For decades, the United States treated data privacy like an aging home, patching individual leaks and drafts only when a new storm hit. The country passed a law protecting healthcare-related information, and not much else. It then passed a law protecting video rental information, and not much else. It continued this way, repeatedly passing sector-specific laws while failing to address a problem that, in the past two years, became impossible to ignore.
Data privacy, as protected by law, is broken.
Americans enjoy no federal rights to access their data, correct their data, easily move their data from one company to another, or individually sue a company that invades their private lives online.
Harmed by the Equifax breach? Good luck getting more than literal pennies in the settlement. Shocked that a company shared menstrual tracking info with Facebook? Oh, well. Want to fight back against invasive online trackers? Your options are limited.
Since mid-2018, several US Senators have sought to fix these types of failures, introducing at least nine bills—with six introduced in 2019 alone—to provide comprehensive data privacy protections to every American.
With so many bills, what's the hold up on getting them passed?
For starters, installing comprehensive data privacy protections is long, complex work—the European Union spent more than five years drafting its own data privacy law, the General Data Protection Regulation (GDPR), and even after the EU approved the law, another two years passed before it took effect. Further, you could say that Congress is a little, um, busy as of late.
Finally, though every bill may focus on data privacy as an end goal, many disagree with how to get there.
One data privacy bill simply aims to stamp out legalese-infused end-user agreements. Another data privacy bill seeks to grant similar protections as those afforded in GDPR, like the rights to access, correct, and delete personal data. One proposal tries to stop invasive online tracking and data-sharing practices. The same proposal argues that dishonest tech CEOs should be jailed. Still more bills offer ideas like data ownership, data valuation, and something called “interoperability,” which, in a perfect world, would let individuals talk to their friends on Facebook without actually needing a Facebook account.
In combing through the many federal and state data privacy bills that emerged this year, we found some similarities. Here is a look at the legislative trends in data privacy for 2019.
Data as property
In November, one Democratic presidential hopeful latched onto a data privacy idea that has been around for at least six years: Paying people for their data.
If data is more valuable than oil, as the candidate said, then shouldn’t the people who produce that data get paid for it? Shouldn’t Americans be compensated for their most valuable asset in today’s data-driven economy?
This is the “data as property” model, and supporters of it argue that, by giving individuals the right to their own data, they can then control how their data is collected, shared, and sold. No more surprise data-sharing between one company and another. No more GPS location data falling into the hands of literal bounty hunters. (Unless, of course, that’s what you want.) And, perhaps most importantly, no more companies making it rich without consumers getting at least a little cut of the profit.
Under a “data as property model,” supporters believe that every day consumers could receive steady, passive income by selling their data on their own terms. Not only that, but data could be sold repeatedly, as it potentially maintains its value even after being sold.
Earlier this year, US Senators Mark Warner of Virginia and Josh Hawley of Missouri hinted at this possible future with their bill, the Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data, or DASHBOARD, Act.
The DASHBOARD Act would require certain companies to assess and disclose the value of users’ data, while also extending data privacy rights to consumers to delete all, or certain fields, of collected data.
But privacy advocates argue that putting a price tag on data—a process that is neither science or art—only normalizes the idea that our data privacy can be bought. Once that type of relationship is codified into law, the potential risks would disproportionately harm low-income, struggling communities, said Chad Marlow, senior advocacy and policy counsel at ACLU.
“If you have parents who are struggling to put food on the table—who are eating bread and drinking water for multiple dinners—and you say ‘I will give you money if you sell your data’ and you don’t even say how much, they will say yes immediately,” Marlow said. “Because they cannot afford to say no.”
This is the “pay-for-privacy” problem. It showed up a few times this year.
In November 2018, Democratic Senator Ron Wyden introduced the “Consumer Data Protection Act,” a draft proposal that would have empowered American consumers to opt-out of having their data shared with multiple third parties. Unfortunately, according to the proposal, that decision could sometimes come with a price.
As Malwarebytes Labs explained earlier this year, this is how proposal would have worked:
“Say a user, Alice, no longer feels comfortable having companies collect, share, and sell her personal information to third parties for the purpose of targeted ads and increased corporate revenue. First, Alice would register with the Federal Trade Commission’s ‘Do Not Track’ website, where she would choose to opt-out of online tracking. Then, online companies with which Alice interacts would be required to check Alice’s ‘Do Not Track’ status.
