Multiple pending federal bills seek to address online data privacy concerns, asking businesses to provide better safeguards and data sharing options for consumers.
In today’s digital economy, you end up sharing your credit card information on various websites and apps.
But how private is your personal data? Considering all the recent data breach scandals, it seems there should be adequate protections in place for the privacy and security of the data you share online.
According to a statement put out by a group of advocate organizations, including U.S. Public Interest Research Group (U.S. P.I.R.G.), “The United States confronts a crisis. Digital giants invade our private lives, spy on our families, and gather our most intimate facts for profit. Bad actors, foreign and domestic, target the personal data gathered by U.S. firms, including our bank details, email messages, and Social Security numbers.
“Our privacy laws are decades out of date. We must update federal laws and create a data protection agency specifically tasked with safeguarding the privacy of Americans.”
Various pending federal bills aim to provide data privacy and security protections. States have also gotten into the act, with California, most notably, set to enact its California Consumer Privacy Act in 2020.
A hodgepodge of legislative efforts
The pending federal legislative efforts include the Data Privacy Act, the Information Transparency and Personal Data Control Act, the Social Media Privacy Protection and Consumer Rights Act, the American Data Dissemination Act, the Privacy Bill of Rights Act, the Balancing the Rights of Web Surfers Act and the Do Not Track Act.
Some themes that emerge in these varied efforts include:
- Requiring businesses that collect consumer data to allow consumers to opt in and opt out of such efforts.
- Asking businesses to provide information on what sort of privacy protections they have.
- Creation of a role for a “privacy protection officer.”
- Setting up of privacy audits.
- Mandating that businesses notify users of any violation of privacy within 72 hours of occurrence.
- Forbidding websites from tracking consumers if they receive a “do not track” signal.
Are these ample protections?
The question remains whether such measures are really up to the task.
“Following implementation of the European General Data Protection Regulation (GDPR) and passage of the California Consumer Privacy Act, powerful special interests amped up their Washington lobby machine to demand preemption of all state privacy laws,” Ed Mierzwinski, senior director at U.S. P.I.R.G., said in an email.
“They knew they’d need to accept a modest federal framework but were OK with that if it would allow them all to continue business as usual. They hadn’t wanted a national privacy law until they realized that numerous states were engaged in protecting their citizens.”
U.S. P.I.R.G. and the other advocacy organizations would like the federal government to set up a data protection agency that has adequate resources and power to make and enforce rules, considering that the Federal Trade Commission doesn’t have the teeth to do the latter.
They also want more accountability for algorithms that the technology firms use to make decisions, with the input of consumer data. Algorithms should be transparent, so that they can be accountable, according to these advocates.
They would also like the government to withhold a go-ahead for mergers that fail to protect consumer privacy. And they advocate for limiting government access to bulk personal data held by corporations, for matters such as law enforcement.
Sean O’Brien, founder of the Yale Privacy Lab (and a lecturer in cybersecurity at Yale Law School), is also skeptical about whether current legislative efforts go far enough.
“Current legislative efforts in the U.S. – and, arguably, GDPR – offer way too much leeway to deceive and divert users into giving consent they would otherwise not offer,” O’Brien said in an email. “The dismal fate of ‘do not track’ initiatives in the U.S. should serve as a warning for anyone who believes that opt-out mechanisms will be respected by powerful actors.”
Legislation cannot override human motivations
Even if strong data privacy legislation is enacted it could end up being thwarted by corporate motivations.
“It is important for consumers to understand how and to what extent the companies they engage with value their privacy and data,” said Eva Velasquez, CEO of the Identity Theft Resource Center. “It is also important for companies to realize that robust privacy frameworks have positive effects in the security space.”
There have been various breaches of privacy at Facebook, for instance.
O’Brien pointed out, “We have regularly seen that companies like Facebook do not respect privacy internally. Facebook’s day-to-day practice makes a mockery of their internal policies.” This comes about as Facebook’s entire business model is based on gathering and analyzing consumer data to generate advertising revenue.
