Representatives from some of Facebook’s fellow top technology and communications firms testified Tuesday before a Senate committee, where the companies claimed they are ready and willing to be regulated. This is not as surprising as it may sound. The increased appetite for federal privacy legislation comes months after California passed its own data protection law. Working with Congress may help firms preempt state action with rules that are friendlier to industry.
There’s good reason for Congress to act. Addressing privacy in the digital age will involve much more than increased security and notification requirements for breaches such as the one Facebook disclosed Friday, though both are crucial. Leaving the issue to states could lead to a confusing patchwork of regulations; in many cases, conforming to one locality’s laws might put a firm on the wrong side of another’s. But if Congress does take on data protection, it must make sure its regime is more than a get-out-of-jail-free card for companies seeking to avoid stricter regulation.
The principle that must undergird any framework is relatively straightforward: Consumers should have more control over how companies collect, use, share and sell their data. How to put that principle into practice is not straightforward at all.
To start, lawmakers must establish a definition of “personal information” that encompasses users’ characteristics and the inferences companies draw from their behavior online. Legislators must also decide whether consumers consent to the collection and sale of their data on an opt-out or opt-in basis, perhaps differentiating based on the sensitivity of the information. They must mandate that consent be meaningful: Companies should tell consumers clearly and concisely what data they are gathering for what purpose — and then use it for the purpose they promised.
All the while, lawmakers must make their standards and definitions as clear and simple as possible for companies to comply with. They should be mindful that regulation can often serve to entrench the most powerful firms, at the expense of innovative start-ups. And they must give the Federal Communications Commission and the Federal Trade Commission the resources and authority to implement the rules.
Building a robust Internet privacy regime from scratch is not easy. Doing it right will require aid from subject experts — perhaps in the form of an authorized commission — as well as the participation of consumer advocates, who were not included in Tuesday’s hearing. Doing it wrong would leave the millions of Americans who use the Internet every day at risk.