In the constant David-and-Goliath struggle between digital privacy advocates and corporate privacy invaders, the question of how to legally protect Americans with a comprehensive, federal data privacy law provides conflicting answers. Advocates want protections, which Big Tech interprets as restrictions.
As of today, there is no one digital privacy law to rule them all. While a few state laws exist that protect consumer privacy here in the US, overarching federal legislation, such as the Global Data Privacy Regulation (GDPR) in Europe, has not yet penetrated the market.
US-based corporations must comply with GDPR if they have a global presence, but that's only for their European customers—and many have found convenient workarounds. Who will protect the American user? Smaller tech? Privacy-forward tech? What about we-don’t-have-a-lobbying-war-chest tech? How do they feel about a federal privacy law?
For months, Malwarebytes Labs has reported on data privacy laws in the United States and abroad. But the question of federal legislation that applies to the entire country has gone unanswered, as multiple Senate proposals have yet to move forward.
Further, despite Big Tech’s recently-avowed commitment to regulation, those same companies are reportedly funding efforts to dismantle newly-enacted stateside data privacy protections.
But earlier this year, a group of tech companies stood opposed. They wanted to strengthen one of those same privacy protections. This tech group included some of the most recognizable company names in user privacy: DuckDuckGo, Ghostery, ProtonMail, Lavabit, Brave, Vivaldi, Purism, and Disconnect.
We asked those companies to broaden their sights beyond state legislation. What did they want, if anything, from a federal data privacy law for the United States?
What's the goal?
For many of these privacy-forward companies, a federal data privacy law would be far from restrictive. Instead, it is considered necessary.
Todd Weaver is the founder and chief executive of Purism. He supports a federal data privacy law, so long as it isn’t stripped of meaningful user protections and doesn't create barriers to success for startups and mid-sized companies. Federal legislation could be, Weaver said, the one way to finally defend the public from an ongoing digital privacy crisis.
“We’re talking about the exploitation of people in the digital world, and this is a giant problem,” Weaver said. He continued:
“The problem can be boiled down to things that nobody should ever know. Those are where people are, what people do, and who talks to whom.”
In the US, those pieces of information are far from protected, though. Where we are, what we do, and who we talk to fuels a massive corporate surveillance machine driven by social media behemoths, aggressive online tracking, and unseen data brokers, all motivated by continuously-climbing advertising revenue. No current law forbids much of this.
So how do we fix it? Here are a few ideas from privacy advocates.
Like the CCPA...but better
Last year, California’s then-governor Jerry Brown signed the California Consumer Privacy Act (CCPA). Effective January 1, 2020, the CCPA grants Californians the rights to know what data is collected on them, whether that data is sold, the option to opt out of those sales, and the right to access that data.
In April, privacy search engine DuckDuckGo, joined by 23 other technology companies, sent a letter to the California Assembly’s Privacy Committee asking that the law be bolstered. The requested improvements, DuckDuckGo wrote, would include the right to opt out of having information shared—not just sold—and the right to sue companies that violated any privacy provision of the CCPA.
Helen Horstmann-Allen, chief operating officer at email provider Fastmail (which signed onto DuckDuckGo’s letter) said she would appreciate seeing legislation similar to CCPA go national.
"We were pleased to see California take the lead with their privacy laws to reflect how companies do business today. Expanding the scope of privacy legislation recognizes that companies don’t need to sell data to violate consumer privacy,” Horstmann-Allen said. “We’d love to see this type of legislation move on the national level as well. Privacy rights shouldn’t end at the state line."
Jeremy Tillman, director of product at the ad-blocking browser extension Ghostery, made similar comments in a 2018 opinion piece for The Hill:
“If there is serious traction for federal consumer privacy legislation, which there absolutely should be, the California Consumer Protection law can serve as a solid template to model future laws after.”
A consumer's right to sue for privacy violations
California’s privacy law received a major setback this year when a proposed amendment did not pass one of the state’s Senate committees. The amendment, SB 561, would have given Californians the right to sue a company that violated any privacy rights described in the CCPA.
Currently, CCPA only gives Californians the right to sue a company for the harm of a data breach. Though a novel inclusion when compared to the dearth of privacy protections across the nation, some argue that broader opportunities to go to court are needed.
“If you can’t sue or do anything to go after these companies that are committing these atrocities, where does that leave us?” Weaver said. “We’ve already seen that with the CCPA in California.”