“If a company sees that Alice has opted out of online tracking, that company is barred from sharing her information with third parties and from following her online to build and sell a profile of her Internet activity. Companies that are run almost entirely on user data—including Facebook, Amazon, Google, Uber, Fitbit, Spotify, and Tinder—would need to heed users’ individual decisions. However, those same companies could present Alice with a difficult choice: She can continue to use their services, free of online tracking, so long as she pays a price.
“This represents a literal price for privacy.”
Nearly one year after Sen. Wyden introduced this draft proposal, he formally introduced the “Mind Your Own Business Act” before the US Senate with many of the same ideas—including the same pay-for-privacy scheme.
The problems with pay-for-privacy schemes are the same with the “data as property” model—the individuals most able to assert their data privacy rights will be those who can literally afford it. If such models move forward, we risk creating a world of the “privacy-have” and “have-nots”—a mirrored image of the already visible socioeconomic striation in America.
These concerns are not hypothetical.
In 2015, AT&T offered a broadband service package with a $30-a-month discount so long as users agreed to have their Internet activity tracked. That type of browsing activity, AT&T said, included “the webpages you visit, the time you spend on each, the links and or ads you see and follow, and the search terms you enter.”
Privacy is a human right, and online privacy should be no exception. That means no commodity pricing, and no selling it to the highest bidder.
Thankfully, at least one state this year passed a law that explicitly forbid pay-for-privacy schemes.
Over the summer this year, the governor of Maine signed into law a bill that prohibits Internet Service Providers from sharing and selling Maine residents’ data without their explicit approval.
The law includes another protection that does not allow ISPs to “charge a customer a penalty or offer a customer a discount based on the customer’s decision to provide or not provide consent” to having their data sold, shared, or accessed by third parties.
Score one for data privacy.
In late October, three US Senators introduced a bill that they believed would increase data privacy by doing something else—increasing competition with Big Tech.
The idea, the Senators argued, was simple: Empower American consumers to leave the platforms that invade their online privacy without losing access to their social networks, where their friends, family, and acquaintances may still reside.
Under the proposal, Americans would enjoy the benefits of data portability—which would enable consumers to pack up their data and take it to another platform—and interoperability—a feature that would potentially allow different chat services to interact with one another. Think of it like Facebook’s massive integration plan announced earlier this year for its chat platforms Messenger, WhatsApp, and Instagram, but for nearly the entire Internet.
As we wrote before about this bill, called the ACCESS Act:
“These rules… would presumably allow Americans to, for example, download all their data from Facebook and move it to privacy-focused social network Ello. Or talk directly to Twitter users while using the San Francisco-based company’s smaller, decentralized competitor, Mastodon. Or even, perhaps, log into their Vimeo account to comment on YouTube videos.”
Responses to the bill were mixed.
Avery Gardiner, senior fellow of competition, data, and power for the Center for Democracy and Technology, lamented the lack of competition facing Big Tech, but she said that data privacy for Americans should come in a data privacy bill, not a competition bill.
Cory Doctorow, a writer, activist, and research affiliate with MIT Media Lab, welcomed the bill because, unlike other efforts in Congress, it did not focus strictly on single bad actors in Big Tech, like Facebook.
“This aims to fix the Internet,” Doctorow said, “so that Facebook’s behavior is no longer so standard.”
What’s next for 2020?
On January 1, 2020, California’s own privacy law, the California Consumer Privacy Act, takes effect. Passed in 2018, the law has survived multiple, legislative attempts to weaken and defang it, and it has inspired similar legislation in other states.
With the law's enormous scope, it will likely serve as a trial run for any federal data privacy bill.
Will companies receive serious fines, or will enforcement be lax? What will the first enforcement action be? What company will it be against? If penalties are severe, at what point will companies bandy together to prevent similar legislation from passing at the federal level? Hint: They're already trying.
None of this is to mention, of course, next year's mindshare-absorbing presidential election, too.
Until then—and after it—Malwarebytes Labs will closely watch this space. We can only predict it will get more interesting, more complex, and more important.