Privacy Notices – Nobody Reads the Small Print.  Is it Time for New Legislation?

Written By Hosch & Morris

Privacy Plus+

Privacy, Technology and Perspective

Privacy Notices – Nobody Reads the Small Print.  Is it Time for New Legislation?  This week, we consider pending privacy legislation as we wonder: When was the last time you read an online privacy notice?  Have you ever fully read one?

In the U.S., privacy notices are built on a foundation of “Notice and Consent:” companies use privacy notices to explain when they do with your personal information when you visit a website, use a service, or otherwise interact with them.  Often, they are lengthy and complex, using vocabulary that is daunting even to privacy-centric consumers.  Yet, they are posted, ostensibly, for the purpose of providing consumers with fair notice, and getting consumers’ consent.  Now, effectively, “Notice and Consent” has become “Click Through and Hope for the Best.”  

Most agree that the burden on consumers to read through and understand privacy notices is significant.  Most also agree that consumers have all but thrown up their hands when it comes to online privacy, opting to use services they deem necessary (Zoom comes to mind) without meaningfully consenting to the information practices set forth in privacy notices posted by those companies.  But there is no consensus at all on how to fix the problem. 

 Of the at least six proposals are in various stages of congressional discussion, all continue to rely notice and consent.  Click below for information on them:

https://crsreports.congress.gov/product/pdf/LSB/LSB10441

 However, the proposals offer many different solutions, including:

  •  Recognizing individual rights, like those recognized under the European Union’s General Data Protection Regulation (GDPR) and its “American Cousin,” the California Consumer Privacy Act (CCPA);

  • Recognizing certain personal information as especially sensitive, like government-issued identification numbers, financial account numbers, health records, biometric data, and geolocation data, and offering such data additional protections; and

  • Strengthening of FTC’s enforcement authority, or alternatively, creating a specialized data protection agency in the U.S., with a range of powers and authority depending on the author(s); and more.

Other ideas, which perhaps affect notice and consent, at least to a degree, are circulating also, including:

  • Adding pop-ups notices every time a consumer submits her information;

  • Requiring options that would allow a person to use an online service without submitting any personal information;

  • Requiring businesses that want to collect and use a person’s personal information to pay them for it (in other than obvious situations, like when performing the service the person is requesting);

  • Restricting what a business can collect and what it can do with it, according to its consumers’ reasonable expectations in the circumstances;

  • Something roughly like the U.S. securities law, which requires much disclosure and transparency, but also restricts certain behavior whether the behavior is disclosed or not; or

  • Various combinations of some or all of these, perhaps on a menu from which businesses can choose according to their business models.

This week, U.S. Senator Sherrod Brown (D-OH) added a new proposal, through his “Data Accountability and Transparency Act:”  throw over the table and start over, by restring businesses from using consumers’ information at all except in order to provide the services they request. 

A link to the Washington Post story describing Senator Brown’s proposal follows: 

https://www.washingtonpost.com/technology/2020/06/18/data-privacy-law-sherrod-brown/

Senator Brown’s proposal will not be greeted with thunderous applause, for too much industry is now built on monetizing data.  But for that matter, the chances of any less dramatic proposal becoming law, either, is also remote, because there is no agreement anywhere on (1)  federal preemption over state laws like the CCPA, and (2) whether private rights of action, like those under Illinois’s Biometric Information Privacy Act, should be allowed. Passage of anything must surely await the next Congress, or the one that re-discovers the lost art of American political compromise. 

Perhaps that will give us just the time we need to debate and decide what would be best to enhance privacy and attendant public trust in our collective future.

---

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.

 

Hosch & Morris https://hoschmorris.com
Previous

5 Tips for Protecting Your Home Network and Devices
Next

Resources on COVID-19 Privacy and Cybersecurity Issues