Fragmented U.S. privacy rules leave large loopholes for Facebook, others
By FLORIAN SCHAUB
University of Michigan
Facebook CEO Mark Zuckerberg’s Congressional testimony discussed ways to keep people’s online data private, which I’m interested in as a privacy scholar.
Facebook and other U.S. companies already follow more comprehensive privacy laws in other countries. But without comparable requirements at home, there’s little reason for them to protect U.S. consumers the same way.
Inform customers and secure data
U.S. privacy laws are mostly based on the Federal Trade Commission’s Fair Information Practice Principles, which recommend companies:
– Tell customers their data practices.
– Give people some choice about additional uses,
– Provide people with access to information about them, and
– Ensure the security of the data collected.
In some industries, there are regulations for handling what’s called “personally identifiable information.” Federal laws protect medical information, financialdata and education-related records.
Online services and apps are barely regulated, though they must protect children, limit unsolicited email marketing and tell the public what they do with data they collect.
Online tracking and advertising is self-regulated: Industry associations set rules for their members. Data collection by emerging technologies, such as smart speakers or self-driving cars, is mostly unregulated. The FTC does investigate if companies are “unfair or deceptive,” but firms that prominently disclose what they do may avoid trouble.
Strong limits on
Europe, by contrast, generally prohibits collecting and using personal data. Its General Data Protection Regulation, which takes effect on May 25, applies to all businesses and government agencies in European Union member countries – including U.S. companies offering services in Europe.
The GDPR gives six reasons for collecting personal data. But even then, any analysis must be closely related to the purpose for which the data was collected. For example, a fitness-tracking company couldn’t sell users’ exercise data to a health insurance company without additional consent. Companies that violate the GDPR may be fined up to 20 million euros, or 4 percent of the firm’s worldwide annual revenue.
Building on the GDPR, Europe’s forthcoming ePrivacy Regulation will likely require explicit individual consent before a company can track a person’s online activity.
Many other countries, including Mexico, Switzerland and Russia, have adopted comprehensive privacy regulations like the EU’s. Canada also broadly regulates how government agencies and private companies use data.
The advantage of comprehensive privacy protections is that they’re consistent across services and industries, even as new technologies emerge.