Privacy SOS

Federal data protection legislation must be a floor—not a ceiling—for our digital rights

A showdown between data privacy advocates and major tech firms is heating up in Congress, with one side arguing for robust regulations outlawing data discrimination and other exploitative practices, and the other pushing for a federal law to wipe out state level privacy protections. On October 10, the Senate Committee on Commerce, Science, and Transportation held its second hearing on consumer privacy. In September, tech companies pleaded their case, asking Congress to pass a federal law that would preempt state-level data privacy laws. At last week’s hearing, the committee heard from consumer advocates. Unlike the big tech representatives who testified at the first hearing, these advocates focused on consumer protection.

The message from these experts was clear: The United States desperately needs to catch up with Europe and pass a strong federal consumer privacy law, which must act as a floor—not a ceiling—for data regulation nationwide.

The issue facing Congress doesn’t get enough attention given its gravity. Companies like Google, Facebook, and Amazon collect and process unprecedented quantities of extremely sensitive information about hundreds of millions of people in the United States, but remain almost entirely unregulated. The axiom that knowledge is power has never been truer than it is today. It’s not an exaggeration to say that in the Information Age—the age of big data, automation, and artificial intelligence—she who controls information controls the world.

Unregulated, big data and “black box” automated decision systems have been shown to compound existing and historic inequalities, routinely producing outcomes that benefit the powerful and harm the poor, people of color, and women. Barely a week passes without news of another catastrophic data breach, or of a tech company with God-like powers getting caught in a scandal implicating the lives of millions of people currently at the mercy of Silicon Valley’s whims.

Advocates at the hearing last week sounded the alarm, recommending that Congress draw some firm lines in the sand around what companies should be permitted to do with the vast troves of records they collect about us, and highlighting the European Union’s General Data Protection Regulations as an example worth emulating. Laura Moy of the Georgetown Law Center on Privacy & Technology called on Congress to ban companies from digital redlining, or denying consumers information about educational or employment opportunities on the basis of their race, gender, or sexual orientation. Moy questioned the value of consent based data regulation, highlighting the disproportionate power the tech industry has in its asymmetric relationship with consumers. “Where a service is essential or unavoidable for consumers,” she warned, as so many big tech digital services are, “consent may not be freely given.”

Other advocates, like Massachusetts Senator Ed Markey, stressed the importance of protecting children’s privacy. He and Alastair Mactaggart, Board Chair of Californians for Consumer Privacy, said any federal consumer data law should include special protections for people under the age of 16, including the right for individuals to demand companies delete data amassed on them when they were juveniles. These protections are critical for all people, but especially for black and brown children already disproportionately targeted for surveillance, policing, and incarceration.

According to figures provided by the Center for Democracy and Technology’s Nuala O’Connor, people in the United States are overwhelmingly concerned that they’ve lost control over their personal information:

  • 91% of adults in the United States agree or strongly agree that consumers have lost control of how personal information is collected and used by companies.
  • 80% are concerned or very concerned about their online privacy.
  • 68% believe that current laws are not good enough at protecting privacy online.

The witnesses made clear that Americans want comprehensive, strong consumer data privacy law, but that today it doesn’t exist.

The ACLU and others have at times asked big tech firms to self-regulate in the interest of ensuring their tools are only used in ways that support, rather than impede, civil rights and civil liberties. But the tech companies’ performances at the September 26 Senate hearing demonstrated that when it comes to comprehensive consumer data privacy regulation, big tech won’t do the right thing on its own. Lawmakers must step in.

Company claims that regulation will harm innovation or impose untenable cost burdens are overblown and exaggerated. Amazon, one among many astonishingly profitable big data players, is the most highly valued publicly traded company in the country, boasting more wealth than many nations. If we want to live in a free and open society, and exercise democratic control of our own lives, we mustbe able to control information about ourselves. Seizing this control back from major corporations requires lawmakers to act—at the federal level, and where needed, at the state level, too—in the public’s interest.

Data should never be used to discriminate, compromise individual liberty, or disrupt democracy. No matter what compromise emerges on these issues at the federal level, Congress must reject tech industry calls to prohibit states from enacting their own protections. The choices our lawmakers make now will have vast repercussions for the future. Let’s choose wisely.

This blog post was co-authored by Kade Crockford and Siri Nelson.

© 2024 ACLU of Massachusetts.