DATA AND CONSUMER PRIVACY
Policy Note
The new digital economy presents a myriad of opportunities for individual consumers and companies to achieve better products, services, and information.
As the economics of personal data and access to personal data grow, there is a need to better understand and communicate the importance of how data is collected, shared, and used to provide consumers with products and services that improve their lives.
In this policy note, the Consumer Choice Center presents several recommendations to lawmakers and regulators in key jurisdictions, hoping to better inform the next generation of legislation related to data and consumer privacy. This builds on our previous primer on consumer privacy and data security, released in 2019.
EXECUTIVE SUMMARY
Several legislative efforts on data brokers, privacy, and data collection have been implemented in states such as California and Vermont, as well as the General Data Protection Regulation in the European Union, but they take the position of making it more complex and convoluted for firms and consumers alike to handle consumer data.
These existing data laws limit the opportunities for consumers and entrepreneurs to benefit from the exchanges of data that have proven integral to providing value in all of our lives, especially in the midst of a pandemic. What’s more, these rules often target entrepreneurs and legal businesses while downplaying the significant impact of piracy, hackers, and criminal activity.
What consumers need and want from the data economy are high levels of assurance when it comes to privacy, stewardship, accessibility, encryption, and portability. Many private-sector solutions exist, and we should champion the best to provide the best options for consumers. We should also try to avoid laws that would encourage frivolous lawsuits, create a patchwork of rules across jurisdictions, and facilitate identity and intellectual property theft.
RECOMMENDATIONS
Champion Innovation
Defend Portability
Allow Interoperability
Embrace Technological Neutrality
Avoid Patchwork Legislation
Promote and Allow Strong Encryption
WHAT TO AVOID
In California, the Consumer Privacy Act of 2018 requires that companies calculate the value of individual data, provide opt-outs, inform consumers if their data is being sold, allow consumers to request that data be deleted (right to be forgotten), and give consumers access to the data collected by said firms in readable formats.
Vermont’s privacy law requires companies to inform consumers of data breaches directly, and also prohibits some forms of targeted advertising specifically when it comes to students.
Both of these laws contain elements of the EU’s GDPR, which has now been in effect for close to 3 years. As has been noted by several analysts, the enormous compliance costs and efforts have meant a significant reduction in both investment and market activity from small and medium-sized firms that work with data. What’s more, European users have since been cut off or blocked from using many services outside EU jurisdiction as firms try to avoid running afoul of the strict regulation. That has resulted in fewer products and services available to European citizens.
These previous attempts at privacy laws are flawed for the following reasons:
First, many parts of these laws stymie and prevent innovation. By making it more difficult and costly for firms to handle consumer data, companies are less incentivized to invest resources in innovative consumer services and offerings, resulting in less consumer choice and a higher barrier to entry for new competitors.
Second, at least in the cases of Vermont and California, these laws create a patchwork of regulation that makes compliance difficult or nearly impossible for firms operating in both the national and global marketplace, thereby driving up costs and depriving consumers of these firms’ services irrespective of which state they reside in. A national law or widely adopted (and ideally global) industry self-regulation, which protects consumer privacy and also champions innovation, would be preferred.
Third, calculating data value for each and every firm’s customer and detailing every aspect of how that data is used is nearly impossible, vastly increasing costs for services that will inevitably be passed on to consumers.
Fourth, these laws do not take into consideration existing business practices that already provide adequate consumer and data protection, and have thus been used as industry standards. They also thwart innovation practices such as targeted advertising, geo-targeting, and personalization, which consumers prefer.
Last, each of these privacy laws further emboldens litigiousness, sparking new lawsuits and trials that would serve to vastly increase the cost of normal consumer products and services.
CHAMPION INNOVATION
Considering that thousands of firms have both safeguarded and used consumer data responsibly, lawmakers should seek to create clear and uniform rules that respect current standards, allow innovation, and provide clarity to both firms and consumers. Privacy rules that place an undue burden on companies following the law, rather than target the most blatant examples of data breaches and impropriety, will end up raising the cost of doing business and thus raise prices for consumers.
