Last week I wrote about Data Privacy. The TL;DR version is this:

Malicious uses of data are already covered by existing laws (theft, fraud, libel, etc). Today’s “privacy debate” boils down to whether consumers or companies should have primary control over how consumer data is used for legal purposes (e.g. marketing, notifications, advertising).

In 2012, the Obama administration created a Privacy Bill of Rights to set guidelines for consumer data protections. It included baseline principles for transparency, security, context and accountability. However, a dozen years later, none of these guidelines have been codified in law. The US does not have comprehensive data privacy laws.

Today, I’d like to share my thoughts on what a “Data Bill of Rights” would look like. More than a dozen states have legislated privacy regulations, at times with “bill of rights” type language. The legislation varies significantly state-to-state.

In California, for example, the Consumer Privacy and Privacy Rights Acts have broad protections that apply to all business uses of personal information. California's laws apply to all consumers regardless of residency or citizenship and offer a path for consumers to exercise their rights and file suit for damages in the event of violations.

Florida’s Digital Bill of Rights, by comparison, only applies to businesses operating in Florida that have >$1B in revenue and either make >50% of revenue through advertising or have a smart-speaker product. In other words, Florida’s laws only apply to a small fraction of the largest technology companies and only protect resident citizens of the state. Florida protects industry by making it illegal for consumers to file independent lawsuits for privacy violations; these can only be filed by the government itself.

In short, some states are regulating data protections to protect consumers while other states are regulating protection for industry (disguised politically as being in consumers’ best interests).

I believe a Data Bill of Rights should be consumer-centric. I would include these foundational provisions:

  • A Right to Connect – Broadband should be considered a basic human right, on equal terms with other government-regulated utilities like water and electricity. Without adequate broadband, not all citizens have equal or equitable access to data.
  • A Right to Security – Any entity that houses data must meet minimum requirements for securely storing data. Transport of data (wired or wireless) should follow best practices for encryption and cybersecurity.
  • A Right to Transparency – Consumers should be explicitly informed of what personal data is collected by companies and when it is being collected.
  • A Right to Access – Consumers should be able to review personal data that has been collected and to ensure that any inaccurate information is deleted or corrected.
  • A Right to Control – Consumers shall always have the opportunity to opt out of specific data uses. This includes the ability to deny data collection, data sale or data use by private industry and nonprofit organizations.
  • A Right to Anonymity – Personal data collection and use shall by default be “none”, with consumers opting in to commercial usage. That is, industry defaults should align with strong privacy protection, and consumers control any “weakened” protection by choosing to allow broader use of their personal data.
  • A Right to Remove – Personal data should be deleted when consumers no longer engage with companies (e.g. cancel a subscription) so no repository of old data lives into perpetuity.
  • A Right to Context – Consumers should be informed about how personal data is used, with a clear description whenever that usage is non-obvious. For example, grocery loyalty cards are used by grocers to collect purchase information and process discounts, but most consumers are not aware that most grocers sell that purchase data to health insurers. This needs to be transparent.

Anyone familiar with the General Data Protection Regulation in Europe, or who regularly tracks the privacy space, will see a lot of similarities with other existing and proposed frameworks. There are a few original thoughts here, but much of my thinking is influenced by those regulations and by thought leaders in this space like Jeff Jarvis, author of Public Parts and an advocate for the publicness of data.

The big question for me is how long it will take for the US to finally create federal regulations – and whether those protections will truly be consumer protections like we see in California, or strong business protections like those adopted in Florida. This is an important topic to consider in the 2024 election cycle, and it is really not being covered in the media at all.

I’d love to hear your thoughts. Please join me on Feb. 6 at Raleigh Founded (509 W. North Street, Raleigh) for a State of the Region event where we will discuss how North Carolina and the Triangle are stacking up in the data economy.