Congress Has Failed To Protect Consumer Privacy Online. It’s Time for States to Act.

Today, I have the honor of joining a number of national experts on Internet privacy issues in a forum hosted by Massachusetts Attorney General Maura Healey, along with the Berkman Center for Internet & Society and the Computer Science and Artificial Intelligence Lab at MIT.

The panel asks an intriguing question: what can states — and particularly state attorneys general — do to protect consumers online while promoting the innovation economy?

In my view, the time has come for states to act to fill in the troubling gaps in consumer privacy protections left by congressional dysfunction in Internet law. Consumers care a lot about the privacy of their information online, but correctly feel that they have no control over that information, and no meaningful options for both protecting themselves online and participating in the digital revolution.

As a thoughtful progressive who values both consumer protection and economic growth, AG Healey is a terrific person to begin the conversation about what more states can do. State AGs have more tools than people may realize to help protect consumers online. AGs can bring law enforcement actions and demonstrate that predatory or discriminatory behavior will not be tolerated in Massachusetts. They can promulgate regulations defining what is unfair and deceptive, and set clearer rules on what is permitted and what is not. And they can call for state and federal legislators to pass a Consumer Privacy Bill of Rights.

The time for states to act is now. Internet law and policy have historically been a primarily federal issue. As a political appointee in the Commerce Department and the White House Office of Science & Technology Policy in the first term of the Obama administration, I spent a good deal of my time pushing for a Consumer Privacy Bill of Rights as well as other tools for promoting privacy and civil liberties online. Every year, we live more and more of our professional and personal lives on the Internet, mobile devices, and other networked technologies. As the digital revolution has accelerated, the patchwork of consumer protection laws governing Internet privacy has struggled to keep up. And most privacy policies are dense, lengthy, jargon-filled monstrosities that are seldom read and routinely ignored.

There should be a series of core principles governing online privacy, such as individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability. And there should be real enforcement authority to ensure that consumers are protected — as well as clarity for the business community about what is allowed, and what is not.

At the same time, comprehensive regulations should ideally move at the speed of the Internet. Rather than take years to promulgate rules through a notice and comment rulemaking that might result in rules that are obsolete as soon as they are finalized, there should be more nimble multi-stakeholder processes that allow for the development of sophisticated rules that balance privacy protection with the public’s interest in a vibrant and profitable online marketplace.

One advantage of setting rules of this type at the federal level is that it advances uniformity and creates clear rules of the road that apply in all fifty states.

That is what should happen. The problem is that the federal legislative process is fundamentally broken. With very few exceptions, Congress is now a place where good ideas go to die. The Obama Administration has proposed a thoughtful legislative framework for consumer privacy, but it has not progressed in Congress.

In the meantime, there are practices in the online marketplace that clearly hurt consumers and provide little benefit to businesses. A few examples include:

  • Secretive information sharing — websites consumers visit sometimes collect information and then share it with third parties who use this data in ways consumers would not reasonably expect — and over which consumers have very little control. Consumers deserve meaningful information about, and control over, how their sensitive information is collected and shared.
  • Behavioral advertising relating to sensitive information — private information about consumers, such as health conditions, pregnancy status, and other intimate facts, is often collected and used to target advertising to individuals without their meaningful consent.
  • Racial profiling — in some cases, companies collect information about the race or ethnicity of users and then market certain products to these individuals on the basis of their race or ethnicity.
  • Failure to respect “do not track” signals — many browsers now contain instructions for websites such as “do not track” buttons. But there is no effective method for ensuring that these instructions are honored, and they often are not.

But what can states — as opposed to the federal government — do? AG Healey has accomplished one important objective already with today’s forum — using the bully pulpit to start a conversation about the role of states. Here are three other suggestions:

Law enforcement: the AG has broad and flexible powers to bring civil law enforcement actions against commercial actors that harm consumers by committing unfair and deceptive acts in violation of trade or commerce. She can use these powers to hold bad actors to account, and to send a deterrence signal to other shady actors that prey on consumers.

Regulations: the AG has a little-known power that could be quite useful in this space. She can promulgate regulations around the definition of what constitutes unfair and deceptive trade practices under Massachusetts General Laws Chapter 93A. Using these tools, she could clearly articulate that certain conduct is unfair and deceptive, and will not be tolerated in the Commonwealth.

Legislation: the AG could also call on the state legislature or the Congress to pass laws containing the key elements of an Online Consumer Privacy Bill of Rights.

As President Obama has said, “One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever.”

With the federal legislative process deadlocked, leaders at the state level should use their powers to advance sensible consumer protections online.

Quentin Palfrey has worked on consumer protection and Internet privacy issues at the White House Office of Science & Technology Policy, the U.S. Department of Commerce, and the Massachusetts Attorney General’s Office. He now works at MIT.