Following two days of often contentious exchanges between members of Congress and Facebook CEO Mark Zuckerberg this week, the focus in Washington and Silicon Valley has shifted from how Facebook plans to change its data practices to how to implement some of those plans.
The company has already taken steps to streamline its disclosure and privacy policies to give its 2 billion monthly active users more control over their data and limit the sharing of that information with third parties.
However, officials in Washington also have begun to roll out legislation designed to give consumers more power over what Facebook and other companies can do with their personal information.
Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., this week introduced the “CONSENT (Consumer Online Notification for Stopping Edge Provider Network Transgressions) Act,” a bill that would require the Federal Trade Commission to establish consumer privacy protections on edge providers like Facebook, Google, and similar firms.
If it became law, it would require edge providers to inform users of data collection and sharing policies, as well as notify them of data breaches, and it would require opt-in permission to share or sell users’ personal data. It also would require the providers to maintain “reasonable” data security.
Rep. Marsha Blackburn, R-Tenn., has dusted off the “Browser (Balancing the Rights of Web Surfers Equally and Responsibly) Act,” a 2017 bill that would provide Internet users more protections. The proposal has gained support following the Zuckerberg hearings, she said.
Hot Topic, Short Window
There are a few factors that may prevent new legislation from being passed in the wake of the Cambridge Analytica data scandal, noted Allie Bohm, policy counsel at Public Knowledge.
Among them are the looming midterm elections, the short time remaining in the current congressional session, and the lack of good existing legislation as opposed to bills that would need to be written from scratch.
On the other hand, this may be the best time for the tech industry to get something passed, Bohm pointed out, and doing so could help Silicon Valley’s financial prospects.
“Having some sensible consumer regulation may help consumer confidence and save their bottom line,” she said.
The data privacy issue has been front and center for the last several weeks, and in the Trump era it’s rare for any single legislative issue to remain on the front burner that long, Bohm remarked.
Public Knowledge has urged lawmakers to focus on three areas:
- The bill must provide for meaningful notice and consent from customers, meaning the new privacy language should not be buried on page 39 of a 40-page document, where few would see it.
- The bill must provide for strong data security involving all the entities that use consumer data. Whether someone is buying a house, looking for a job, or renting an apartment, all of the data must be secure.
- Consumers must have meaningful recourse, in particular, removing language calling for mandatory arbitration to settle disputes. For many consumers, the cost of legal fees might outweigh any settlement they could get. There also should be a provision for liquidated damages.
At the state level, the “California Consumer Privacy Act,” a ballot initiative, has gained renewed traction after Facebook pulled its official opposition.
The bill has three main elements, according to Rick Arney, independent chairman of the Lending Club Fund Governance Board, who co-authored the measure:
- Consumers would gain the right to find out what kind of data a large company had about them;
- Consumers would have the right to tell that company to stop collecting their personal data and
- Consumers could hold companies accountable if their data were compromised in a cyber breach.
“The whole reason why we put this initiative together is that significant abuses are happening with data,” Arney told the E-Commerce Times.
Backers have nearly all the signatures they need to get the initiative on the ballot this fall, he said.
Facebook has pulled out of the Committee to Protect California Jobs, an organization created to oppose the initiative, Facebook spokesperson Andy Stone confirmed.
Committee members include Google, Verizon, Comcast, and AT&T. Facebook and Google each contributed US$200,000 to the group, according to government filings.
Facebook withdrew from the committee “in order to focus our efforts on supporting reasonable privacy measures in California,” Stone told the E-Commerce Times.
Zuckerberg emphasized that commitment in his responses to lawmakers this week on Facebook’s plans for compliance with Europe’s General Data Privacy Regulation and the company’s overall support for data privacy regulations, Stone pointed out.
With regard to the numerous questions that Zuckerberg promised Facebook’s staff would research, Stone said that the official committee records will be held open so that legislators can ask additional questions. The House committee record will be open for an additional 10 days, and the joint Senate committees’ record will be open for another 14 days. The committees then will give Facebook time to respond to members’ questions.
Some movement toward increased data protection is likely to come in the U.S. following the Cambridge Analytica data scandal, but implementation probably will stop short of the levels new European laws will provide, suggested Rick Edmonds, media business analyst at Poynter.
“A likely result is for Facebook to continue the current series of measures to address the issue,” he told the E-Commerce Times.
That may be easier than trying to frame a solution in new legislation of FCC/Commerce regulations, he added.
Digital privacy is a complicated issue that will require complex legislation, remarked Andrew Howard, chief technology officer at Kudelski Security.
The European General Data Privacy Regulation is the first attempt to guarantee privacy rights at scale, he told the E-Commerce Times, and it’s unlikely the U.S. will follow suit in the near term.
“While there is a lot of noise currently in the U.S. Congress about data privacy, action is unlikely in the near future,” Howard said. “Americans, especially younger generations, are generally more comfortable with the privacy versus usability tradeoff.”
It will take time to determine whether the GDPR actually works, he added, noting the irony that most of the big tech companies will have to comply with these regulations anyway, as they conduct a large percentage of their business in Europe.
The real question at the center of this debate is about consent, maintained Jason Hart, CTO at Gemalto.
“Click blindness” is very common, he told the E-Commerce Times. In order to access a service, users give immediate consent to share information without reading or understanding what they’re permitting, and their data then is used for market research or advertising, or just sold for profit.
“Should we apply a standard of ownership to the information we share online, “Hart wondered, “similar to that which is established by our laws on plagiarism or copyright infringement?”