Lack of digital governance rules leaves consumer privacy at risk

Consumer data usage in the U.S. is currently governed by a patchwork of privacy legislation that can't keep up with the digital marketplace and leaves consumers at risk. A consumer bill of rights could be the first step to address this problem.

The prevalence of big data analytics in today's digital marketplace has led to increased instances of customers' personal and sensitive data being used for business gain. Educating customers on what exactly is being done with their data and giving them control over how it's used is crucial to addressing this potential abuse of their information, said panelists at a recent consumer data privacy forum hosted by the Massachusetts Attorney General at MIT.

Currently, companies are not holding up their end of the data use transparency bargain, the panelists added.

"The consent-and-disclosure process is, if not irretrievably broken, has a lot of flaws that we think a lot about within the competition for trust," said panelist John Doherty, vice president of state policy and politics and general counsel at TechNet, a technology policy lobbying organization.

Doherty, along with other panelists that included lawyers and lawmakers, agreed that the major reason many companies are not able to provide adequate transparency to their customers is the lack of broad, comprehensive privacy legislation that provides digital governance guidance at the federal level.

"Laws and regulations definitely are an important framework for setting ground rules that everyone lives by," Doherty said.

Developing these rules is a complex process, however: It calls for a balance between preventing bad actors and enabling technological progress and innovation. In reality, policymakers are far from achieving this balance.

Challenges of digital governance rules

Currently, the collection and use of consumer data is regulated by a patchwork of digital governance rules that address specific sectors: HIPAA for health information, the Gramm-Leach-Bliley Act for financial data and FERPA for student records, for example.

"Even those bills that are meant to be comprehensive aren't comprehensive. They end up with exclusions: 'We're going to exempt this industry' and 'We're going to take this out,'" added Doherty, who had a three-year stint working at health insurer UnitedHealth Group before he went to TechNet.

Furthermore, this piecemeal approach to legislation is a "losing proposition" that is already lagging behind the fast pace of the Internet, said Cameron Kerry, a distinguished visiting fellow at the Brookings Institution Governance Studies Program and Center for Technology and Innovation.

"Data is moving too fast, the volume of data is growing too fast, and the uses of data are growing too fast," he added.

Exacerbating these privacy legislation gaps is a lack of transparency for consumers, according to Persis Yu, staff attorney at the National Consumer Law Center. She said that while some technology companies, such as Google and Facebook, are relatively transparent about their data collection practices, there are "layers and layers" of unknown third-party data brokers that use data algorithms in ways consumers are not aware of.

For example, Yu has seen low-income student loan borrowers receive emails from loan companies offering services that detail the exact amount of debt the borrowers have. This leaves the borrowers confused as to how these companies obtained that data in the first place.

These practices common among data brokers need to be addressed by policymakers as they develop and improve privacy legislation, Yu said.

"They need to ask, 'What information is so important that it's not right for people to [use it]? Does medical data, for example, rise to that level?'" she said.

Consumer privacy bill of rights

The panelists agreed that the ideal way to tackle these policy challenges is to take them to the federal level. That way, companies can consult a comprehensive set of rules instead of having to navigate several pieces of privacy legislation that vary by sector.

One way to meet this end is to create a broad Consumer Privacy Bill of Rights, although its purpose would not be to dictate once and for all what behavior is acceptable and what isn't, said Quentin Palfrey, who was senior advisor for jobs and competitiveness at the White House Office of Science and Technology Policy from 2011 to 2013. "The Internet moves too quickly to regulate privacy in a command-and-control kind of a way," he said.

Rather, this bill of rights would lay out a set of principles and expectations that companies can consult and law enforcement agencies can use to conduct regulatory activities. Furthermore, a multi-stakeholder process in which business and advocacy groups have open dialogue with consumers to work out safe harbors will be necessary to drive those principles home, Palfrey said.

Sidley Austin's Kerry agreed that the broad and principled approach of a consumer bill of rights is the best way to improve privacy legislation so it can catch up to advancements in big data analytics.

"We need to be a broad and principled space. If you try to be too prescriptive, you end up being over- or under-implicit, and you end up dating yourself very quickly," he said, adding that privacy legislation needs a broader focus simply because almost any piece of data can be used to identify a consumer and learn various aspects about them.

The fragmented approach to U.S. privacy legislation is also problematic for global companies whose data flows across the Atlantic. While it is important to govern that data, it also needs to be interoperable.

"Anytime you erect walls around data -- saying 'data has to be kept here,' which is what other countries are doing -- or you impose regulations around that data," those regulations need to be consistent to ensure that the data can flow between countries, Kerry said.

But both Kerry and Palfrey believe that while the federal government is in the ideal position to lay out these comprehensive privacy rules, Congress will move too slowly and put consumers in a vulnerable position.

"That leaves us with a world in which consumers face uncertainty about how their data is going to be protected," Palfrey said.

This is where state legislatures need to step in and start laying the foundation for comprehensive digital governance rules to protect consumer privacy, the panelists said.

For example, one state could start with "the state attorney general [calling] on legislative bodies to put in place something like a consumer privacy bill of rights; it would be preferable for that to happen on the congressional level, but I do think state legislatures could take a chunk of that and start laying some of the rules of the road down," Palfrey said.

In part two of this feature, read about how states can help fill the current gaps in consumer privacy legislation.
