My college economics professor, Dr. Charles Britton, often said, “There’s no such thing as a free lunch.” The common principle known as TINSTAFL implies that even if something appears to be free, there is always a cost to someone, even if it is not the individual receiving the benefit.
For decades, the ad-supported ecosystem enjoyed much more than a proverbial free lunch. Brands, technology providers, publishers and platforms successfully transformed data provided by individuals into massive revenue gains, creating some of the world’s most profitable corporations. So if TINSTAFL is correct, what is the true cost of monetizing this data? Consumer trust, as it turns out.
Studies overwhelmingly demonstrate that the majority of people believe data collection and data use lack the necessary transparency and control. After a few highly publicized data breaches brought a spotlight on the lack of appropriate governance and regulation, people began to voice concerns that companies had operated with too little oversight for far too long, and unfairly benefited from the data individuals provided.
With increased attention, momentum and legislative activity in multiple individual states, we have never been in a better position to pass a federal data privacy law that can rebalance the system and set standards that rebuild trust with the people providing the data.
Over the last two decades, we’ve seen that individuals benefit from regulated use of data. The competitiveness of the banking markets is partly a result of laws around the collection and use of data for credit decisions. In exchange for data collection and use, individuals now have the ability to go online and get a home loan or buy a car with instant credit. A federal law would strengthen the value exchange and provide rules for companies around the collection and utilization of data, as well as establish consistency and uniformity, which can create a truly national market.
In order to close the gap and pass a law that properly balances the interests of people, society and commerce, the business sector must first unify on the need and the current political reality. Most already agree that a federal law should be preemptive of state laws, and many voices with legitimate differences of opinion have come a long way toward a consensus. Further unification on the following three assertions could help achieve bipartisan support:
A federal law must recognize that one size does not fit all. While some common sense privacy accountability requirements should be universal, a blanket approach for accountability practices is unrealistic. Larger enterprises with significant amounts of data on hand should have stricter requirements than other entities and be required to appoint a Data Ethics Officer and document privacy compliance processes and privacy reviews.
They should be required to regularly perform internal and external audits of data collection and use. These audits should be officer-certified and filed with a regulator. While larger companies are equipped to absorb this burden, smaller businesses should not be forced to forego using the data they need to innovate and thrive by imposing the same standards. Instead, requirements for accountability should be “right-sized,” and based on the amount and type of data collected and its intended use.
A federal law must properly empower the designated regulatory authority. The stated mission of the Federal Trade Commission is to protect American consumers. As the government agency of record for data privacy regulation and enforcement, the FTC has already imposed billions of dollars in penalties for privacy violations. However, in a modern world where every company collects and uses data, the FTC cannot credibly monitor or enforce federal regulation without substantially increasing funding and staffing.
With increased authority, equipped with skilled teams to diligently monitor those companies with the most consumer data, the FTC — with State Attorney Generals designated as back-ups — can hold them accountable by imposing meaningful remedial actions and fines.
A federal law must acknowledge that properly crafted private right-to-action is appropriate and necessary. The earlier points build an effective foundation for the protection of people’s privacy rights, but there will still be situations where a person should have access to the judicial system to seek redress. Certainly, if a business does not honor the data rights of an individual as defined by federal law, people should have the right to bring an action for equitable relief. If a person has suffered actual physical or significant economic harm directly caused by violation of a Federal Data Privacy law, they should be able to bring suit if, after giving notice, the FTC declines to pursue.
Too many leaders have been unwilling to venture toward possible common ground, but public opinion dictates that more must be done, otherwise states, counties, parishes and cities will inevitably continue to act if Congress does not. It is just as certain that those data privacy laws will be inconsistent, creating a patchwork of rules based on geography, leading to unnecessary friction and complexity. Consider how much time is spent sorting through the 50 discrete data breach laws that exist today, an expense that could easily be mitigated with a single national standard.
It is clear that responsible availability of data is critical to fostering innovation. American technology has led the world into this new data-driven era, and it’s time for our laws to catch up.
To drive economic growth and benefit all Americans, we need to properly balance the interests of people, society at-large and business, and pass a data law that levels the playing field and allows American enterprise to continue thinking with data. It should ensure that transparency and accountability are fostered and enforced and help rebuild trust in the system.
Coming together to support the passage of a comprehensive and preemptive federal data privacy law is increasingly important. If not, we are conceding that we’re okay with Americans remaining distrustful of the industry, and that the rest of the world should set the standards for us.