The New York Times recently did a deep dive into the United States’ lack of a national data privacy law and why it matters, and we want to drill down on some key points here.
The article describes the four basic areas of users’ data privacy that should be protected as a minimum, and calls these areas the “floor” of any future national privacy law onto which other protections could be built over time. It shows you the direction in which privacy advocates are heading.
Four basic areas make up the privacy law “floor”:
- Data collection and sharing rights – This is the user’s fundamental right to clearly see what personal data companies collect, share and sell about them; their right to ask a company to delete any personal data they don’t want them to have; and their right to demand a company stop sharing their personal data.
- Opt-in consent – This is where a company, not the user, does the heavy lifting on privacy, by asking the user whether they may collect, share or sell their data to third parties. Opting out takes the user a lot of time and effort; opting in puts that effort on the company. But opt-in isn’t easy to implement, which is why global opt-out functions like the Global Privacy Control are a popular stopgap, even seeming acceptable under the California Consumer Privacy Act. The GPC and other tools like it allow opt out at the browser or device level, not the site level.
- Data minimization – This protection would pare back the data a company can collect to only the basics required for them to deliver their product or service.
- Non-discrimination and no data-use discrimination – The final plank in the basic data privacy “floor” would protect users from being discriminated against for exercising their right to privacy. This means users couldn’t be charged more for opting out (or not opting in) and couldn’t be offered incentives such as discounts and coupons for opting in, for example. This requirement would also prevent companies from discriminating against users based on personal characteristics, such as religion, race or gender.
In addition to this four-plank “floor”, the privacy experts interviewed for the NYT article would like to see:
- a more comprehensive data breach notification law, to standardize who gets notified and some common standards for doing so
- a private right of action or the right of a person to sue a company that violates their privacy
- strong, well-funded enforcement agencies and resources
- privacy by default so apps come with the strictest built-in privacy without the user having to do anything unless they want to opt-in to certain settings.
Anonyome Labs agrees with the four-plank data privacy law “floor” and the regulatory extras proposed by the privacy community in this article. We also recognize that a national privacy law and a uniform approach to these requirements may still be a long way off, which is why we created our consumer privacy app MySudo and the privacy and cybersecurity capabilities in our digital identity protection toolkit that help enterprises rapidly develop and deploy branded privacy and cybersecurity solutions.
Photo By cgstock