Though consumers have a fundamental right to privacy, there is no comprehensive federal privacy law granting consumers baseline privacy and security protections. Apps, including dating and period-tracking apps, send sensitive personal information on consumers (such as location data) to dozens, if not hundreds, of companies for advertising and profiling. Our personal information can be sold without our permission or awareness, or otherwise disseminated in ways that could mean getting charged more for insurance, or even facing job discrimination.
In the absence of effective action from Congress, momentum for privacy and data security laws has moved to the states. But existing models are inadequate — companies have found loopholes to circumvent both the opt-in (like Europe’s General Data Protection Regulation) and opt-out models (such as the California Consumer Privacy Act). That’s why Consumer Reports is proposing a model state privacy bill that, instead of taking an opt-in or opt-out approach, protects consumer privacy by prohibiting companies from engaging in privacy-invasive behaviors. In addition to deletion, access, portability, correction, and data security rights, the Model Act ensures that consumers’ privacy is protected by default, by providing:
- Data minimization and a broad prohibition on secondary data sharing. Consumers should be able to use an online service or app safely without having to take any action. This model bill ensures privacy by default by limiting data collection and sharing to what is reasonably necessary to operate the service requested by the consumer. Consumers aren’t forced to navigate countless confusing opt-outs, and can’t be bombarded with abusive consent dialogs.
- Non-discrimination. This model bill cuts off exploitative programs that could separate consumers into privacy haves and have-nots, and clarifies that legitimate loyalty programs that reward consumers for repeated patronage are supported by this bill.
- Strong enforcement. Strong enforcement is essential to make sure that companies comply. This model bill provides a private right of action, enables city and county attorneys to enforce the Act, and ensures that there is no “right to cure” in administrative enforcement.
This model will help address problems that have plagued existing privacy laws. For example, consumers have struggled to exercise their new privacy rights under the California Consumer Privacy Act (CCPA). Because of its opt-out model, to fully protect their privacy, consumers would have to opt out of the sale of their information at hundreds, if not thousands of different companies. Some “do not sell” processes involve multiple, complicated steps to opt out, including downloading third-party software. And some adtech platforms and publishers, including Google and Facebook, have exploited ambiguities in the CCPA to avoid opt-out requests at all. The recently-ratified California Privacy Rights Act will help close up these loopholes — but those provisions will not go into effect until 2023.
Opt-in models can also fail to protect consumers. In response to Europe’s recently enacted General Data Protection Regulation, websites bombard consumers with nonstop permission dialogs to consumers to consent to more sharing that they intended through the use of dark patterns — deceptive interfaces that subvert user intent. Users who click “OK” to vague prompts are alleged to have consented to the collection and sharing of their data for any number of purposes. Consumers shouldn’t be tricked into unrelated data sharing; it should simply be restricted.
Instead, problematic data sharing should simply be prohibited. Companies should be allowed to collect and use the data that is necessary to deliver the product or service a consumer has requested — along with narrow, specified operational uses — all without onerous consent interfaces. On the other hand, other disclosures of personal information — like selling information to data brokers or sharing with advertisers — should be off limits. This approach is reflected in legislation such as U.S. Senator Sherrod Brown’s Data Accountability and Transparency Act of 2020, and California Assemblymember Buffy Wicks’s Minimization of Consumer Data Processing Act (2020).
Clearly, existing privacy laws put too much of the burden on consumers to protect their own privacy — an approach that is impractical and ineffective. We’ve spent the last two years learning from mistakes in implementation of the GDPR and the CCPA, and other states have the opportunity to benefit by moving forward with more effective approaches. Several states, including Washington, are considering privacy legislation this year, building off of the momentum of the CCPA and the recent passage of Prop. 24. Now is the time to ensure that consumers have the privacy protections they need.