This Is Not the Privacy Bill You’re Looking For

Legislators looking for a starting point on data protection legislation should pass on the Uniform Law Commission’s Uniform Personal Data Protection Act (UPDPA). The Uniform Law Commission (ULC) seeks to develop model laws that can be passed by state legislatures across the country to set national standards. Unfortunately, the ULC fumbled its consumer privacy bill and created, in the UPDPA, a model bill that is weak, confusing, and toothless.

Strict data protection legislation must put consumers first. EFF has set its top priorities for data protection laws, which include an unrestricted private right of action that allows people to act as their own data protection officer, and measures that prevent companies from discriminating, by charging more or offering less, against those who wish to protect their privacy by exercising their rights. EFF also advocates an opt-in consent model, in which companies must obtain a person’s permission before collecting, sharing, or selling their data, rather than an opt-out model.

The UPDPA falls short on many of these fronts. And why? Because despite years of evidence that companies will not protect consumer privacy on their own, the UPDPA is deferring to complaints from companies that respecting people’s privacy is a burden. In fact, UPDPA committee chairman Harvey Perlman openly admitted that one of the drafting committee’s main goals was to reduce the cost of compliance.

By lowering its standards to get companies to comply, the UPDPA is blowing consumers off.

By trying to strike a balance in some of the biggest disagreements between consumer advocates and businesses wanting to change their practices as little as possible, the UPDPA has found “compromises” that won’t work for anyone. Company officials find its proposals confusing, as it creates a wider framework for compliance. Consumer advocates find the “protection” in the bill hollow. It’s no surprise that an Oklahoma legislator told the International Association of Privacy Professionals the bill was “blank.” “This bill appears to contain nothing more than an obligation for the data company to provide a voluntary standard of consent,” he said. “In essence, those in control of the data can decide on their policies and procedures. So this law is empty because it says [businesses] have to come up with something to improve data protection, but we’re not telling you exactly what it is.”

Consumer rights, but defined by companies

Basically, the bill depends on whether a company uses your information for purposes that are either “compatible” or “incompatible” with the reasons for which the company originally collected the information. For example, you can allow a company to collect your location information if you want them to do something for you that has to do with your location, such as identifying certain restaurants in your area. This type of guardrail may sound good at first; in fact, it is in line with an important data protection principle – businesses should only use a consumer’s information for the purposes for which the consumer originally gave consent. However, the UPDPA undermines the meaning of “compatible purpose” – it does not offer any real protection to ordinary people.

First, individuals have no control over whether the purposes for which companies ultimately use their data are “compatible” with the original purpose of collection, so that definition is left up to companies alone. This gives a company a lot of leeway to process people’s information for any reason consistent with the reason it was collected. That could involve processing that a person does not want at all. For example, if the company that collects your location information to inform you about restaurants nearby decides to also use this data to track your regular travel behavior, it could unilaterally classify this new use as supposedly “compatible” with the original use, without asking you to approve it.

The UPDPA also defines targeted advertising as a “compatible purpose” that does not require additional consent – although targeted advertising is one of the most derided uses of personal information. In fact, when consumers have a choice, the overwhelming majority of them choose not to participate in advertisements that track their behavior. This twists ideas about privacy protection and lets unwanted invasion of privacy slip under the lowest bar.

In addition, if a business uses a consumer’s data for an incompatible purpose, the bill only requires the business to inform the consumer about it and give them the option to opt out. In other words, if a weather app had your permission to collect your location information for locally accurate forecasts, but then shared it with a number of advertisers, it wouldn’t have to ask for your permission first. It would just have to give you an early warning that “we share with advertisers” and the option to opt out – likely in a Terms and Conditions update that no one ever reads.

Other rights in this draft law, including those supported by the EFF, such as the right to access one’s own data and the right to have that data rectified, are severely restricted. For example, the bill allows companies to ignore requests for corrections that they consider “inaccurate, unreasonable or excessive”. They can decide which requests meet these criteria without giving a reason. That gives companies far too much leeway to ignore what their customers want. The law gives consumers the right to access their data, but not the right to a machine-readable electronic copy – which is often referred to as the right to data portability.

The UPDPA also falls short on one of the EFF’s most important data protection principles: ensuring that consumers are not punished for exercising their data protection rights. Even in cases where the bill requires a company to obtain permission to use data for an “incompatible data practice”, companies can offer a “premium or discount” in exchange for that permission. In other words, you can only have your human right to privacy if you are willing and able to pay for it.

As we said earlier, this type of practice frames our privacy as a commodity that can be traded away rather than a fundamental right to be protected. This is wrong. Someone who values privacy but is struggling to make ends meet will feel pressured to give up their rights for a very small gain – maybe $29 off a monthly phone bill. Data protection legislation should rebalance power in favor of consumers, rather than resorting to a bad system of corporate superiority.

The UPDPA has large blind spots …

The UPDPA also does not address how data flows between private companies and the government. It’s not alone: While the European General Data Protection Regulation (GDPR) encompasses both government and private institutions, many federal data protection laws in the US focus only on one or the other.

However, there is a growing need to deal with the way data flows from private entities to the government, and the UPDPA largely ignores this threat. For example, the bill regards data as “publicly available” – and therefore exempt from protection – if it is “observable from a publicly accessible location”. This seems to exempt, for example, footage from Ring cameras that people put on their doors and that document what is happening on adjacent public sidewalks. Information from Ring and other private cameras needs to be protected, especially from indiscriminate disclosure to law enforcement agencies. This is another example of how model legislation ignores pressing privacy concerns.

The definition of publicly available information would also appear to completely exclude information posted on restricted social media sites such as Facebook – including from requirements to comply with privacy policies or security practices. In particular, the UPDPA exempts “a website or other forum with restricted access if the information is available to a wide audience”. This is way too broad and deliberately ignores the way private companies feed information from social media and other businesses into the hands of government agencies.

… and no teeth

Finally, the UPDPA has huge gaps in its enforcement provisions. Privacy laws are only as good as their teeth. That means strong public enforcement and a strong private right to sue. This bill has neither.

The worst thing is that it specifically does not create a private right to sue and discourages people from the most obvious way to defend themselves against a company that is abusing their privacy: a lawsuit. Many privacy laws include a private right of action, including federal laws on wiretapping, stored electronic communications, video rentals, driver’s licenses, credit reports, and cable subscriptions. This also applies to many other types of public protection laws, including federal laws on clean water, discrimination in the workplace, and access to public records. There is no reason why consumer privacy should be any different.

By denying people this obvious and powerful tool to enforce the few safeguards they receive in this act, the UPDPA fails the most important test.

While the attorneys general have the authority to enforce the law, they have wide discretion not to enforce it. That is too big a risk to take with privacy. Attorneys general may be understaffed or subject to regulatory requirements – in these cases consumers have no legal remedy for violations of the few privacy protections this law provides.

Do not duplicate this bill

While the UPDPA wrestles with many of the most controversial discussions in data protection legislation today, it provides a meaningful solution to none of them. The privacy problems common people face – invasive data collection, poor control over the use of their information, no clear means to fight for themselves – that put privacy first, are grossly missed. Legislators, at the federal or state level, shouldn’t duplicate this hollow bill and lower the bar on privacy.
