The sun may be setting on the old privacy rulebook
Privacy policies have been the standard approach to online privacy for the entire existence of the commercial internet. Now key Democrats are souring on them.
Why it matters: Moving away from relying on the so-called "notice and consent" requirements would be a sea change for users and could put the United States at odds with Europe's sweeping privacy regulation.
How it works: Internet users experience "notice and consent" daily:
- Then they offer their consent by clicking on "I agree," whether they've read the document or not.
Democrats say that system just isn't enough anymore.
- House Energy and Commerce Chairman Rep. Frank Pallone (D-N.J.) said at a hearing last week that we "can no longer rely on a 'notice and consent' system built on such unrealistic and unfair foundations."
- “We need to find solutions that take the burden off the consumer and put some responsibilities on those who want our data,” said Rep. Jan Schakowsky (D-Ill.), who chairs the consumer protection subcommittee of the panel.
Driving the news: Consumers don't read privacy policies before consenting to data collection — yet they're bringing more and more connected devices into their lives.
- "Ten years from now, your toaster’s going to be connected to the internet. Your keys are going to be connected to the internet," said Sen. Brian Schatz (D-Hawaii) at the Commerce Committee hearing. The current system would then leave consumers with "hundreds of microdecisions every day that you’re supposed to achieve informed consent about," he said.
- More than half of American adults usually or always agree to online privacy policies without reading them first, according to a recent Axios-SurveyMonkey poll.
While lawmakers are unlikely to abandon the notice and consent framework entirely, they're saying it needs to be bolstered by more explicit prescriptions for how services can collect, use and store consumer data.
- They could lay out prohibitions in a new law, or give the Federal Trade Commission more authority to make rules and guide them in the direction of the type of conduct they wanted to prohibit.
- Sen. Catherine Cortez Masto (D-Nev.) just introduced a bill requiring the FTC to approve regulations guaranteeing that "data collection, processing, storage, and disclosure practices may not be for purposes that result in discrimination" against an individual based on "race, sex, gender, sexual orientation, nationality, religious belief, or political affiliation."
- Schatz has also proposed a bill that would put new, broad obligations on companies to safely use consumer data, arguing that the current regime doesn't do enough to police the way companies use the data once they've received the consent to collect it.
Yes, but: Some conservatives say lawmakers shouldn't be too prescriptive in regulating privacy, or give regulators new broad authority to make their own rules.
- Europe is also heavily invested in the notice and consent approach, which forms the backbone of the General Data Protection Regulation that went into effect last year and has become the de facto global standard.
What they're saying: "The apparent congressional shift away from notice and consent is important," said Paul Gallant, an analyst at Cowen Washington Research Group who noted the trend in a note last week. "Replacing that with categories of data practices that are simply off limits for companies could be a major change."