas from privacy advocates.
Last year, California's then-governor Jerry Brown signed the California Consumer Privacy Act (CCPA). Effective January 1, 2020, the CCPA grants Californians the right to know what data is collected on them and whether that data is sold, the option to opt out of those sales, and the right to access that data.
In April, privacy search engine DuckDuckGo, joined by 23 other technology companies, sent a letter to the California Assembly's Privacy Committee asking that the law be bolstered. The requested improvements, DuckDuckGo wrote, would include the right to opt out of having information shared, not just sold, and the right to sue companies that violated any privacy provision of the CCPA.
Helen Horstmann-Allen, chief operating officer at email provider Fastmail (which signed onto DuckDuckGo's letter), said she would appreciate seeing legislation similar to the CCPA go national.
"We were pleased to see California take the lead with their privacy laws to reflect how companies do business today. Expanding the scope of privacy legislation recognizes that companies don't need to sell data to violate consumer privacy," Horstmann-Allen said. "We'd love to see this type of legislation move on the national level as well. Privacy rights shouldn't end at the state line."
Jeremy Tillman, director of product at the ad-blocking browser extension Ghostery, made similar comments in a 2018 opinion piece for The Hill:
"If there is serious traction for federal consumer privacy legislation, which there absolutely should be, the California Consumer Protection law can serve as a solid template to model future laws after."
California's privacy law received a major setback this year when a proposed amendment did not pass one of the state's Senate committees. The amendment, SB 561, would have given Californians the right to sue a company that violated any privacy rights described in the CCPA.
Currently, CCPA only gives Californians the right to sue a company for the harm of a data breach. Though a novel inclusion when compared to the dearth of privacy protections across the nation, some argue that broader opportunities to go to court are needed.
"If you can't sue or do anything to go after these companies that are committing these atrocities, where does that leave us?" Weaver said. "We've already seen that with the CCPA in California."
At least 40 bills have been introduced in California with the near-uniform purpose of amending the CCPA into a weaker version of itself. AB 846, for example, would have limited the CCPA's prohibition on discriminating against consumers who exercise their rights. AB 873 would have pared down the definition of individuals' personal information.
More attempts to weaken the CCPA remain, Weaver said.
"One of those bills is just about defanging the entire regulation," Weaver said. "If you do that, if you defang, [the law] is just paper."
Ghostery's Tillman echoed the above sentiments that any federal data privacy legislation should "hold big tech accountable for their deceptive data collection practices," but he added:
"[It] should require that any data collection occur as part of a transparent, easy-to-understand transaction where the cost to consumers is clear, enabling them to be knowing and voluntary participants in an ad-supported and data-driven economy."
Johnny Ryan, chief policy officer for the privacy-focused web browser Brave, testified earlier this year before the US Senate Judiciary Committee about a potential federal data privacy law. Such a law, Ryan said, should hew closely to the standards of a popular, across-the-pond framework: the European Union's General Data Protection Regulation (GDPR).
"We view the GDPR as essential," Ryan said in an email to Malwarebytes Labs. "It can establish the conditions to allow young, innovative companies like ours to flourish."
Ryan told the committee that two elements within the GDPR can both protect Americans' data and give small companies an opportunity to meaningfully compete with Silicon Valley's biggest, most entrenched businesses. Those two provisions are the "purpose limitation" principle, which protects people's data from being used in ways they could not anticipate, and the ability to easily withdraw consent to a company's data processing.
"These two GDPR tools, the 'purpose limitation principle', plus the ease of withdrawal of consent, enable freedom," Ryan told the committee. "Freedom for the market of users to softly 'break up', and 'un-break up', big tech companies by deciding what personal data can be used for."
Further, Ryan said to Malwarebytes Labs, a US federal data privacy law inspired by GDPR, particularly in how it defines concepts like personal data, opt-in consent, and profiling, would give technology companies a streamlined path toward compliance, since many have already done the work of complying with GDPR.
"The standard of protection in a federal privacy law, and the definition of key concepts and tools in it, should therefore be compatible and interoperable with the emerging GDPR de facto standard that is being adopted globally," Ryan said.
Ever since Americans learned about a European consultancy's effort to sway the 2016 US Presidential election by harvesting the Facebook data of tens of millions of non-consenting users, individual US states have clamped down hard on data misuse against their residents.
California passed the CCPA. Vermont passed a law regulating data brokers. Maine passed a law placing restrictions on how Internet service providers share Mainersâ personal information.
But those state laws could be in trouble if a federal data privacy law calls for their nullification. Such a provision exists in both Senator Marco Rubio's data privacy bill and in the draft privacy legislation written by the Center for Democracy and Technology.
This superseding provision, called "pre-emption," is unacceptable to Brave.
"The federal law should be of equal or higher standard to state laws, and should not undermine state laws," Ryan said.
When explaining what he would like to see in a federal privacy bill, Weaver repeatedly returned to the idea of a "Digital Bill of Rights." It is an idea his company has already acted on, having written out and implemented several of the principles.
Included in the companyâs Digital Bill of Rights are:
A digital bill of rights is a rare find for any technology company, but Weaver explained that Purism is not guided by the same rules as Big Tech. Because Purism has incorporated as a "social purpose company," it is not obliged to maximize shareholder value. Instead, it is obliged to fulfill the principles written in its articles of incorporation.
Those "Purist Principles," Weaver explained, guide the company every day.
"It allows everyone, including me, our employees, to advance our causes before caring about profits or maximizing shareholder value," Weaver said.
One last, important aspect of the rights described in the Purist Principles is that none of them can be removed by a company's terms of service.
"If this was established at the federal level," Weaver said, "this is saying 'These are your rights, and nobody can remove these rights inside a Terms of Service [agreement] that nobody reads.'"
The post What should a US federal data privacy law ideally include? appeared first on Malwarebytes Labs.