What Sort of Digital Privacy?

I agree with this editorial in the New York Times:

American lawmakers are late to the party. Europe has already set what amounts to a global privacy standard with its General Data Protection Regulation, which went into effect in 2018. G.D.P.R. establishes several privacy rights that do not exist in the United States — including a requirement for companies to inform users about their data practices and receive explicit permission before collecting any personal information. Although Americans cannot legally avail themselves of specific rights under G.D.P.R., the fact that the biggest global tech companies are complying everywhere with the new European rules means that the technocrats in Brussels are doing more for Americans’ digital privacy rights than their own Congress.

The toughest privacy law in the United States today is the California Consumer Privacy Act, which is set to go into effect on Jan. 1, 2020. Just like G.D.P.R., it requires companies to take adequate security measures to protect data and also offers consumers the right to request access to the data that has been collected about them. Under the California law, consumers not only have a right to know whether their data is being sold or handed off to third parties, they also have a right to block that sale. And the opt-out can’t be a false choice — Facebook and Google would not be able to refuse service just because a user didn’t want their data sold.

to the extent that I think we need much more serious federally-secured privacy online. And, while I think that the bill proposed by Josh Hawley in the Senate:

Where the Warner/Fischer bill looks to alleviate the harmful effects of data collection on consumers, Senator Josh Hawley’s Do Not Track Act seeks to stop the problem much closer to the source, by creating a Do Not Track system administered by the Federal Trade Commission. Commercial websites would be required by law not to harvest unnecessary data from consumers who have Do Not Track turned on.

is a step in the right direction, I would go a step farther. I would require companies to obtain express consent from any user whose personally identifiable data were to be sold each time it is sold, with very stiff penalties for violation. No blanket consent. No general waiver. No requirement to opt out.

It’s an idea whose time has come. About ten years ago.

2 comments
  • walt moffett

    I’d go one step further, specific written consent delivered by snail mail. Included in the paperwork would be exactly what will be disclosed, to whom and a chance to edit what will be sent.

    Aggregate information, e.g. the zipcode contains 37 left-handed monkey wrench owners, could be sent without consent.

  • TastyBits

    Laws need to explicitly address non-primary data. If somebody agrees to Facebook data collection, I have not agreed, but my contact info gets snatched through the primary user.
