Data and Consumer Privacy


Policy Note

The new digital economy presents a myriad of opportunities for individual consumers and companies to achieve better products, services, and information.

As the economics of personal data and access to personal data grow, there is a need to better understand and communicate the importance of how data is collected, shared, and used to provide consumers with products and services that improve their lives.

In this policy note, the Consumer Choice Center presents several recommendations to lawmakers and regulators in key jurisdictions, hoping to better inform the next generation of legislation related to data and consumer privacy. This builds on our previous primer on consumer privacy and data security, released in 2019.


Several legislative efforts on data brokers, privacy, and data collection have been implemented in states such as California and Vermont, as well as the General Data Protection Regulation in the European Union, but they take the position of making it more complex and convoluted for firms and consumers alike to handle consumer data.

These existing data laws limit the opportunities for consumers and entrepreneurs to benefit from the exchange of data that has proven integral to providing value in all of our lives, especially in the midst of a pandemic. What’s more, these rules often target entrepreneurs and legal businesses while downplaying the significant impact of piracy, hackers, and criminal activity.

What consumers need and want from the data economy are high levels of assurance when it comes to privacy, stewardship, accessibility, encryption, and portability. Many private-sector solutions exist, and we should champion the best to provide the best options for consumers. We should also try to avoid laws that would encourage frivolous lawsuits, create a patchwork of rules across jurisdictions, and facilitate identity and intellectual property theft.



  • Champion Innovation
  • Defend Portability
  • Allow Interoperability
  • Embrace Technological Neutrality
  • Avoid Patchwork Legislation
  • Promote and Allow Strong Encryption


In California, the Consumer Privacy Act of 2018 requires that companies calculate the value of individual data, provide opt-outs, inform consumers if their data is being sold, allow consumers to request that data be deleted (right to be forgotten), and allow consumers access to the data collected by said firms in readable formats.

Vermont’s privacy law requires companies to inform consumers of data breaches directly, and also prohibits some forms of targeted advertising specifically when it comes to students.

Both of these laws contain elements of the EU’s GDPR, which has now been in effect for close to 3 years. As has been noted by several analysts, the enormous compliance costs and efforts have meant a significant reduction in both investment and market activity from small and medium-sized firms that relate to data. What’s more, European users have since been cut off or blocked from using many services outside EU jurisdiction as firms are avoiding running afoul of the strict regulation. That has resulted in fewer products and services available to European citizens.

These previous attempts at privacy laws are flawed for the following reasons:

First, many parts of these laws stymie and prevent innovation. By making it more difficult and costly for firms to handle consumer data, companies are less incentivized to invest resources in innovative consumer services and offerings, resulting in less consumer choice and a higher barrier of entry for new competitors.

Second, at least in the cases of Vermont and California, these laws create a patchwork of regulation that makes compliance difficult or nearly impossible for firms operating in both the national and global marketplace, thereby driving up costs and depriving consumers of these firms’ services irrespective of which state they reside in. A national law or widely adopted (and ideally global) industry self-regulation, which protects consumer privacy and also champions innovation, would be preferred.

Third, calculating data value for each and every firm’s customer and detailing every aspect of how that data is used is nearly impossible, vastly increasing costs for services that will inevitably be passed on to consumers.

Fourth, these laws do not take into consideration existing business practices that already provide adequate consumer and data protection, and have thus been used as industry standards. They also thwart innovative practices such as targeted advertising, geo-targeting, and personalization, which consumers prefer.

Last, each of these privacy laws further emboldens litigiousness, sparking new lawsuits and trials that would serve to vastly increase the cost of normal consumer products and services.


Considering that thousands of firms have both safeguarded and used consumer data responsibly, lawmakers should seek to create clear and uniform rules that respect current standards, allow innovation, and provide clarity to both firms and consumers. Privacy rules that place an undue burden on companies following the law, rather than target the most blatant examples of data breaches and impropriety, will end up raising the cost of doing business and thus raise prices for consumers.

There should be recognition that consumers willingly give data to firms in order to receive a final service or good that will be useful to them. As long as proper procedures are followed, and no data is leaked or changes hands without authorization, there should be no additional regulatory requirements that would serve to complicate a consumer’s voluntary relationship with a firm.


Consumer-friendly data portability should be a reasonable standard applied to most firms that complete data transactions. Most of today’s firms allow personal data to be exported for review, but that data should also remain confidential and secure to avoid potential exploitation. If portability standards are kept too lax, this would be an invitation to hackers and pirates looking to profit from identity or intellectual property theft.

Given the fast pace at which this environment changes, industry standards might be a more agile way of enforcing portability as compared to regulation.


Where necessary, firms should be incentivized to maintain open data standards that can be used between platforms. However, considering the fast-moving nature of data structures and standards, lawmakers should avoid favoring a particular method of data collection or export, whether that be JSON, HTML, or otherwise.

Rather, a broad principle of “technological neutrality” would allow the best standards to naturally evolve rather than be arbitrarily determined by regulatory bodies. Enforcement of interoperability standards would therefore be agreed to by firms handling data, and not necessarily determined by law. Consumers should ultimately decide if they want a service or product that either allows interoperability or not. The wide acceptance of apps and standards such as Apple CarPlay shows that most companies favor such standards that allow consumers to benefit by “plugging in”.


Because standards and technologies change so quickly, lawmakers should avoid legislation that favors a particular method or technology in data privacy rules. Applying a uniform rule on the format or process of technology would serve to limit the amount of innovation and natural evolution that currently defines our existing tech sector.

In all cases, legislation should embrace and encourage competition and consumer preference to determine the best technology. Technology changes too quickly and too much regulation might limit new technologies and standards from emerging as fast as they could within a more flexible framework.


Due to the ever-growing consumer base across both state lines and international borders, state-by-state regulations that would impose different rules on different residents should be avoided. This patchwork of legislation would increase the cost of delivering services in an efficient manner, and would likely stunt the availability of various products or services to consumers in various jurisdictions.

As such, a broad and agile uniform standard should be agreed to at the federal level, rather than individual states or municipalities.


The use of encryption by both individuals and firms is essential to our digital rights online. Many legislative proposals since the 1990s have attempted to outlaw cryptographic methods of securing and encrypting data. Most of these proposals have been justified on national security and law enforcement grounds. That said, existing laws on judicial warrants and Fourth Amendment protections apply to firms, and there is no reason to believe that a ban on encryption would make this easier or more productive. 

Lawmakers should recognize citizens’ rights to encrypt and protect information and should extend this to the proprietary encryption methods that firms and companies use that serve their customers. Protecting rights to encryption is a safe and effective method to ensure consumer and data privacy can be upheld, whether that be medical data, personally-identifiable information, or financial data.


As we have outlined, there are examples of existing laws on data and consumer privacy that go far beyond the scope of consumer protection. Often, these laws serve to thwart innovation and slow down the progress that firms and companies can deliver to their customers. What’s more, a regulatory approach that is far too restrictive or cumbersome will serve large incumbent players that can afford the additional costs while locking out start-ups and new competitors.

If the legislative recommendations of championing innovation, defending portability, allowing interoperability, embracing technological neutrality, and protecting strong encryption are followed, consumers can be assured that their data and information can be protected, kept secure, and responsibly utilized by firms and companies to provide all of us with the value that we seek.



Yaël Ossowski
Deputy Director

David Clement
North American Affairs Manager

