So I was intrigued when Sen. Sherrod Brown (D-Ohio) called me recently to say he wants lawmakers to stop pretending like we do. “Nobody reads the small print,” he said. “You end up giving up far too much data.”
Congress has been debating a consumer privacy law since before there were Web browsers, but the United States still doesn’t have one. On Thursday, Brown broke with nearly every past proposal from Democrats and Republicans alike to suggest a more radical idea: allowing companies to take our data only when it’s “strictly necessary.”
For an Internet economy built in part on tracking people, that’s nothing short of a call for revolution. Brown’s new Data Accountability and Transparency Act, released in discussion draft form, would prohibit most collection and sharing of personal data as its starting point. Data could only be used in ways stipulated in the law, such as providing a service you asked for — and no more.
It could mean fewer companies selling your personal information, but also possibly fewer free apps and services.
“It shifts the burden from consumers,” Brown said. It would no longer be on you to read privacy policies to figure out what else is really going on. The reset, Brown said, would also compel companies to figure out business models that don’t depend on surveilling consumers or emphasize collecting only anonymized data.
“We just failed to establish clear rules about corporations using big data to dig into our private lives, and those days should be behind us,” Brown said.
Now for a reality check: Congress has been unable to reach a consensus about a privacy law for decades, and there are at least six other major privacy proposals pending. Chances are slim to none that Brown’s proposal, called DATA in shorthand, could pass this year in a Republican-controlled Senate. Brown, who is the leading Democrat on the Banking Committee, doesn’t yet have other members of his party on board. And I can only imagine the furor it will generate in Silicon Valley.
But that doesn’t change the potential impact of a senator leading the debate on privacy into uncharted territory. It’s an acknowledgment of how bad the Internet data grab has gotten for consumers, and it puts the target directly on tech companies that make money by mining our digital lives.
Many Americans are disillusioned with the status quo. Nearly 7 in 10 say they’re not confident that companies use personal data in ways they’re comfortable with, according to Pew Research — about the same number who admit they never or only sometimes read privacy policies.
“This is the only way forward,” said Frank Pasquale, a professor at the University of Maryland School of Law who was briefed on the proposal. “Rather than saying, ‘Everything is permitted, and we’ll try to legislate against certain things,’ it goes in the opposite direction.”
Brown, who describes himself as “not even close to a techie,” says his idea to take a different swipe at privacy occurred to him after the massive Equifax data breach in 2017. “Most of America didn’t know what Equifax was,” he said, “and they didn’t know the company had their information.”
The idea behind Brown’s bill, which applies to businesses and government alike, isn’t entirely new. He modeled it on the Fair Credit Reporting Act of 1970, which takes the burden off consumers to protect some of their financial data by limiting the collection and sharing of it to “permissible purposes” laid out in the law.
But applying that principle across the many uses for online data is a much bigger challenge. Permitted uses in the new bill include: providing a good or service explicitly requested by an individual, as well as for purposes of journalism, employment and research. Not permitted: using data for alternate purposes, holding onto it longer than necessary to carry out the original purpose, or sharing it unless that’s needed for the original purpose.
To date, much of the wrangling about general privacy legislation in Congress has focused on such details as whether citizens should have a right to sue and whether federal legislation would preempt more aggressive state laws. (Brown’s proposal sides with other Democrats on all those issues.)
But most of the other bills double down on what’s called the “consent” or “notice and choice” model, where consumers are expected to decide to permit — or forbid — use of their data. California’s privacy act, the most aggressive to actually become law, requires consumers to go to each business separately to request to not have their data sold.
This consent idea grew out of the drive to “create accountability when there were no rules,” said Jessica Rich, the former director of the Federal Trade Commission’s Bureau of Consumer Protection, who hadn’t been briefed on Brown’s proposal. A privacy policy is like a contract, so consumers could vote with their feet if they didn’t like it — and companies can be punished for violating their own terms.
But the consent model has been broken for a long time, said Rich. “It’s gotten much more complicated, and consumers can’t possibly read hundreds of privacy policies with long legalese,” she said. So then why do all our privacy proposals still revolve around that idea?
Brown’s bill “is a new and welcome paradigm,” said U.S. Public Interest Research Group senior director Ed Mierzwinski, who was briefed on the proposal. “This is the first bill that recognizes consumers can’t control the use of their information.”
Silicon Valley is likely to have a lot of problems with that. I called up Daniel Castro, a vice president at the Information Technology and Innovation Foundation, to see what he thought about the idea of switching away from a consent model to one that stipulates permitted uses for data.
The problem, Castro said, is determining how much to allow. “There’s so much gray area,” he said. “No matter where you draw that line, you’re going to have very dissatisfied consumers.”
Brown’s bill proposes a new federal Data Accountability and Transparency Agency to enforce the law and help make rules as new issues arise.
There are economic questions, too. Brown doesn’t hide that one goal of his bill is to disrupt the business models of targeted advertising firms. Under the structure of the law, it would be impossible for companies to use Web cookies and other trackers to create profiles of your interests, shopping habits and political preferences and then use them to pitch ads back at you.
But banning that industry could create many waves. Targeted advertising, said Castro, has been good for lots of small businesses to find customers interested in their products.
Targeted ads also help pay for many free websites, news sources, apps and services that consumers like. Would Americans lose access to all of that?
“I don’t buy that for a minute,” said Brown. “Plenty of business and advertising models don’t rely on intrusive tracking.”
He wants to give companies an incentive to explore other models, earning money from contextual (rather than targeted) advertising, subscription or e-commerce.
It’s not clear what impact Brown’s bill would have on the biggest players in the personal-data industry, Facebook and Google. We give Facebook our data to share posts and photos with friends — not to data-mine our lives to target us with ads. And by the strict language of Brown’s bill, data can’t be used for other purposes.
But ads in Google’s search engine results might be permitted, since they’re mostly contextual — based on the contents of the search — rather than targeted to a person’s broader interests and behaviors.
Brown said he hopes his proposal could be in final shape by early next year, but acknowledges even then he would likely need a new Senate and president for it to become law. “We want to get this out there so people really start thinking about this,” he said.
Given that there are zero laws covering many data uses right now, an “ideal law” may not be so different from “a law that can pass,” said Rich, who is now a distinguished fellow at Georgetown University. “Privacy is a complex issue, and we can’t let the perfect be the enemy of the (very) good.”