There should be recognition that consumers willingly give data to firms in order to receive a final service or good that will be useful to them. As long as proper procedures are followed, and no data is leaked or changes hands without authorization, there should be no additional regulatory requirements that would serve to complicate a consumer’s voluntary relationship with a firm.
DEFEND PORTABILITY
Consumer-friendly data portability should be a reasonable standard applied to most firms that complete data transactions. Most of today’s firms allow personal data to be exported for review, but that data should also remain confidential and secure to avoid potential exploitation. If portability standards are kept too lax, this would be an invitation to hackers and pirates looking to profit from identity or intellectual property theft.
Given the fast pace at which this environment changes, industry standards might be a more agile way of enforcing portability as compared to regulation.
ALLOW INTEROPERABILITY
Where necessary, firms should be incentivized to maintain open data standards that can be used between platforms. However, considering the fast-moving nature of data structures and standards, lawmakers should avoid favoring a particular method of data collection or export, whether that be JSON, HTML, or otherwise.
Rather, a broad principle of “technological neutrality” would allow the best standards to naturally evolve rather than be arbitrarily determined by regulatory bodies. Enforcement of interoperability standards would therefore be agreed to by firms handling data, and not necessarily determined by law. Consumers should ultimately decide if they want a service or product that either allows interoperability or not. The wide acceptance of apps and standards such as Apple CarPlay shows that most companies favor such standards that allow consumers to benefit by “plugging in”.
EMBRACE TECHNOLOGICAL NEUTRALITY
Because standards and technologies change so quickly, lawmakers should avoid legislation that favors a particular method or technology in data privacy rules. Applying a uniform rule on the format or process of technology would serve to limit the amount of innovation and natural evolution that currently defines our existing tech sector.
In all cases, legislation should embrace and encourage competition and consumer preference to determine the best technology. Technology changes too quickly, and too much regulation might keep new technologies and standards from emerging as fast as they could within a more flexible framework.
AVOID PATCHWORK LEGISLATION
Due to the ever-growing consumer base across both state lines and international borders, state-by-state regulations that would impose different rules on different residents should be avoided. This patchwork of legislation would increase the cost of delivering services in an efficient manner, and would likely stunt the availability of various products or services to consumers in various jurisdictions.
As such, a broad and agile uniform standard should be agreed to at the federal level, rather than by individual states or municipalities.
PROMOTE AND ALLOW STRONG ENCRYPTION
The use of encryption by both individuals and firms is essential to our digital rights online. Many legislative proposals since the 1990s have attempted to outlaw cryptographic methods of securing and encrypting data. Most of these proposals have been justified on national security and law enforcement grounds. That said, existing laws on judicial warrants and Fourth Amendment protections apply to firms, and there is no reason to believe that a ban on encryption would make this easier or more productive.
Lawmakers should recognize citizens’ rights to encrypt and protect information and should extend this to the proprietary encryption methods that firms and companies use that serve their customers. Protecting rights to encryption is a safe and effective method to ensure consumer and data privacy can be upheld, whether that be medical data, personally-identifiable information, or financial data.
CONCLUSION
As we have outlined, there are examples of existing laws on data and consumer privacy that go far beyond the scope of consumer protection. Often, these laws serve to thwart innovation and slow down the progress that firms and companies can deliver to their customers. What’s more, a regulatory approach that is far too restrictive or cumbersome will serve large incumbent players that can afford the additional costs while locking out start-ups and new competitors.
If the legislative recommendations of championing innovation, defending portability, allowing interoperability, embracing technological neutrality, and protecting strong encryption are followed, consumers can be assured that their data and information can be protected, kept secure, and responsibly utilized by firms and companies to provide all of us with the value that we seek.