The Jan. 6 editorial “Our broken privacy regime” made a good case for updating privacy laws in the United States. The system is clearly not working. Data breaches are on the rise. Foreign adversaries target the personal data of U.S. consumers stored by U.S. companies. And current privacy laws do an excellent job with privacy concerns from the 1990s — junk faxes and auto dialers — but address current problems such as consumer profiling and location tracking not at all. Meanwhile, several states, notably California, and the European Union are developing innovative solutions to emerging challenges.
Privacy advocates never favored “notice and consent.” Notice may work with nutritional labels and gas mileage, but not for privacy protection. Even when consumers take the time to make privacy choices, they are disregarded by companies and violations are ignored. That was obvious after the Federal Trade Commission allowed Facebook to access the personal data of WhatsApp users. Significantly, the administration has proposed an outcomes-oriented approach that could help establish meaningful safeguards. Privacy is a bipartisan issue, and updates to U.S. law are long overdue.
Marc Rotenberg, Washington
The writer is president of the Electronic Privacy Information Center.
The Jan. 6 editorial “Our broken privacy regime” correctly noted the inadequacies of our current approach to safeguarding individual privacy on the Internet. The solution might be simpler than many think: Section 5 of the Federal Trade Commission Act already prohibits “unfair” business practices. According to this standard, a practice is unfair if it causes injuries that are not reasonably avoidable by consumers. The FTC should better operationalize this principle to bring privacy protections more in line with the prevailing approaches to risk management used in other industries.
We should turn to the product-safety regime tool of strict liability for the consequences that arise from the misuse of our personal information, even where intent to harm does not exist. There is a need for formal regulatory guidelines on how to calculate the value of our personal information, the harm that arises from its improper disclosure and how such harm can be proved. These are difficult questions, but, for the most part, they can be answered.
Ayden Férdeline, Berlin
The writer is a fellow at the Mozilla Foundation.