After reaching an agreement related to privacy protections with the FTC earlier this year, which involved the payment of a $5 billion fine, Facebook CEO Mark Zuckerberg said, “The accountability required by this agreement surpasses current U.S. law and we hope will be a model for the industry. It introduces more stringent processes to identify privacy risks, more documentation of those risks and more sweeping measures to ensure that we meet these new requirements.”
Legislative measures may also not be able to stand up to the determination of hackers and other criminals. Large repositories of data, such as Equifax’s, will always tantalize cybercriminals.
“Bank robbers rob banks because there’s a lot of money in one place, and data bandits rob data stockpiles because there’s a lot of data in one place,” O’Brien said.
And as technology keeps developing, it becomes more difficult for people to stay on top of it. For instance, Capital One, tripped up in a major data breach incident, stored its data in a remote Amazon cloud.
“Capital One was one of the first major financial institutions to use Amazon Web Services,” said Paul Stephens, director of policy and advocacy at the nonprofit Privacy Rights Clearinghouse. “It probably was not a good idea because it doesn’t sound like they were ready to use the cloud for this kind of sensitive data. Amazon portrays the cloud as being safe, and it can be safe, but you have to know how to configure things.”
Lobbying efforts will shape legislative outcomes
Considering that today’s legislative proposals are a step in the right direction, even if they are not fully up to the task, what are their prospects for enactment?
Mierzwinski noted that the lobbying for a federal privacy law is being spearheaded, in addition to banks, by big technology companies such as Facebook and Google, digital advertising firms, phone companies and cable companies.
“Their plan to jam an industry-friendly bill through the Republican-controlled Senate by early this year and force it on the House is now in disarray,” he said. “For years, the banks have tried to pass a weak and preemptive federal data breach law but have never gained traction, since their preferred bill punished Walmart and other retailers but didn’t actually affect the banks.
“With Capital One following on the Equifax breach settlement, the banks and financial industry will again be demanding action.”
O’Brien also points to the lobbying efforts.
“U.S. federal regulation can only take shape after the big tech giants negotiate and decide what they will allow politicians to pass and what they will lobby against,” he said. “Google and Facebook have strong lobbying arms that could stop federal privacy regulation altogether, but they also have an incentive for federal regulation.”
These firms would like to help shape the laws for their own benefit, so that it can look like they are playing by the rules and avoid the headline risks that can hurt their brand value, he noted.
FDATA North America, an association of financial technology firms, said in emailed comments that consumers should have the legal right to share their financial data with preferred third parties, such as fintech firms, so that they can receive a service from them.
“Though data sharing already occurs in the United States financial marketplace today, it simply happens without comprehensive oversight or policy standards, which limits consumer choice and results in disparate consumer outcomes,” the organization said.
At the end of the day, Stephens noted, “Technology is always going to be light years ahead of any legislation that attempts to address it. And so anytime you are looking for a legislative solution to a technology problem, knowing the way that legislatures work, there is always going to be a long time lag in addressing it.”
Safe practices for online data privacy and security
- Use a credit card, rather than a debit card. A fraudster can empty a checking account connected to a debit card, leaving you short of money while your bank investigates the matter. But most major credit cards offer zero fraud liability as a benefit.
- Obtain a surrogate card number that doesn’t expose your real number to hackers and vendors online.
- Watch out for nonsecure websites (those without an https address).
- Make sure you are dealing with a legitimate retailer rather than a fly-by-night operator.
- Don’t fall for phishing emails.
- Watch out for sketchy and mismatched domains and email addresses.
- To strengthen a password, use a song lyric you are likely to remember, throwing in upper and lower case letters, numbers and symbols. A password key ring or vault, as well as full-disk encryption of devices, could also help.
- Consider getting a password manager, such as Keeper, LastPass or Password Boss.
- Use an ad blocker in your web browser.
- Instead of big-tech services, consider alternatives based on free and open-source software.