U.S. consumer privacy laws are, to put it bluntly, a mess. We have sectoral laws that provide different protections for financial information, cable and phone subscriber records, health privacy and yes, video rentals. But we are the only country in the OECD except for Turkey that fails to provide baseline protections for consumer data that is collected online and offline.
Every day, our personal data are scattered like breadcrumbs to pigeons in the park, across the Internet and beyond to advertisers, social network sites, data brokers, direct marketers and the myriad companies we do business with. Our privacy laws simply haven't kept pace with our capacity to collect, process and share personal information.
The Federal Trade Commission (FTC) has pushed about as far as it can with its limited power to go after bad guys for unfair or deceptive practices, but that case-by-case focus on instances where companies deceive consumers is just not enough. Companies simply hide behind ponderous and undecipherable privacy policies that do nothing to protect privacy, written by lawyers who are looking out for their companies -- not you.
But we might make progress yet. A recently introduced bill from Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) would create for the first time a commercial privacy "Bill of Rights." It is the first comprehensive privacy bill in the Senate in more than a decade.
Given the rancor in Congress these days, the simple fact that this bill is a bipartisan effort speaks volumes.
Lawmakers are quickly wising up to the importance of consumer privacy. The bill gets a lot of things right, though there are several things my organization, the Center for Democracy and Technology, would change. But at least for today, let's focus on the things the bill does right.
Senate Bill Requires Basic Principles for Companies That Collect Personal Data
The bill would require basic Fair Information Practice Principles for all companies that collect personal data both online and offline. In practice, this means you get clearer, more timely and understandable notice when your information is collected.
Companies will have to tell you exactly what they are planning to do with your information, collect only what they need to accomplish that purpose and hold on to your data only as long as they need it for the stated purpose. You will be able to opt out of third-party advertising, and that opt-out needs to be global and persistent over time.
Security rules will be strengthened, as will your right to access the information that a company holds about you. If it's wrong, you can fix it. Both the FTC and State Attorneys General would have power to enforce the new law and impose significant civil penalties for violations, up to $6 million in civil fines.
The bill also has a requirement that companies engage in "Privacy by Design," which means they have to have internal processes in place to consider how to protect privacy as a product or service is first developed.
Finally, in order to make sure that these high level obligations can be tailored to different industries, the bill encourages companies to collaborate with consumer groups and others to develop industry-specific codes that incorporate and build upon the law's requirements. It is then up to the FTC to review those codes and approve the ones that pass muster.
This flexible approach should work for every industry and avoids rigid mandates that might dampen innovation or freeze privacy practices that might quickly be outdated.
As the bill winds its way through Congress, it's important not to get distracted by side issues. One that most worries me is the "teen privacy" debate. To be sure, there is a lot to worry about here: data-sharing by teens on social networking sites, behavioral advertising, data collection by mobile applications, and sketchy advertising campaigns.
These valid concerns have led to all kinds of ideas -- extending existing parental consent laws aimed at young children to teens, mandating an eraser button on social networks and establishing a Do Not Track requirement just for teens.
These, however, are little more than bright shiny objects that make for good sound bites but don't make a lot of sense as legal mandates. In order for sites to comply, they'd have to collect identifying information from every user, to sort the teens from the adults, before anyone could use the site. That doesn't sound particularly privacy-protective to me. Teen-specific laws would also get Congress tangled up in constitutional questions about teen rights and technology mandates.
We have to remember that the United States has almost no privacy protections for our personal data whether we are 15 or 85. That is why we need to keep our eyes focused on the real prize: a comprehensive privacy law that protects everyone's data.
Is the Kerry-McCain bill perfect? No, but it is a good place to begin. If we wait for perfect, we wait forever; this bill is better -- and more comprehensive -- than anything the Senate has seen in ten years. It gets us most of the way there, and with some critical tweaks, it will get us darn close. We need a consumer privacy bill that will protect data across all sectors, online and off, and provide the flexibility to meet future technology challenges. The time to get it done is now.