At least 40 bills have been introduced in California with the near-uniform purpose to amend the CCPA into a weaker version of itself. AB 846, for example, would have limited the CCPA’s discrimination prohibition. AB 873 would have pared down the definition of individuals’ personal information.
More attempts to weaken the CCPA remain, Weaver said.
“One of those bills is just about defanging the entire regulation,” Weaver said. “If you do that, if you defang, [the law] is just paper.”
Transparent data collection practices
Ghostery’s Tillman echoed the above sentiments that any federal data privacy legislation should “hold big tech accountable for their deceptive data collection practices,” but he added:
“[It] should require that any data collection occur as part of a transparent, easy-to-understand transaction where the cost to consumers is clear, enabling them to be knowing and voluntary participants in an ad-supported and data-driven economy.”
Design for interoperability with GDPR
Johnny Ryan, chief policy officer for the privacy-focused web browser Brave, testified earlier this year before the US Senate Judiciary Committee about a potential federal data privacy law. Such a law, Ryan said, should hew closely to the standards of a popular, across-the-pond framework: the European Union’s General Data Protection Regulation (GDPR).
“We view the GDPR as essential,” Ryan said in an email to Malwarebytes Labs. “It can establish the conditions to allow young, innovative companies like ours to flourish.”
Ryan told the committee that two elements within the GDPR can help both protect Americans’ data and give opportunities for small companies to meaningfully compete with Silicon Valley’s biggest, most entrenched businesses. Those two provisions are the “purpose limitation” principle—which protects people’s data from being used in ways they could not anticipate—and the ability to easily opt out of a company’s data collection.
“These two GDPR tools, the ‘purpose limitation principle’, plus the ease of withdrawal of consent, enable freedom,” Ryan told the committee. “Freedom for the market of users to softly ‘break up’—and ‘un-break up’—big tech companies by deciding what personal data can be used for.”
Further, Ryan said to Malwarebytes Labs, a US federal data privacy law inspired by GDPR—particularly in defining concepts like personal data, opt-in consent, and profiling—will provide technology companies with a streamlined path toward compliance, since many have already worked toward complying with GDPR.
“The standard of protection in a federal privacy law, and the definition of key concepts and tools in it, should therefore be compatible and interoperable with the emerging GDPR de facto standard that is being adopted globally,” Ryan said.
Do not undermine states’ individual data privacy laws
Ever since Americans learned about a European consultancy’s effort to sway the 2016 US Presidential election by harvesting the Facebook data of tens of millions of non-consenting users, individual US states have clamped down hard on data misuse against their residents.
California passed the CCPA. Vermont passed a law regulating data brokers. Maine passed a law placing restrictions on how Internet service providers share Mainers’ personal information.
But those state laws could be in trouble if a federal data privacy law calls for their nullification. Such a provision exists in both Senator Marco Rubio’s data privacy bill and in the draft privacy legislation written by Center for Democracy and Technology.
This superseding provision—called “pre-emption”—is unacceptable to Brave.
“The federal law should be of equal or higher standard to state laws, and should not undermine state laws,” Ryan said.
A “Digital Bill of Rights”
When explaining what he would like to see in a federal privacy bill, Weaver repeatedly returned to the idea of a “Digital Bill of Rights.” It is an idea his company has already acted on, having written out and implemented several of the principles.
Included in the company’s Digital Bill of Rights are:
- The right to change providers
- Users can take all their data and move it to another service
- The right to protect personal data
- Users “own and control” the master keys to encrypt their data
- The right to verify
- Users can analyze the source code of software operating locally on their machines
- The right to not be tracked
- Users know about and have access to all the collections and uses of their data
- Users can “obtain, correct, or permanently delete personal data”
- User data that is collected for a purpose is deleted after that purpose is fulfilled
- The right to access
- Users will not be “discriminated against nor exploited based on personal data”
A digital bill of rights is a rare find for any technology company, but Weaver explained that Purism is not guided by the same rules as Big Tech. Instead, because Purism has incorporated as a “social purpose company,” it is not obliged to maximize shareholder value. Instead, it is obliged to fulfill the principles written in its articles of incorporation.
Those “Purist Principles,” Weaver explained, guide the company every day.
“It allows everyone, including me, our employees, to advance our causes before caring about profits or maximizing shareholder value,” Weaver said.
One last, important aspect about the rights described in the Purist Principles is that none of them can be removed by a company’s terms of service.
“If this was established at the federal level,” Weaver said, “this is saying ‘These are your rights, and nobody can remove these rights inside a Terms of Service [agreement] that nobody reads.’”